W3C home > Mailing lists > Public > public-ietf-w3c@w3.org > September 2012

Re: web+ and registerProtocolHandler

From: Adam Barth <w3c@adambarth.com>
Date: Wed, 12 Sep 2012 09:52:10 -0700
Message-ID: <CAJE5ia_chKLHXyTU1KS89hTipPh-L5Qd01F_S2NMM1XPdndNOg@mail.gmail.com>
To: Peter Saint-Andre <stpeter@stpeter.im>
Cc: Larry Masinter <masinter@adobe.com>, "michel@suignard.com" <michel@suignard.com>, "tony@att.com" <tony@att.com>, "plh@w3.org" <plh@w3.org>, "adil@diwan.com" <adil@diwan.com>, "robin@berjon.com" <robin@berjon.com>, "ted.ietf@gmail.com" <ted.ietf@gmail.com>, "John O'Conner" <jooconne@adobe.com>, "presnick@qualcomm.com" <presnick@qualcomm.com>, "Martin J. Dürst" <duerst@it.aoyama.ac.jp>, "chris@lookout.net" <chris@lookout.net>, "public-ietf-w3c@w3.org" <public-ietf-w3c@w3.org>
I should be clear that I'm not advocating "web+" as a good idea.  I'm
just explaining the security consequences of the various options.

Adam


On Wed, Sep 12, 2012 at 7:47 AM, Peter Saint-Andre <stpeter@stpeter.im> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> In the context of whitelisting vs. blacklisting, the concern I have
> with the prefixing idea is that it implicitly whitelists any URI
> scheme that starts with the string "web+", yet the proponents of this
> idea have not specified any criteria for review of such prefixed URI
> schemes (or even answered the questions raised here and elsewhere
> about whether additional review is needed for such schemes by the
> designated experts or the IANA).
>
> I agree that blacklisting doesn't scale and isn't secure. I disagree
> that implicit whitelisting is the answer.
>
> Peter
>
> On 9/10/12 9:56 AM, Adam Barth wrote:
>> It's just a practical issue.  Many folks have URI schemes
>> registered on their computers that are not safe for web sites to
>> hijack (i.e., register).  It's not practical to create an blacklist
>> that effectively mitigates that risk.  As it happens, we not aware
>> of any folks who have such registrations for URI schemes that begin
>> with "web+".
>>
>> Adam
>>
>>
>> On Mon, Sep 10, 2012 at 1:01 AM, Larry Masinter
>> <masinter@adobe.com> wrote:
>>> since this affects ietf and w3c, and public-ietf-w3c is publicly
>>> archived, could someone explain why allowing registering
>>> arbitrary web+xxx scheme handlers is any better than allowing
>>> arbitrary (unblacklisted) xxx scheme handlers?
>>>
>>>
>>> -----Original message-----
>>>
>>> From: Adam Barth <w3c@adambarth.com> To: Larry Masinter
>>> <masinter@adobe.com> Cc: "michel@suignard.com"
>>> <michel@suignard.com>, Tony Hansen <tony@att.com>, Philippe Le
>>> Hegaret <plh@w3.org>, Peter Saint-Andre <stpeter@stpeter.im>,
>>> Adil Allawi <adil@diwan.com>, Robin Berjon <robin@berjon.com>,
>>> Ted Hardie <ted.ietf@gmail.com>, John O'Conner
>>> <jooconne@adobe.com>, Pete Resnick <presnick@qualcomm.com>,
>>> "Martin J. Dürst" <duerst@it.aoyama.ac.jp>, Chris Weber
>>> <chris@lookout.net> Sent: Sun, Sep 9, 2012 19:09:22 GMT+00:00
>>> Subject: RE: 85th IETF - Working Group/BOF/IRTF Scheduling -
>>> REMINDER
>>>
>>> We should discuss further on a publicly archived mailing list.
>>>
>>> Adam
>>>
>>> On Sep 9, 2012 12:00 PM, "Larry Masinter" <masinter@adobe.com>
>>> wrote:
>>>>
>>>> Why doesn't "web+"  introduce all the same problems a blacklist
>>>> approach (where everything is allowed unless explicitly
>>>> disallowed) introduces? That's kind of what Chris' tests are
>>>> showing.
>>>>
>>>> And what's the point, anyway, of a precise specification but
>>>> leaving out the necessary steps to implement the spec
>>>> securely?
>>>>
>>>>
>>>>
>>>> -----Original Message----- From: Adam Barth
>>>> [mailto:w3c@adambarth.com] Sent: Sunday, September 09, 2012
>>>> 10:20 AM To: Chris Weber Cc: Larry Masinter; "Martin J. Dürst";
>>>> Peter Saint-Andre; Philippe Le Hegaret; John O'Conner; Tony
>>>> Hansen; Ted Hardie; michel@suignard.com; Adil Allawi; Pete
>>>> Resnick; Robin Berjon Subject: Re: 85th IETF - Working
>>>> Group/BOF/IRTF Scheduling - REMINDER
>>>>
>>>> Folks can be unhappy with a whitelist all they want.  A
>>>> blacklist isn't secure and we won't implement it.
>>>>
>>>> Adam
>>>>
>>>>
>>>> On Sun, Sep 9, 2012 at 12:11 AM, Chris Weber
>>>> <chris@lookout.net> wrote:
>>>>> Thanks for the message Martin and Larry.  I will not be in
>>>>> Atlanta unfortunately,  I'm guessing Peter will..?  I'd be
>>>>> happy to schedule some design meeting time for next week
>>>>> after the expiring drafts have been re-submitted.
>>>>>
>>>>> As far as web+xxx, I'm still afraid that a user
>>>>> fingerprinting and tracking risk exists - though I didn't
>>>>> test the isProtocolHandlerRegistered() method for
>>>>> exploitability because it didn't exist, I see Safari has
>>>>> implemented it now and Chrome and Firefox have some active
>>>>> bugs for tracking.
>>>>>
>>>>> Also, I notice that some developers are not happy with the
>>>>> whitelist vs blacklist approach:
>>>>> https://github.com/jquery/standards/issues/12
>>>>>
>>>>> -Chris
>>>>>
>>>>> On 9/8/2012 9:32 AM, Larry Masinter wrote:
>>>>>> I'm planning to go to IETF Atlanta (direct from W3C TPAC in
>>>>>> Lyon)
>>>>>>
>>>>>> I'd like to better coordinate the IETF and W3C specs on
>>>>>> URLs, IRIs, etc. Doing so was my original motivation for
>>>>>> revising these specs in the first place. I'd like to also
>>>>>> see if we can make progress on "web+xxx" and (if it's still
>>>>>> in W3C specs) "http+aes".
>>>>>>
>>>>>> I see Chris is doing testing. Making progress on open
>>>>>> issues was stymied by lack of testing, so perhaps now that
>>>>>> we have some testing capabilities we can make more rapid
>>>>>> progress.
>>>>>>
>>>>>> Larry
>
> <snip/>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
>
> iEYEARECAAYFAlBQoGQACgkQNL8k5A2w/vxCAgCfXencuCpjpoP1OqvSvgCb2m/B
> OwcAnR7QcQGgy5ZGuuUS60Rcfu1ylNJk
> =T5l0
> -----END PGP SIGNATURE-----
Received on Wednesday, 12 September 2012 16:53:12 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 12 September 2012 16:53:12 GMT