
Re: web+ and registerProtocolHandler

From: Martin J. Dürst <duerst@it.aoyama.ac.jp>
Date: Thu, 13 Sep 2012 13:00:29 +0900
Message-ID: <50515A5D.8040700@it.aoyama.ac.jp>
To: Chris Weber <chris@lookout.net>
CC: Adam Barth <w3c@adambarth.com>, Peter Saint-Andre <stpeter@stpeter.im>, Larry Masinter <masinter@adobe.com>, "michel@suignard.com" <michel@suignard.com>, "tony@att.com" <tony@att.com>, "plh@w3.org" <plh@w3.org>, "adil@diwan.com" <adil@diwan.com>, "robin@berjon.com" <robin@berjon.com>, "ted.ietf@gmail.com" <ted.ietf@gmail.com>, "John O'Conner" <jooconne@adobe.com>, "presnick@qualcomm.com" <presnick@qualcomm.com>, "public-ietf-w3c@w3.org" <public-ietf-w3c@w3.org>
On 2012/09/13 4:04, Chris Weber wrote:
> It might be helpful to see some end-to-end use case scenarios for
> web+.  I can see the rather obvious ones, but have they been
> documented or discussed in more detail anywhere?
>
> Regarding registerProtocolHandler in general, how was the whitelist of
> allowed schemes determined?  Why is 'ssh' in the list?
>
> The crux of security defense with registerProtocolHandler comes down
> to yet another modal dialog presented to the end user,

This is indeed a serious problem; users usually don't read the questions 
in detail, or don't understand them, and just click through, after which 
it may be too late.

My understanding is that there are very similar dialogs for when making 
an application the default handler for a scheme. It's usually worded as 
"Do you want to make FOO-BROWSER your default browser?" or some such. Is 
there any data or experience reports on how well that works?

An alternative that should lower the amount of security problems would 
be to require that the user actively has to initiate the process. The 
Web application would have a page that says something like "If you want 
to make FooMail your default mail application, please select 
"Menu1->Option2..." from your browser and enter .... (Menu7->Option8 on 
BarBrowser)."

web+ is whitelisting rather than blacklisting for deciding which 
schemes are eligible. Just having a clickthrough dialog for user 
approval looks way more like blacklisting, though.

Regards,   Martin.

> a troubling
> scenario given the enumerated list of threats in the spec:
>
> Hijacking all Web usage
> Hijacking defaults
> Registration spamming
> Misleading titles
> Hostile handler metadata
> Leaking Intranet URLs
> Leaking secure URLs
> Leaking credentials
>
> Best regards,
> -Chris
>
>
> On 9/12/2012 9:52 AM, Adam Barth wrote:
>> I should be clear that I'm not advocating "web+" as a good idea.
>> I'm just explaining the security consequences of the various
>> options.
>>
>> Adam
>>
>>
>> On Wed, Sep 12, 2012 at 7:47 AM, Peter Saint-Andre
>> <stpeter@stpeter.im>  wrote:
>>
>> In the context of whitelisting vs.
>> blacklisting, the concern I have with the prefixing idea is that
>> it implicitly whitelists any URI scheme that starts with the
>> string "web+", yet the proponents of this idea have not specified
>> any criteria for review of such prefixed URI schemes (or even
>> answered the questions raised here and elsewhere about whether
>> additional review is needed for such schemes by the designated
>> experts or the IANA).
>>
>> I agree that blacklisting doesn't scale and isn't secure. I
>> disagree that implicit whitelisting is the answer.
>>
>> Peter
>>
>> On 9/10/12 9:56 AM, Adam Barth wrote:
>>>>> It's just a practical issue.  Many folks have URI schemes
>>>>> registered on their computers that are not safe for web
>>>>> sites to hijack (i.e., register).  It's not practical to
>>>>> create a blacklist that effectively mitigates that risk.  As
>>>>> it happens, we are not aware of any folks who have such
>>>>> registrations for URI schemes that begin with "web+".
>>>>>
>>>>> Adam
>>>>>
>>>>>
>>>>> On Mon, Sep 10, 2012 at 1:01 AM, Larry Masinter
>>>>> <masinter@adobe.com>  wrote:
>>>>>> since this affects ietf and w3c, and public-ietf-w3c is
>>>>>> publicly archived, could someone explain why allowing
>>>>>> registering arbitrary web+xxx scheme handlers is any
>>>>>> better than allowing arbitrary (unblacklisted) xxx scheme
>>>>>> handlers?
>>>>>>
>>>>>>
>>>>>> -----Original message-----
>>>>>>
>>>>>> From: Adam Barth <w3c@adambarth.com>
>>>>>> To: Larry Masinter <masinter@adobe.com>
>>>>>> Cc: "michel@suignard.com" <michel@suignard.com>, Tony Hansen <tony@att.com>,
>>>>>> Philippe Le Hegaret <plh@w3.org>, Peter Saint-Andre <stpeter@stpeter.im>,
>>>>>> Adil Allawi <adil@diwan.com>, Robin Berjon <robin@berjon.com>,
>>>>>> Ted Hardie <ted.ietf@gmail.com>, John O'Conner <jooconne@adobe.com>,
>>>>>> Pete Resnick <presnick@qualcomm.com>, "Martin J. Dürst" <duerst@it.aoyama.ac.jp>,
>>>>>> Chris Weber <chris@lookout.net>
>>>>>> Sent: Sun, Sep 9, 2012 19:09:22 GMT+00:00
>>>>>> Subject: RE: 85th IETF - Working Group/BOF/IRTF Scheduling - REMINDER
>>>>>>
>>>>>> We should discuss further on a publicly archived mailing
>>>>>> list.
>>>>>>
>>>>>> Adam
>>>>>>
>>>>>> On Sep 9, 2012 12:00 PM, "Larry Masinter"
>>>>>> <masinter@adobe.com>  wrote:
>>>>>>>
>>>>>>> Why doesn't "web+"  introduce all the same problems a
>>>>>>> blacklist approach (where everything is allowed unless
>>>>>>> explicitly disallowed) introduces? That's kind of what
>>>>>>> Chris' tests are showing.
>>>>>>>
>>>>>>> And what's the point, anyway, of a precise specification
>>>>>>> but leaving out the necessary steps to implement the spec
>>>>>>> securely?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Adam Barth [mailto:w3c@adambarth.com]
>>>>>>> Sent: Sunday, September 09, 2012 10:20 AM
>>>>>>> To: Chris Weber
>>>>>>> Cc: Larry Masinter; "Martin J. Dürst"; Peter Saint-Andre; Philippe Le Hegaret;
>>>>>>> John O'Conner; Tony Hansen; Ted Hardie; michel@suignard.com; Adil Allawi;
>>>>>>> Pete Resnick; Robin Berjon
>>>>>>> Subject: Re: 85th IETF - Working Group/BOF/IRTF Scheduling - REMINDER
>>>>>>>
>>>>>>> Folks can be unhappy with a whitelist all they want.  A
>>>>>>> blacklist isn't secure and we won't implement it.
>>>>>>>
>>>>>>> Adam
>>>>>>>
>>>>>>>
>>>>>>> On Sun, Sep 9, 2012 at 12:11 AM, Chris Weber
>>>>>>> <chris@lookout.net>  wrote:
>>>>>>>> Thanks for the message Martin and Larry.  I will not
>>>>>>>> be in Atlanta unfortunately,  I'm guessing Peter
>>>>>>>> will..? I'd be happy to schedule some design meeting
>>>>>>>> time for next week after the expiring drafts have been
>>>>>>>> re-submitted.
>>>>>>>>
>>>>>>>> As far as web+xxx, I'm still afraid that a user
>>>>>>>> fingerprinting and tracking risk exists - though I
>>>>>>>> didn't test the isProtocolHandlerRegistered() method
>>>>>>>> for exploitability because it didn't exist, I see
>>>>>>>> Safari has implemented it now and Chrome and Firefox
>>>>>>>> have some active bugs for tracking.
>>>>>>>>
>>>>>>>> Also, I notice that some developers are not happy with
>>>>>>>> the whitelist vs blacklist approach:
>>>>>>>> https://github.com/jquery/standards/issues/12
>>>>>>>>
>>>>>>>> -Chris
>>>>>>>>
>>>>>>>> On 9/8/2012 9:32 AM, Larry Masinter wrote:
>>>>>>>>> I'm planning to go to IETF Atlanta (direct from W3C
>>>>>>>>> TPAC in Lyon)
>>>>>>>>>
>>>>>>>>> I'd like to better coordinate the IETF and W3C specs
>>>>>>>>> on URLs, IRIs, etc. Doing so was my original
>>>>>>>>> motivation for revising these specs in the first
>>>>>>>>> place. I'd like to also see if we can make progress
>>>>>>>>> on "web+xxx" and (if it's still in W3C specs)
>>>>>>>>> "http+aes".
>>>>>>>>>
>>>>>>>>> I see Chris is doing testing. Making progress on open
>>>>>>>>> issues was stymied by lack of testing, so perhaps now
>>>>>>>>> that we have some testing capabilities we can make
>>>>>>>>> more rapid progress.
>>>>>>>>>
>>>>>>>>> Larry
>>
>> <snip/>
>>
>>
>
>
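The whitelist-versus-blacklist argument in this thread, modelled as code. This is an added example, not code from the thread or from any browser; the safelist below is an illustrative subset of the schemes the HTML spec allows for registerProtocolHandler(), and the template checks (the "%s" placeholder and same-origin requirement) are assumed from that spec rather than taken from the messages above.

```javascript
// Illustrative subset of the spec's safelisted schemes (assumed membership).
const SAFELISTED_SCHEMES = new Set([
  "mailto", "irc", "ircs", "xmpp", "sms", "tel", "geo", "magnet", "ssh", "webcal",
]);

// Whitelist model: a scheme is eligible only if it is on the safelist, or is
// "web+" followed by one or more ASCII lowercase letters. Everything else is
// refused, including schemes a locally installed application may own.
function isEligibleScheme(scheme) {
  const s = scheme.toLowerCase();
  if (SAFELISTED_SCHEMES.has(s)) return true;
  return /^web\+[a-z]+$/.test(s);
}

// Blacklist model, for contrast: refuse only the schemes the author thought
// of and let the rest through. A scheme the author never heard of (one that a
// native application registered on the user's machine) is silently accepted,
// which is the scaling problem raised in the thread.
const BLACKLISTED_SCHEMES = new Set(["http", "https", "file", "javascript", "data"]);
function isEligibleUnderBlacklist(scheme) {
  return !BLACKLISTED_SCHEMES.has(scheme.toLowerCase());
}

// A registration request as a whole: eligible scheme, a "%s" placeholder in
// the handler URL template, and a template that is same-origin with the
// registering page. Returns null when the request would be accepted, or a
// short reason string when it would be refused.
function validateRegistration(scheme, template, pageOrigin) {
  if (!isEligibleScheme(scheme)) return "scheme not eligible";
  if (!template.includes("%s")) return "template lacks %s";
  let origin;
  try {
    origin = new URL(template.replace("%s", "x")).origin;
  } catch (e) {
    return "template is not a valid URL";
  }
  if (origin !== pageOrigin) return "template origin mismatch";
  return null;
}

module.exports = { isEligibleScheme, isEligibleUnderBlacklist, validateRegistration };
```

Note that the prefix rule makes "web+anything" eligible without any per-scheme review, which is exactly the implicit-whitelist concern voiced in the thread.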
Received on Thursday, 13 September 2012 04:01:07 GMT
