W3C home > Mailing lists > Public > public-linked-json@w3.org > May 2013

Re: Google adds JSON-LD support to Gmail

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Wed, 22 May 2013 22:13:50 -0400
Message-ID: <519D7B5E.2000805@digitalbazaar.com>
To: Melvin Carvalho <melvincarvalho@gmail.com>, Linked JSON <public-linked-json@w3.org>
CC: Markus Lanthaler <markus.lanthaler@gmx.net>, Dan Brickley <danbri@danbri.org>
bcc: RDF WG

On 05/22/2013 05:35 PM, Melvin Carvalho wrote:
>> 2. We'd also like to start a conversation about allowing the 
>> simpler, shorter form by defaulting to http:// if not present.
> 
> We could certainly do that but that would mean that we would lose
> the ability to use relative URLs to reference contexts which I think
> is very handy for a large number of use cases.
> 
> It may be slightly better to standardize in https, rather than http,
>  since schema.org <http://schema.org> is used for ecommerce too.  I 
> dont think there's currently any known attack vector based on MITM
> of a vocab, but one may emerge in future.

There absolutely is a known MITM attack vector when using a vocab served
over HTTP for commerce. :)

If schema.org defines the concept of a 'source' and 'destination' for
a financial transaction an attacker could poison a downstream DNS such
that the retrieved vocab document switches source and destination, thus
giving attackers the ability to suck funds out of your financial accounts.

This is one of the reasons that the PaySwarm vocabs are served from
https://w3id.org/ and the reason that we serve those vocabs using the
HTTP Strict Transport Security (HSTS) HTTP headers.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Meritora - Web payments commercial launch
http://blog.meritora.com/launch/
Received on Thursday, 23 May 2013 02:14:25 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:53:22 UTC