Re: [Uri-review] ssh URI from David Booth on 2009-10-14 (uri@w3.org from October 2009)

From: David Booth <david@dbooth.org>
Date: Wed, 14 Oct 2009 00:20:26 -0400
To: Eliot Lear <lear@cisco.com>
Cc: bob@sporkmonger.com, uri-review@ietf.org, uri@w3.org
Message-Id: <1255494026.25337.3062.camel@dbooth-laptop>

On Tue, 2009-10-13 at 08:10 +0200, Eliot Lear wrote:
> On 10/13/09 6:02 AM, David Booth wrote:
> > Getting a scheme registered is the *easy* part.  The hard part is
> > getting millions of installed clients to implement the special
> > recognition of that scheme.
> >    
> 
> I agree, and I think what you're proposing is interesting along those 
> lines.  I also appreciate your answers to my earlier questions.  Right 
> now we have no guidance or analysis that goes into the associated risks 
> of what you are proposing.  A few examples of things that can and will 
> go wrong with non-participants:
> 
> 1.  A query goes out to a third party, and the site is down or 
> unreachable.  In this case, the non-participant will hang in an 
> unspecified way rather than get a hard error.

Correct.

> 2.  A query goes out and the third party has been compromised.  And in 
> this case, the third party is a really attractive target because one can 
> map administrative resources with SSH.  Worse, the client acts on the 
> meta-information in some way, leading to additional compromises.  You're 
> already using redirects.  So what can a bad guy redirect to in order to 
> make things interesting?  Well, he's got a Browser: header.  Perhaps he 
> redirects to an appropriate exploit.

Yes, this is a risk.  But it is a similar risk as for any site that
provides downloadable software.  Ultimately, when offered information
(or software) the user must decide whether to trust it.   But this
doesn't mean that there isn't benefit to offering such information (or
software).  We mustn't throw the baby out with the bath.

> 
> Now to be fair to you, I haven't done the analysis to say, "this is 
> ABSOLUTELY a problem", but nor have I seen an analysis from you that 
> leads me to conclude that this is not a problem.

Likewise, I have not done the analysis to say "this is absolutely NOT a
problem".  But I do think the potential benefits are enough to warrant
more thought.

> 
-- 
David Booth, Ph.D.
Cleveland Clinic (contractor)

Opinions expressed herein are those of the author and do not necessarily
reflect those of Cleveland Clinic.

Received on Wednesday, 14 October 2009 04:20:55 UTC