Re: XRI 2.0 Review by the W3C TAG - security concern? from Graham Klyne on 2005-05-05 (www-tag@w3.org from May 2005)

From: Graham Klyne <GK@ninebynine.org>
Date: Thu, 05 May 2005 18:58:51 +0100
To: www-tag@w3.org
Message-Id: <5.1.0.14.2.20050505184801.01e76610@127.0.0.1>
At 10:52 29/04/05 +0200, Vincent Quint wrote:


>Summary: The TAG has reviewed the XRI 2.0 documents and requirements
>surrounding the use of XRI.  At this time, it is the opinion of the
>TAG that the case has not been made for a new URI scheme, rather that
>the requirements can be addressed very well using the http URI scheme
>and existing implementations of HTTP and DNS.

 From various messages I've read, it seems that TAG's response makes some 
use of HTTP redirects to achieve the desired effects of XRI;  e.g. parts 
5-6 of:

[4] http://lists.w3.org/Archives/Public/www-tag/2005Apr/0088.html

Quite separately, I today came across a posting on ACM RISKS forum 23.73 
that points out a security concern... "The RISK is obvious: allowing 
untrusted URL redirects in this case will fool many more people".  The full 
message is below.  I don't know if this is causes a problem for the 
proposed approach, but it seems to be an issue worth considering.

[[
Date: Tue, 15 Feb 2005 09:08:18 -0600 (CST)
From: Pete Krawczyk <risks@bsod.net>
Subject: eBay redirects to phishers from their own site

eBay fraudsters have a new trick up their sleeve: using eBay's servers to
link to a fraudulent web site.

In the past, it was easy to pass a URL through a decoder and find that the
actual server hosted behind a URL was not owned by eBay, since phishers
would use @, %40, or other domain misdirection tactics.  However, I recently
received an eBay fraud mail that contained the following URL, which has been
edited to point to Google:

http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http://www.google.com/

As you can see, that URL will access cgi4.ebay.com, and eBay will gladly
hand the browser over to Google for further action.  That URL can be
trivially changed to any web site.

The RISK is obvious: allowing untrusted URL redirects in this case will fool
many more people who may now believe that eBay is truly asking for account
details, and may lead to further identity theft.

I contacted eBay, and got nothing but canned responses.  I did try the live
chat, and after the rep confirmed that I had not given out my account
information, he said they would investigate.  That was on Saturday.
]]
-- http://catless.ncl.ac.uk/Risks/23.73.html#subj7

#g
--


>OASIS Team,
>
>The TAG has reviewed the XRI 2.0 documents [1] and while we do
>understand the case for an abstraction layer, we also believe that
>this can be provided with the http scheme and existing HTTP and DNS
>protocols.
>
>The recommendations that we have documented in Architecture of the World
>Wide Web, Volume One state that "A specification SHOULD reuse an
>existing URI scheme (rather than create a new one) when it provides
>the desired properties of identifiers and their relation to
>resources." [2] In this case, a properly managed and supported use of
>the existing http scheme, based on the excellent analysis in your
>documents, does have the desired properties and can provide the same
>functionality without the loss of interoperability which would
>accompany a new scheme.
>
>An abstraction layer which uses current technologies could be deployed
>much more quickly, as creating a new URI scheme would require the
>whole web to implement these technologies before they would achieve
>widespread adoption.
>
>Some background to the above response, as well as an indication of
>what would be involved in taking most of the work done on XRIs forward
>without a new URI scheme, can be found in several recent messages to
>the www-tag mailing list [3] [4].
>
>Respectfully,
>W3C TAG
>
>[1] http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xri
>[2] http://www.w3.org/TR/2004/REC-webarch-20041215/#URI-scheme
>[3] http://lists.w3.org/Archives/Public/www-tag/2005Apr/0076.html
>[4] http://lists.w3.org/Archives/Public/www-tag/2005Apr/0088.html
>
>--------------------------------------
>Vincent Quint                       INRIA Rhône-Alpes
>INRIA                               ZIRST
>e-mail: Vincent.Quint@inria.fr      655 avenue de l'Europe
>Tel.: +33 4 76 61 53 62             Montbonnot
>Fax:  +33 4 76 61 52 07             38334 Saint Ismier Cedex
>                                     France

------------
Graham Klyne
For email:
http://www.ninebynine.org/#Contact
Received on Friday, 6 May 2005 08:06:52 UTC