W3C home > Mailing lists > Public > www-tag@w3.org > February 2010

Re: ACTION-278 Hiding metadata for security reasons

From: Tyler Close <tyler.close@gmail.com>
Date: Mon, 8 Feb 2010 17:44:16 -0800
Message-ID: <5691356f1002081744s26d3dcfvf96386f93d147dd1@mail.gmail.com>
To: Dan Connolly <connolly@w3.org>
Cc: Jonathan Rees <jar@creativecommons.org>, www-tag@w3.org, "Mark S. Miller" <erights@google.com>
On Sat, Jan 23, 2010 at 1:12 PM, Dan Connolly <connolly@w3.org> wrote:
> On Sun, 2009-12-27 at 11:20 -0800, Tyler Close wrote:
>> I am happy to provide body text for these two new sections.
> I'd like to see that.

OK, here's a first draft of text for two new sections that motivate
two Good Practice statements:

Guessable, confidential metadata

Some kinds of identifiers are confidential, even though their value is
guessable given a sufficient number of attempts. For example, a bank
account number may be confidential even though a program could quickly
enumerate all possible bank account numbers. Including confidential,
but guessable, metadata in a URI can make it vulnerable to a guessing
attack. By repeatedly attempting to dereference possible URIs and
monitoring the response, or even just the time taken to respond, an
attacker could guess confidential metadata and have the server confirm
its correctness.

Good Practice: A URI assignment authority SHOULD NOT put guessable,
confidential metadata in a URI.

Private resources

Some resources are private and so only intended for use by a single
user or group of users, instead of being publicly accessible to
everyone. Though someone outside this authorized group may not be able
to directly access the private resource, it may still be possible to
indirectly access the resource if it is identified by a guessable URI.
After luring an authorized user to an attack page, there may be
several avenues of indirect access. In a CSRF attack, the attacker's
page includes a HTML <form> tag whose action attribute contains the
guessable URI for the private resource. This <form> may be
automatically submitted using JavaScript, or the user may be induced
to click the submit button. In a clickjacking attack, the attacker's
page might include an iframe that references the guessable URI for the
private resource. By placing the private resource in an unexpected
context, the user may be induced to interact with it in an undesired
way. Though the Same Origin Policy may prevent the attack page from
directly reading responses returned from a private resource, the
attack page may still be able to time such responses and so detect the
state of the resource. For example, if the private resource is an
email archive, the attack page may be able to determine the frequency
of certain keywords by measuring the time taken for a search operation
to complete.

When a private resource is identified by a guessable URI an attacker
can navigate an authorized user to it under a pretense of the
attacker's choosing. In this unexpected context, the attacker can
cause the user to interact with the private resource in an undesired
way. By measuring response times, the attacker may also learn
significant confidential information about the private resource. Using
unguessable URIs, instead of guessable ones, prevents these attacks.

Good Practice: A URI assignment authority SHOULD only identify private
resources with unguessable URIs.

An unguessable URI only defends against these attacks if it is kept
confidential. A resource host SHOULD take precautions to ensure the
URI is only revealed to authorized users. To protect the URI from
network eavesdroppers, a protocol that supports confidentiality, such
as HTTPS, SHOULD be used. If the URL might appear in an HTTP Referer
header, the unguessable portion SHOULD be in the fragment component.
In all other cases, the unguessable portion SHOULD be in the query
component. Some software[1] for monitoring URI usage automatically
strips the query component from a URI before revealing it to a
third-party. Placing the unguessable portion of the URI in the query
component facilitates interaction with such software. A user-agent
MUST NOT disclose representations or URIs, unless either explicitly
instructed to do so by the user or as legitimately directed to by
presented content. Since the user may wish to keep this information
confidential, the user-agent must not assume it can be revealed to

[1], such as IE, Alexa toolbar, Squid proxy, ...


"Waterken News: Capability security on the Web"
Received on Tuesday, 9 February 2010 01:44:49 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:33:05 UTC