W3C home > Mailing lists > Public > www-tag@w3.org > February 2010

Re: ACTION-278 Hiding metadata for security reasons

From: John Kemp <john@jkemp.net>
Date: Wed, 10 Feb 2010 20:26:02 -0500
Cc: Tyler Close <tyler.close@gmail.com>, Dan Connolly <connolly@w3.org>, Tim Berners-Lee <timbl@w3.org>, "ashok.malhotra@oracle.com" <ashok.malhotra@oracle.com>, Jonathan Rees <jar@creativecommons.org>, "www-tag@w3.org" <www-tag@w3.org>, "Mark S. Miller" <erights@google.com>
Message-Id: <FA449F35-F864-4B37-95D8-F16B79A85CCA@jkemp.net>
To: Larry Masinter <masinter@adobe.com>
On Feb 10, 2010, at 6:05 PM, Larry Masinter wrote:

>>  A user-agent
>> MUST NOT disclose representations or URIs, unless either explicitly
>> instructed to do so by the user or as legitimately directed to by
>> presented content. Since the user may wish to keep this information
>> confidential, the user-agent must not assume it can be revealed to
>> third-parties.
> 
> While I'm sympathetic to the intent, this leaves undefined
> the scope of "user agent" here, referent of "the user", 
> and the meanings of "disclose", "legitimately", "confidential",
> "assume" and "third-parties".  Does "user agent" apply to,
> say, archive.org (which might pick up a mailing list archive
> of an email and scan what is supposed to be a 'private'
> URL)? Does it apply to, say, news.google.com, which seems
> to aggregate news from newspapers that have a "news reader"
> registration and login requirements?
> 
> I don't think this is an effective path to pursue.

I agree with you that it is pointless to try to shut the barn door after the horse has escaped. 

> There are
> agents that use URIs, including browsers, crawlers, scanners, 
> aggregators, portals, bookmark sharing tools, translation
> gateways, Internet Archive services. These agents, for better
> or worse, have widely varying properties where information
> retrieved by them is distributed further, including using
> Referer, publishing access logs, peer sharing of cached 
> retrieved results, etc.  Many of those deployed web agents
> make the presumption that any material they access without
> going through any particular access control mechanism may
> be shared further without particular restriction, although
> in practice the distribution that happens is not widespread,
> there are no guarantees.

Indeed, so any entity exposing a resource should make sure (perhaps also authenticating the requestor) that a representation is sent only to those entities entitled to have it, and to share it. I wouldn't recommend that the originator of a secret URI, or a representation containing such data, share that data with crawlers, aggregators and the like - personally I would ask for a user authentication and authorization before I divulged a secret URI intended for that user.  

[...]

> 
> While "secret URLs" provide the appearance of adding some
> amount of confidentiality to the results, in fact, there
> are many circumstances where such URLs are disclosed,
> by agents that are not browsers

As mentioned above, I don't think that a representation containing confidential data of any kind should be shared with crawlers, aggregators and the like. 

However, a secret URI shared between the originator of that URI and an agent acting on behalf of an (authenticated) user, and unguessable, seems unlikely to be shared to anyone other than the user who was the intended recipient, the user-agent which this user is wielding, and the origin server which minted the URI and transmitted it securely, provided some security considerations are followed:

i) Transmit the secret via a confidential channel shared by exactly two parties (SSL/TLS will do nicely)
ii) Transmit the secret in a way such that it does not appear in the Referer header of a subsequent HTTP request
iii) Neither the origin server, not the user shares the secret URI with another party (ie. the secret URI has the same security considerations as what we commonly call a "password" or shared secret. 
iv) The secret URI contains an unguessable component, such as a large random number. 

Can you explain how, under the circumstances above, a secret URI will be disclosed other than by a sharing action by one of the two parties to the secret? 

> and whose update to follow
> recommendations in _this_ document is unlikely.

I agree that the proposed text above is not likely to have the intended effect.

> 
> A false sense of security is worse than no security,
> in many circumstances. 
> 
> If users wish to make material available to "anyone who
> has the URL", that's fine, but don't make any promises
> that this is a "security" mechanism, because it's not.
> 
> There is a kind of "security" I've heard called "yellow
> ribbon security", which functions like the "yellow ribbon"
> banner sometimes put up:
> 
> "POLICE LINE DO NOT CROSS".
> 
> Now, the yellow ribbon doesn't actually prevent anyone
> from crossing it, it just puts the crosser on notice
> that they are actually crossing a line someone (perhaps
> even the police) do not want them to cross.
> 
> It *might* be possible to make secret URLs into a 
> "yellow ribbon" security mechanism, if, for example,
> the "unguessable" part of the URL were clearly 
> unguessable. 

How are large random numbers not "clearly unguessable" (for some quite long period of time)?

How is this mechanism any _less_ secure than that where a separate password is asked for when a non-secret URI is accessed, provided the same security considerations as above for the establishment of the password (password is shared over SSL/TLS between exactly two parties, etc. etc.)? 
 
Regards,

- johnk
Received on Thursday, 11 February 2010 01:26:33 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 April 2012 12:48:19 GMT