Re: ACTION-278 Hiding metadata for security reasons

From: Dan Connolly <connolly@w3.org>
Date: Thu, 11 Feb 2010 13:56:28 -0600
To: ashok.malhotra@oracle.com
Cc: Larry Masinter <masinter@adobe.com>, Tyler Close <tyler.close@gmail.com>, Tim Berners-Lee <timbl@w3.org>, John Kemp <john@jkemp.net>, Jonathan Rees <jar@creativecommons.org>, "www-tag@w3.org" <www-tag@w3.org>, "Mark S. Miller" <erights@google.com>
Message-ID: <1265918188.3812.1203.camel@pav.lan>

On Wed, 2010-02-10 at 16:50 -0800, ashok malhotra wrote:
> Larry said ...
> 
> "It *might* be possible to make secret URLs into a "yellow ribbon" 
> security mechanism, if, for example,
> the "unguessable" part of the URL were clearly unguessable.  (Random 
> jumble of letters rather than,
> say, random quotes from literature, which might not
> look random.)"
> 
> I agree with this.  DanC says that secret URLs can be made as
> secure as password protection or more.  I don't understand how.
> Perhaps DanC could elaborate.

I said passwords+cookies (which is the way passwords are almost
universally deployed in the web; nobody asks for your password
for _every_ HTTP request, and almost nobody uses MD5-auth or
any of the alternatives.)

Passwords+cookies don't protect against CSRF; unguessable URIs do.

"The attacker must determine the right values for all the form's or
URL's inputs: if any of them are required to be secret authentication
values or IDs that the attacker can't guess, the attack will fail."
 -- http://en.wikipedia.org/wiki/Cross-site_request_forgery




-- 
Dan Connolly, W3C http://www.w3.org/People/Connolly/
gpg D3C2 887B 0F92 6005 C541  0875 0F91 96DE 6E52 C29E
Received on Thursday, 11 February 2010 19:56:31 GMT
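
The comparison made in the message above, as an added example that is not part of the original post: a small Python model of why a cross-site request succeeds when authority rides on a cookie but fails when authority is an unguessable URL component. The handler names, paths and session data are hypothetical and constructed for illustration.

```python
import hmac
import secrets

# Constructed sample state: one logged-in user and no capabilities issued yet.
SESSIONS = {"sess-alice": "alice"}   # cookie value -> user
CAPABILITIES = {}                    # unguessable path token -> user


def mint_capability_url(user):
    """Issue a URL whose last path segment is 256 bits of CSPRNG output."""
    token = secrets.token_urlsafe(32)
    CAPABILITIES[token] = user
    return "/transfer/" + token


def handle_cookie_auth(path, cookies):
    """Passwords+cookies model: the URL is fixed, authority is the ambient cookie."""
    user = SESSIONS.get(cookies.get("session", ""))
    return 200 if path == "/transfer" and user else 403


def handle_capability(path, cookies):
    """Unguessable-URL model: authority is in the URL itself; cookies are ignored."""
    prefix = "/transfer/"
    if not path.startswith(prefix):
        return 403
    presented = path[len(prefix):].encode()
    # Constant-time comparison so response timing does not leak token prefixes.
    ok = any(hmac.compare_digest(t.encode(), presented) for t in CAPABILITIES)
    return 200 if ok else 403


def browser_request(handler, path, cookie_jar):
    """A browser attaches the site's cookies no matter which page triggered the request."""
    return handler(path, dict(cookie_jar))


def demo():
    jar = {"session": "sess-alice"}      # victim's browser, already logged in
    issued = mint_capability_url("alice")
    # A third-party page never sees the issued URL, so it can only guess a token.
    guessed = "/transfer/" + secrets.token_urlsafe(32)
    return {
        "cookie_cross_site": browser_request(handle_cookie_auth, "/transfer", jar),
        "capability_cross_site": browser_request(handle_capability, guessed, jar),
        "capability_legitimate": browser_request(handle_capability, issued, jar),
    }
```

The model only covers the request-forgery case discussed in the message; it says nothing about how the issued URL is kept from leaking through referrers, logs or history.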