Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01) from Breno de Medeiros on 2009-02-12 (www-talk@w3.org from January to February 2009)

From: Breno de Medeiros <breno@google.com>
Date: Thu, 12 Feb 2009 11:38:10 -0800
To: Adam Barth <w3c@adambarth.com>
Cc: Mark Nottingham <mnot@mnot.net>, Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>
Message-ID: <29fb00360902121138w1966ab09x4286b87842efbcf1@mail.gmail.com>

Adam, did you try to create myspace.com/favicon.ico ?

You may not consider that a threat by companies do. If they were caught
distributing illegal images to every browser that navigates to the root of
their domain, they might be liable to crippling prosecution.

This is a common problem with all well-known-locations. That is why
host-meta was written in a generic format so that it can be the _last_
well-known-location. WKLs are evil, but also necessary.


On Thu, Feb 12, 2009 at 10:10 AM, Adam Barth <w3c@adambarth.com> wrote:

> On Thu, Feb 12, 2009 at 3:13 AM, Mark Nottingham <mnot@mnot.net> wrote:
> > My inclination, then, would be to note DNS rebinding as a risk in
> Security
> > Considerations that prudent clients can protect themselves against, if
> > necessary.
>
> That sounds reasonable.
>
> On Thu, Feb 12, 2009 at 3:22 AM, Mark Nottingham <mnot@mnot.net> wrote:
> > From that document;
> >>
> >> Valid content-type values are:
> >>
> >>        • text/* (any text type)
> >>        • application/xml
> >>        • application/xhtml+xml
> >
> > That's hardly "an explicit Content-Type"; it would be the default for a
> file
> > with that name on the majority of servers on the planet; the only thing
> it's
> > likely to affect is application/octet-stream, for those servers that
> don't
> > have a clue about what XML is.
>
> Interesting.  I wonder how they came up with this list.  The "text/*"
> value is particularly unsettling.  /me should go hack them.
>
> By the way, Breno asked for examples of sites were users can control
> content at arbitrary paths.  Two extremely popular ones are MySpace
> and Twitter.  For example, I signed up for a MySpace account at
> http://www.myspace.com/hostmeta and I could do the same for Twitter.
> As it happens, these two services don't let you pick URLs with a "-"
> character in them, but I wouldn't hang my hat on that for security.
>
> > Adam, my experience with security work is that there always needs to be a
> > trade-off with usability (both implementer and end-user). While DNS
> > rebinding is a concerning attack for *some* use cases, it doesn't affect
> all
> > uses of this proposal; making such a requirement would needlessly burden
> > implementers (as you point out). It's a bad trade-off.
>
> I agree.  Certainly not every use case will care about DNS Rebinding.
> Unfortunately, it will bite some application of host-meta at some
> point.
>
> Adam
>



-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)

Received on Thursday, 12 February 2009 19:38:49 UTC