W3C home > Mailing lists > Public > www-talk@w3.org > January to February 2009

Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 23 Feb 2009 09:32:32 -0800
Message-ID: <7789133a0902230932t5697f5r9c35d1982c8f9ba9@mail.gmail.com>
To: Ben Laurie <benl@google.com>
Cc: Mark Nottingham <mnot@mnot.net>, Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>
On Mon, Feb 23, 2009 at 5:38 AM, Ben Laurie <benl@google.com> wrote:
> I don't see why - if www.us.example.com chooses to delegate to
> www.hq.example.com, that that is its affair, not ours, surely?

Following redirects is insecure for sites that let users configure redirects.

Every time you trade away security like this, you make it more likely
that host-meta will be unusable for secure metadata.  If host-meta is
unsuitable for secure metadata, folks that require security will just
work around host-meta by creating a "secure-meta."  I can't tell you
which of the security compromises will cause this to happen.  Security
is often a "death of a thousand paper cuts" that eventually add up to
you being owned.

Adam
Received on Monday, 23 February 2009 17:34:23 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 27 October 2010 18:14:30 GMT