
Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 23 Feb 2009 11:46:25 -0800
Message-ID: <7789133a0902231146yc4585bbh650c5d2690549aa9@mail.gmail.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>
Cc: Breno de Medeiros <breno@google.com>, Ben Laurie <benl@google.com>, Mark Nottingham <mnot@mnot.net>, "www-talk@w3.org" <www-talk@w3.org>

On Mon, Feb 23, 2009 at 10:26 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote:
> It is pretty irresponsible to talk about 'security' as if there is a well established standard
> applicable for the web as a whole.

These security issues are real in the sense that there are actual
servers in the world which will or will not be hackable based on the
decisions we make.

> HTTP, as in RFC 2616, isn't secure at all. Even 2617 doesn't make things significantly
> better. Your entire approach is based on a very narrow viewpoint, biased by worries about
> known exploits specific to browsers.

I disagree.  I can use redirects to own tinyurl.com's host-meta store
regardless of the existence of any Web browsers.

> None of my use cases for host-meta even remotely care about browsers. Are you
> suggesting we revise HTTP to make it secure?

I'm suggesting that the world is full of legacy servers.  If we fail
to consider how these legacy servers interact with new proposals, we
will introduce new vulnerabilities into those servers.

> /host-meta offers a simple mechanism to register metadata links. If you have specific
> application security needs, you need to address them at the appropriate level, that is,
> the application. If more than one application has the same needs, they can come
> together and propose a security extension of the /host-meta spec. Not supporting redirects
> is one such idea (though I find it utterly useless for security).

I think it's more likely that folks that require security will ignore
host-meta and invent their own metadata store.

> But just for fun, how is a redirect any less secure than changing the content of the
> /host-meta document at its original URI?

I don't have the ability to change the host-meta document at
tinyurl.com.  I do have the ability to add a redirect from /host-meta
to a URL I control.  Prior to host-meta, this is not a vulnerability
in tinyurl.

> Either you know the host-meta file you found is what the host-owner intended or you
> don't. HTTP (which is really the only tool we are using here) doesn't offer you any such
> assurances.

Reality is not as binary as you imply.  There is a spectrum of threat
models corresponding to different attacker abilities.  Following
redirects lets weaker attackers compromise host-meta, adding yet
another paper cut to the insecurity of host-meta.

Adam
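The redirect problem Adam describes (a host's /host-meta answered by a redirect to a URL on another origin, so that whoever can create that redirect ends up supplying the host's metadata) can be made concrete with a fetcher that enforces an explicit redirect policy. The Python below is an added example; it is not code from this thread or from the host-meta draft. The hosts shortener.example, attacker.example and honest.example, and the responses they return, are constructed stand-ins held in an in-memory table rather than fetched over the network.

```python
from urllib.parse import urljoin, urlsplit

# Constructed, in-memory stand-in for HTTP: url -> (status, headers, body).
# shortener.example models a host where users can point a path at a redirect;
# attacker.example is a host controlled by whoever created that redirect;
# honest.example redirects only within its own origin. All names are placeholders.
FAKE_HTTP = {
    "http://shortener.example/host-meta": (
        302, {"Location": "http://attacker.example/host-meta"}, b""),
    "http://attacker.example/host-meta": (
        200, {}, b'Link: <http://attacker.example/policy>; rel="policy"\n'),
    "http://honest.example/host-meta": (
        302, {"Location": "/.well-known/host-meta"}, b""),
    "http://honest.example/.well-known/host-meta": (
        200, {}, b'Link: <http://honest.example/policy>; rel="policy"\n'),
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


class RedirectRejected(Exception):
    """Raised when the fetcher's redirect policy refuses to follow a hop."""


def same_origin(a, b):
    """True if two URLs share scheme, host and port (origin in the RFC 6454 sense)."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


def fetch_host_meta(host, policy="none", max_hops=5, http=FAKE_HTTP):
    """Fetch http://<host>/host-meta under a redirect policy.

    policy: "follow"      -> any redirect is followed (the behaviour at issue)
            "same-origin" -> only redirects that stay on the starting origin
            "none"        -> any redirect is treated as a failure
    Returns (authority that actually served the document, body text).
    """
    start = url = f"http://{host}/host-meta"
    for _ in range(max_hops + 1):
        status, headers, body = http.get(url, (404, {}, b""))
        if status in REDIRECT_CODES:
            target = urljoin(url, headers["Location"])
            if policy == "none":
                raise RedirectRejected(f"{url} redirects; policy forbids it")
            if policy == "same-origin" and not same_origin(start, target):
                raise RedirectRejected(f"{url} redirects off-origin to {target}")
            url = target
            continue
        if status == 200:
            return urlsplit(url).netloc, body.decode()
        raise LookupError(f"{url} returned {status}")
    raise RedirectRejected("too many redirects")


def served_by(host, policy):
    """Authority that ended up supplying <host>'s metadata, or None if refused."""
    try:
        return fetch_host_meta(host, policy)[0]
    except RedirectRejected:
        return None


if __name__ == "__main__":
    for h in ("shortener.example", "honest.example"):
        for p in ("follow", "same-origin", "none"):
            print(f"{h:18} {p:12} -> {served_by(h, p)}")
```

Under the "follow" policy the metadata for shortener.example is served by attacker.example, which is exactly the outcome the message above warns about; "same-origin" still permits the honest host's redirect to /.well-known/host-meta while refusing the cross-origin hop, and "none" refuses both. The returned authority, not just the body, is what a consumer should check before trusting the document.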
Received on Monday, 23 February 2009 19:47:00 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 27 October 2010 18:14:30 GMT