
Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 23 Feb 2009 12:16:45 -0800
Message-ID: <7789133a0902231216p750cb563s587f941ab692e7df@mail.gmail.com>
To: Breno de Medeiros <breno@google.com>
Cc: Ben Laurie <benl@google.com>, Mark Nottingham <mnot@mnot.net>, Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>

On Mon, Feb 23, 2009 at 11:47 AM, Breno de Medeiros <breno@google.com> wrote:
> Or they may have to do it because host-meta does not allow redirects and
> they need it. I wonder what is more likely.

One solution is to add content to a host-meta file that says where to
find the host-meta file:

My-Host-Meta-Is-Located-At: http://www.example.com/my-favorite-host-meta

This has the advantage of not introducing vulnerabilities into existing servers.

> Because tinyurl.com allows you to do this.

Yes.  Precisely.  Following redirects introduces a vulnerability into
tinyurl.com.  That is why I recommend not following redirects.

I don't know how to make a more compelling case for security than
supplying a working proof-of-concept exploit that required all of five
seconds to create on one of the world's most popular sites.

> I am more imaginative: I could do DNS spoofing,

DNS spoofing requires a lot more work (i.e., a more powerful attacker)
than abusing redirects.

> or I could choose another
> site to hack that is actually more interesting than tinyurl.

So we shouldn't care about introducing vulnerabilities into tinyurl
because we don't think they are important enough?

Adam
Received on Monday, 23 February 2009 20:17:24 GMT
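
The client behaviour argued for in the message above, as an added example that is not part of the original post or of any host-meta implementation: the client accepts only a direct 200 answer for the well-known file, and any indirection has to come from a pointer line inside that file. Assumptions: the well-known path `/host-meta`, a line-based `Name: value` body, a single pointer hop, and the helper names and sample responses, which are constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit

POINTER = "my-host-meta-is-located-at"  # field name proposed in the message above

class HostMetaError(Exception):
    pass

def http_fetch(url):
    """One GET with no redirect handling; http.client never follows a 3xx itself."""
    u = urlsplit(url)
    https = u.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(u.netloc, timeout=10)
    try:
        conn.request("GET", u.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.read(65536).decode("utf-8", "replace")
    finally:
        conn.close()

def get_200(url, fetch):
    status, body = fetch(url)
    if status != 200:
        # A 3xx may be a redirector entry created by any visitor, not by the site owner.
        raise HostMetaError(f"{url}: status {status}, not following")
    return body

def resolve_host_meta(host, fetch=http_fetch):
    """Return (url, body) of the host-meta document that speaks for `host`."""
    well_known = f"http://{host}/host-meta"  # assumed well-known path
    body = get_200(well_known, fetch)
    for line in body.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == POINTER:
            target = value.strip()
            # Assumption: one hop only, and the target must itself answer 200.
            return target, get_200(target, fetch)
    return well_known, body

# Constructed sample responses (not real traffic).
SAMPLE = {
    "http://www.example.com/host-meta":
        (200, "My-Host-Meta-Is-Located-At: http://www.example.com/my-favorite-host-meta\n"),
    "http://www.example.com/my-favorite-host-meta": (200, "Link: <http://www.example.com/policy>\n"),
    "http://redirector.example/host-meta": (302, ""),
}

def sample_fetch(url):
    return SAMPLE.get(url, (404, ""))
```
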
