
Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 24 Feb 2009 09:07:27 +1100
Cc: Breno de Medeiros <breno@google.com>, Ben Laurie <benl@google.com>, Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>
Message-Id: <5B161A5E-DEF2-41FE-8B5A-EADC512C82C4@mnot.net>
To: Adam Barth <w3c@adambarth.com>

Adam,

To me, what's interesting here is that the problems you're
illustrating have never been an issue AFAIK with robots.txt, and they
didn't even come up as a concern during the discussions of P3P. I
wasn't there for sitemaps, but AFAICT they've been deployed without
the risk of unauthorised control of URIs being mentioned.

I think the reason for this is that once the mechanism gets
deployment, site operators are aware of the import of allowing control
of this URL, and take steps to assure that it isn't allowed if it's
going to cause a problem. They haven't done that yet in this case (and
thus you were able to get /host-meta) because this isn't deployed --
or even useful -- yet.

I would agree that this is not a perfectly secure solution, but I do
think it's good enough.

Of course, a mention in security considerations is worthwhile.

Cheers,



On 24/02/2009, at 8:21 AM, Adam Barth wrote:

> On Mon, Feb 23, 2009 at 1:04 PM, Breno de Medeiros  
> <breno@google.com> wrote:
>> No, it does not. It does introduce vulnerabilities to clients that visit
>> tinyurl.com with the expectation that they will interpret some metadata at
>> tinyurl.com to achieve specific aims.
>
> You're right: someone has to use host-meta for something for this
> attack to work.
>
>> Simply substituting tinyurl.com's host-meta affects no one until
>> tinyurl.com starts exposing some type of service or application that
>> client apps might want to configure/discover using host-meta.
>
> By owning their host-meta, I can opt them into whatever services use
> host-meta for discovery.
>
> Are you really saying that you don't care that I own their host-meta file?
>
>> As for your example of default charsets, where you are using a browser to
>> define a generic interpretation of how to use host-meta to discover default
>> charsets, it sounds like such API would need to be designed as:
>>
>> getHostMetaValue(URL resource_url, String host_meta_key, boolean
>> isAllowedToFollowRedirects)
>>
>> which hardly sounds to me like a burden.
>
> Don't forget mime types!
>
> String getHostMetaValue(URL resource_url, String host_meta_key,
> Boolean is_allowed_to_follow_redirects, Boolean
> require_strict_mime_type_processing)
>
> What about paper cut #37?
>
> String getHostMetaValue(URL resource_url, String host_meta_key,
> Boolean is_allowed_to_follow_redirects, Boolean
> require_strict_mime_type_processing, Boolean opt_out_of_paper_cut_37)
>
> That's the path to madness.
>
> Adam


--
Mark Nottingham     http://www.mnot.net/
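As an added example that is not part of this thread (not Mark's, Adam's or Breno's code, and not the draft's), here is a client-side host-meta fetcher in Python that enforces the two policy knobs the quoted exchange argues about: whether redirects are followed (and, if so, only within the same authority over https), and whether a strict media type is required. Everything in it is an assumption: the media type constant, the line-oriented key/value format, the hostnames, and the transport, which is replaced by constructed responses so the code runs offline.

```python
"""Added example: a policy-enforcing /host-meta client (not the draft's code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict
from urllib.parse import urljoin, urlsplit

# Assumption: placeholder media type a server must send for /host-meta; the
# draft's real registered type is not stated in this thread.
HOST_META_MEDIA_TYPE = "application/host-meta"


@dataclass
class Response:
    """Minimal HTTP response stand-in returned by the injected transport."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


class HostMetaError(Exception):
    """Raised whenever a fetch violates the client's policy."""


def parse_host_meta(body: str) -> Dict[str, str]:
    """Assumed 'Key: value' line format (not the draft's actual syntax)."""
    values: Dict[str, str] = {}
    for line in body.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            values[key.strip().lower()] = value.strip()
    return values


def fetch_host_meta(resource_url: str, transport: Callable[[str], Response],
                    allow_redirects: bool = False, strict_media_type: bool = True,
                    max_redirects: int = 3) -> Dict[str, str]:
    """Fetch https://<authority>/host-meta for resource_url under the given policy."""
    parts = urlsplit(resource_url)
    if parts.scheme != "https" or not parts.netloc:
        raise HostMetaError("resource must be an https URL with an authority")
    authority = parts.netloc
    url = f"https://{authority}/host-meta"
    for _ in range(max_redirects + 1):
        resp = transport(url)
        if 300 <= resp.status < 400:
            if not allow_redirects:
                raise HostMetaError(f"redirect from {url} refused by policy")
            location = resp.headers.get("Location")
            if not location:
                raise HostMetaError("redirect without a Location header")
            target = urljoin(url, location)
            tparts = urlsplit(target)
            # A redirect that leaves the authority would let another host speak for it.
            if tparts.scheme != "https" or tparts.netloc != authority:
                raise HostMetaError(f"redirect to {target} leaves authority {authority}")
            url = target
            continue
        if resp.status != 200:
            raise HostMetaError(f"{url} returned status {resp.status}")
        media_type = resp.headers.get("Content-Type", "").split(";", 1)[0].strip().lower()
        if strict_media_type and media_type != HOST_META_MEDIA_TYPE:
            raise HostMetaError(f"unexpected media type {media_type!r} from {url}")
        return parse_host_meta(resp.body)
    raise HostMetaError("too many redirects")


def get_host_meta_value(resource_url: str, key: str, transport: Callable[[str], Response],
                        **policy) -> str:
    """The single-key lookup discussed in the thread, with policy passed as keywords."""
    return fetch_host_meta(resource_url, transport, **policy).get(key.lower())


def policy_rejects(resource_url: str, transport: Callable[[str], Response], **policy) -> bool:
    """True when the fetch is refused under the given policy."""
    try:
        fetch_host_meta(resource_url, transport, **policy)
    except HostMetaError:
        return True
    return False


# Constructed responses standing in for the network (all hostnames are made up).
CONSTRUCTED_RESPONSES = {
    "https://example.com/host-meta": Response(
        200, {"Content-Type": "application/host-meta; charset=utf-8"}, "Default-Charset: utf-8\n"),
    "https://moved.example/host-meta": Response(302, {"Location": "/meta/host-meta"}),
    "https://moved.example/meta/host-meta": Response(
        200, {"Content-Type": HOST_META_MEDIA_TYPE}, "Default-Charset: iso-8859-1\n"),
    "https://redirector.example/host-meta": Response(
        302, {"Location": "https://other.example/host-meta"}),
    "https://other.example/host-meta": Response(
        200, {"Content-Type": HOST_META_MEDIA_TYPE}, "Default-Charset: utf-16\n"),
    "https://plaintext.example/host-meta": Response(
        200, {"Content-Type": "text/plain"}, "Default-Charset: windows-1252\n"),
}


def constructed_transport(url: str) -> Response:
    """Offline transport: look the URL up in the constructed table, else 404."""
    return CONSTRUCTED_RESPONSES.get(url, Response(404))


if __name__ == "__main__":
    print(get_host_meta_value("https://example.com/some/path", "Default-Charset", constructed_transport))
    print(policy_rejects("https://redirector.example/", constructed_transport, allow_redirects=True))
```

The two policy flags map onto Breno's `isAllowedToFollowRedirects` and Adam's `require_strict_mime_type_processing`; the same-authority rule on redirects is an extra check a defender would want, since a cross-host redirect is the easiest way for a third party to answer on a host's behalf. None of this addresses the case Adam actually raises, where a user of the site legitimately controls the /host-meta path: that is a server-side matter that only the site operator can fix, which is Mark's point above.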
Received on Monday, 23 February 2009 22:08:08 GMT
