Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

From: Ben Laurie <benl@google.com>
Date: Tue, 24 Feb 2009 09:54:34 +0000
Message-ID: <1b587cab0902240154i49965bdcy2366c43de22aef52@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Mark Nottingham <mnot@mnot.net>, Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>

On Mon, Feb 23, 2009 at 5:32 PM, Adam Barth <w3c@adambarth.com> wrote:
> On Mon, Feb 23, 2009 at 5:38 AM, Ben Laurie <benl@google.com> wrote:
>> I don't see why - if www.us.example.com chooses to delegate to
>> www.hq.example.com, that is its affair, not ours, surely?
>
> Following redirects is insecure for sites that let users configure redirects.
>
> Every time you trade away security like this, you make it more likely
> that host-meta will be unusable for secure metadata.  If host-meta is
> unsuitable for secure metadata, folks that require security will just
> work around host-meta by creating a "secure-meta."  I can't tell you
> which of the security compromises will cause this to happen.  Security
> is often a "death of a thousand paper cuts" that eventually add up to
> you being owned.

I thought signing was supposed to deal with the issues around redirects?

Received on Tuesday, 24 February 2009 09:55:13 GMT