- From: Jean-Claude Dufourd <jean-claude.dufourd@telecom-paristech.fr>
- Date: Mon, 07 Oct 2013 19:10:55 +0200
- To: Device APIs Working Group <public-device-apis@w3.org>
- Message-ID: <5252EB1F.7030500@telecom-paristech.fr>
Dear all, Re-reading the security issues brought to this list by Youenn, I wonder if we should drastically tighten up the security of the NSD API. Can we not just _remove_ the fields url and config from the NetworkService interface ? This way, the discovering web app would have no direct route to the discovered services: it would have only a handle that is useless for fingerprinting or hacking. One additional field would be a blob for the service description, if any. Then, to allow communication between the discovering web app and the discovered service, the NSD implementation would offer an _indirect_ communication channel(s). One possibility for the indirect communication channel could be Ajax-like, another could be WebSocket-like, another could be using UPnP messaging (HTTP+SOAP...) What I mean is the API offered by NSD would replace, in the original API, any URL or IP with the handle, and if necessary remove any address from returned information. I have already implemented the last (UPnP-style messaging), have created various examples and never needed to provide to the web apps any direct link to the services. It would be quite a powerful argument against NSD detractors that the url or IP of the service is never shared with the web app, and that all communication passes through/can be checked by the NSD implementation. Best regards JC -- Télécom ParisTech <http://www.telecom-paristech.fr> *Jean-Claude DUFOURD <http://jcdufourd.wp.mines-telecom.fr>* Directeur d'études Tél. : +33 1 45 81 77 33 37-39 rue Dareau 75014 Paris, France Site web <http://www.telecom-paristech.fr>Twitter <https://twitter.com/TelecomPTech>Facebook <https://www.facebook.com/TelecomParisTech>Google+ <https://plus.google.com/111525064771175271294>Blog <http://jcdufourd.wp.mines-telecom.fr>
Received on Monday, 7 October 2013 17:11:31 UTC