
Re: web+ and registerProtocolHandler

From: Chris Weber <chris@lookout.net>
Date: Wed, 12 Sep 2012 12:04:43 -0700
Message-ID: <5050DCCB.6010605@lookout.net>
To: Adam Barth <w3c@adambarth.com>
CC: Peter Saint-Andre <stpeter@stpeter.im>, Larry Masinter <masinter@adobe.com>, "michel@suignard.com" <michel@suignard.com>, "tony@att.com" <tony@att.com>, "plh@w3.org" <plh@w3.org>, "adil@diwan.com" <adil@diwan.com>, "robin@berjon.com" <robin@berjon.com>, "ted.ietf@gmail.com" <ted.ietf@gmail.com>, John O'Conner <jooconne@adobe.com>, "presnick@qualcomm.com" <presnick@qualcomm.com>, "Martin J. Dürst" <duerst@it.aoyama.ac.jp>, "public-ietf-w3c@w3.org" <public-ietf-w3c@w3.org>
It might be helpful to see some end-to-end use case scenarios for
web+.  I can see the rather obvious ones, but have they been
documented or discussed in more detail anywhere?

Regarding registerProtocolHandler in general, how was the whitelist of
allowed schemes determined?  Why is 'ssh' in the list?

The crux of security defense with registerProtocolHandler comes down
to yet another modal dialog presented to the end user, a troubling
scenario given the enumerated list of threats in the spec:

Hijacking all Web usage
Hijacking defaults
Registration spamming
Misleading titles
Hostile handler metadata
Leaking Intranet URLs
Leaking secure URLs
Leaking credentials

Best regards,

On 9/12/2012 9:52 AM, Adam Barth wrote:
> I should be clear that I'm not advocating "web+" as a good idea. 
> I'm just explaining the security consequences of the various 
> options.
> Adam
> On Wed, Sep 12, 2012 at 7:47 AM, Peter Saint-Andre
> <stpeter@stpeter.im> wrote:
> In the context of whitelisting vs.
> blacklisting, the concern I have with the prefixing idea is that
> it implicitly whitelists any URI scheme that starts with the
> string "web+", yet the proponents of this idea have not specified
> any criteria for review of such prefixed URI schemes (or even
> answered the questions raised here and elsewhere about whether
> additional review is needed for such schemes by the designated
> experts or the IANA).
> I agree that blacklisting doesn't scale and isn't secure. I 
> disagree that implicit whitelisting is the answer.
> Peter
> On 9/10/12 9:56 AM, Adam Barth wrote:
>>>> It's just a practical issue.  Many folks have URI schemes 
>>>> registered on their computers that are not safe for web
>>>> sites to hijack (i.e., register).  It's not practical to
>>>> create a blacklist that effectively mitigates that risk.  As
>>>> it happens, we are not aware of any folks who have such
>>>> registrations for URI schemes that begin with "web+".
>>>> Adam
>>>> On Mon, Sep 10, 2012 at 1:01 AM, Larry Masinter 
>>>> <masinter@adobe.com> wrote:
>>>>> since this affects ietf and w3c, and public-ietf-w3c is 
>>>>> publicly archived, could someone explain why allowing 
>>>>> registering arbitrary web+xxx scheme handlers is any
>>>>> better than allowing arbitrary (unblacklisted) xxx scheme 
>>>>> handlers?
>>>>> -----Original message-----
>>>>> From: Adam Barth <w3c@adambarth.com>
>>>>> To: Larry Masinter <masinter@adobe.com>
>>>>> Cc: "michel@suignard.com" <michel@suignard.com>, Tony Hansen <tony@att.com>,
>>>>> Philippe Le Hegaret <plh@w3.org>, Peter Saint-Andre <stpeter@stpeter.im>,
>>>>> Adil Allawi <adil@diwan.com>, Robin Berjon <robin@berjon.com>,
>>>>> Ted Hardie <ted.ietf@gmail.com>, John O'Conner <jooconne@adobe.com>,
>>>>> Pete Resnick <presnick@qualcomm.com>, "Martin J. Dürst" <duerst@it.aoyama.ac.jp>,
>>>>> Chris Weber <chris@lookout.net>
>>>>> Sent: Sun, Sep 9, 2012 19:09:22 GMT+00:00
>>>>> Subject: RE: 85th IETF - Working Group/BOF/IRTF Scheduling - REMINDER
>>>>> We should discuss further on a publicly archived mailing 
>>>>> list.
>>>>> Adam
>>>>> On Sep 9, 2012 12:00 PM, "Larry Masinter" 
>>>>> <masinter@adobe.com> wrote:
>>>>>> Why doesn't "web+"  introduce all the same problems a 
>>>>>> blacklist approach (where everything is allowed unless 
>>>>>> explicitly disallowed) introduces? That's kind of what 
>>>>>> Chris' tests are showing.
>>>>>> And what's the point, anyway, of a precise specification 
>>>>>> but leaving out the necessary steps to implement the spec
>>>>>> securely?
>>>>>> -----Original Message-----
>>>>>> From: Adam Barth [mailto:w3c@adambarth.com]
>>>>>> Sent: Sunday, September 09, 2012 10:20 AM
>>>>>> To: Chris Weber
>>>>>> Cc: Larry Masinter; "Martin J. Dürst"; Peter Saint-Andre; Philippe Le
>>>>>> Hegaret; John O'Conner; Tony Hansen; Ted Hardie; michel@suignard.com;
>>>>>> Adil Allawi; Pete Resnick; Robin Berjon
>>>>>> Subject: Re: 85th IETF - Working Group/BOF/IRTF Scheduling - REMINDER
>>>>>> Folks can be unhappy with a whitelist all they want.  A 
>>>>>> blacklist isn't secure and we won't implement it.
>>>>>> Adam
>>>>>> On Sun, Sep 9, 2012 at 12:11 AM, Chris Weber 
>>>>>> <chris@lookout.net> wrote:
>>>>>>> Thanks for the message Martin and Larry.  I will not
>>>>>>> be in Atlanta unfortunately. I'm guessing Peter
>>>>>>> will..? I'd be happy to schedule some design meeting
>>>>>>> time for next week after the expiring drafts have been 
>>>>>>> re-submitted.
>>>>>>> As far as web+xxx, I'm still afraid that a user 
>>>>>>> fingerprinting and tracking risk exists - though I 
>>>>>>> didn't test the isProtocolHandlerRegistered() method 
>>>>>>> for exploitability because it didn't exist, I see 
>>>>>>> Safari has implemented it now and Chrome and Firefox 
>>>>>>> have some active bugs for tracking.
>>>>>>> Also, I notice that some developers are not happy with 
>>>>>>> the whitelist vs blacklist approach: 
>>>>>>> https://github.com/jquery/standards/issues/12
>>>>>>> -Chris
>>>>>>> On 9/8/2012 9:32 AM, Larry Masinter wrote:
>>>>>>>> I'm planning to go to IETF Atlanta (direct from W3C 
>>>>>>>> TPAC in Lyon)
>>>>>>>> I'd like to better coordinate the IETF and W3C specs 
>>>>>>>> on URLs, IRIs, etc. Doing so was my original 
>>>>>>>> motivation for revising these specs in the first 
>>>>>>>> place. I'd like to also see if we can make progress 
>>>>>>>> on "web+xxx" and (if it's still in W3C specs) 
>>>>>>>> "http+aes".
>>>>>>>> I see Chris is doing testing. Making progress on open
>>>>>>>> issues was stymied by lack of testing, so perhaps now
>>>>>>>> that we have some testing capabilities we can make
>>>>>>>> more rapid progress.
>>>>>>>> Larry
> <snip/>
Received on Wednesday, 12 September 2012 19:04:40 UTC
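The thread above argues about what registerProtocolHandler should reject before any dialog is shown: a fixed whitelist of schemes (including 'ssh'), plus an implicit whitelist of anything spelled "web+" followed by letters, versus a blacklist of locally registered schemes that cannot be enumerated. The following is an added example, not code from the thread or from any browser, that models those pre-dialog checks so the consequences are visible on concrete input. The scheme list is the one the WHATWG HTML spec carried around 2012, reproduced from memory; the rule that the handler URL must be same-origin with the registering page is a simplification of the spec's handler-URL checks; and the "localapp" scheme and all URLs are constructed. Treat all three as assumptions.

```javascript
// Added example, not from the thread or any browser: a model of the checks
// a browser runs on navigator.registerProtocolHandler(scheme, url, title)
// before it shows the user a confirmation dialog. Whitelist reproduced from
// memory (assumption); same-origin handler rule simplified (assumption).
const SAFE_SCHEMES = new Set([
  'bitcoin', 'geo', 'im', 'irc', 'ircs', 'magnet', 'mailto', 'mms', 'news',
  'nntp', 'sip', 'sms', 'smsto', 'ssh', 'tel', 'urn', 'webcal', 'wtai', 'xmpp',
]);

// Returns {ok: true, scheme, handler} when the request would reach the user
// prompt, or {ok: false, error, reason} naming the DOMException a browser
// would throw instead of prompting.
function checkProtocolHandler(scheme, handlerUrl, documentUrl) {
  if (typeof scheme !== 'string' || scheme === '') {
    return { ok: false, error: 'SecurityError', reason: 'empty scheme' };
  }
  // Explicit whitelist, or the implicit one: "web+" plus one or more ASCII
  // lowercase letters. Anything else is refused without consulting any
  // list of locally registered schemes, which is the point of the design.
  const safe = SAFE_SCHEMES.has(scheme) || /^web\+[a-z]+$/.test(scheme);
  if (!safe) {
    return { ok: false, error: 'SecurityError', reason: `scheme ${scheme} not whitelisted` };
  }
  // The unparsed handler URL must carry the literal "%s" placeholder.
  if (!handlerUrl.includes('%s')) {
    return { ok: false, error: 'SyntaxError', reason: 'handler URL lacks %s' };
  }
  let handler;
  try {
    handler = new URL(handlerUrl, documentUrl);
  } catch {
    return { ok: false, error: 'SyntaxError', reason: 'handler URL does not parse' };
  }
  // Assumption: the registering page may only route the scheme to its own origin.
  if (handler.origin !== new URL(documentUrl).origin) {
    return { ok: false, error: 'SecurityError', reason: 'handler URL is cross-origin' };
  }
  return { ok: true, scheme, handler: handler.href };
}

// What the handler page receives once a registration is accepted and a link
// is followed: the entire target URL, percent-encoded, substituted for %s.
// Host names, paths and query strings all leave for the handler's site, which
// is the "Leaking Intranet URLs" / "Leaking secure URLs" threat in the spec.
function buildHandlerTarget(handlerUrl, targetUrl) {
  return handlerUrl.replace('%s', encodeURIComponent(targetUrl));
}

// Constructed sample registrations, all attempted from https://app.example.
const DOC = 'https://app.example/index.html';
const ATTEMPTS = [
  ['mailto',        'https://app.example/compose?to=%s'],  // whitelisted
  ['ssh',           'https://app.example/term?host=%s'],   // whitelisted (the 'ssh' question)
  ['web+ssh',       'https://app.example/term?host=%s'],   // implicitly whitelisted by prefix
  ['localapp',      'https://app.example/run?u=%s'],       // constructed stand-in for a natively registered scheme
  ['web+Localapp',  'https://app.example/run?u=%s'],       // uppercase after web+: refused
  ['mailto',        'https://app.example/compose'],        // no %s placeholder
  ['mailto',        'https://evil.example/compose?to=%s'], // cross-origin handler
];

// One line per attempt: either it reaches the user prompt or the error thrown.
function triage(attempts, documentUrl) {
  return attempts.map(([scheme, url]) => {
    const r = checkProtocolHandler(scheme, url, documentUrl);
    return r.ok ? `${scheme}: prompt user` : `${scheme}: ${r.error} (${r.reason})`;
  });
}

for (const line of triage(ATTEMPTS, DOC)) console.log(line);
console.log(buildHandlerTarget('https://app.example/term?host=%s',
                               'web+ssh://db.corp.example/'));
```

Run with `node`. Note what the triage shows: 'localapp' is refused without the browser knowing whether any native application claims it, so no blacklist is needed for that case, while 'web+ssh' reaches the prompt on no review at all, which is exactly the implicit-whitelisting concern raised in the thread. Everything that does pass then depends on the user's answer to the dialog, and the last line shows what the handler learns once they say yes.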