- From: John O'Donovan <john.odonovan@bbc.co.uk>
- Date: Wed, 3 Nov 2010 20:53:42 -0000
- To: "Manu Sporny" <msporny@digitalbazaar.com>, "RDFa WG" <public-rdfa-wg@w3.org>
Isn't it generally a more prominent warning in a pop-up box, such as illustrated here: http://www.sslshopper.com/article-stop-the-page-contains-secure-and-nonsecure-items-warning.html

John O'Donovan
Chief Technical Architect
BBC News and Knowledge, Future Media & Technology
BC3 C1, Broadcast Centre, 201 Wood Lane, London
http://www.bbc.co.uk/news/
http://www.bbc.co.uk/sport/
http://www.bbc.co.uk/weather/
http://www.bbc.co.uk/

-----Original Message-----
From: public-rdfa-wg-request@w3.org [mailto:public-rdfa-wg-request@w3.org] On Behalf Of Manu Sporny
Sent: 03 November 2010 20:37
To: RDFa WG
Subject: Possible issue w/ @profile and http vs. https

Just noting this here as it popped into my head while dealing with some SSL-related browser issues.

When a web page and its associated resources are loaded over TLS, the browser will provide a graphical warning (usually in the URL bar website icon) if there are some resources that were loaded over a non-TLS connection into the page. This is usually triggered whenever there are images or CSS files that were loaded over an HTTP vs. an HTTPS connection. The browsers do this because an image or CSS file might trick the person browsing into doing something that is unsafe.

@profile falls into this category: if a @profile is compromised, it may generate the wrong triples in a page. If one is operating on RDF triples via the RDFa API on a page that was loaded via HTTPS, and the @profile was loaded via HTTP, there is a possible security vulnerability there.

I can't think of an attack that could do a serious amount of damage at this point, as the RDFa API does not exist and RDF page data is probably not used to drive logic at this point in time. Just throwing this out there as I do think that we would want to ensure that the browsers that implement RDFa Core "fail to load a profile" when a profile is loaded from an HTTPS page in non-HTTPS mode.

It's really implementation guidance, but perhaps something that should be placed into the RDFa API spec or the RDFa Core spec?

Thoughts?

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny)
President/CEO - Digital Bazaar, Inc.
blog: Making Payments Frictionless, Saving Journalism
http://digitalbazaar.com/2010/09/12/payswarm-api/
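The "fail to load a profile" rule Manu proposes, as an added illustration that is not part of the thread or of any RDFa implementation: a hypothetical check that resolves each whitespace-separated @profile reference against the page URL and refuses any that would be fetched over plain HTTP from an HTTPS page (function and sample URLs are constructed for this example).

```javascript
// Added example (not from the thread): apply the mixed-content rule to
// RDFa @profile references. Names here are hypothetical, not a real API.

// Resolve one @profile value against the document URL (it may be relative)
// and decide whether fetching it is allowed. Returns { url, allowed, reason }.
function checkProfileLoad(documentUrl, profileRef) {
  const doc = new URL(documentUrl);
  let profile;
  try {
    profile = new URL(profileRef, doc.href); // relative refs resolve against the page
  } catch (e) {
    return { url: null, allowed: false, reason: "unparseable profile reference" };
  }
  const pageIsSecure = doc.protocol === "https:";
  const profileIsSecure = profile.protocol === "https:";
  if (pageIsSecure && !profileIsSecure) {
    // Mixed content: a profile fetched without TLS could be altered in
    // transit and change which triples the page yields, so do not load it.
    return {
      url: profile.href,
      allowed: false,
      reason: "mixed content: https page, " + profile.protocol + " profile",
    };
  }
  return { url: profile.href, allowed: true, reason: "ok" };
}

// Split a page's @profile attribute (whitespace-separated list) and
// partition the references into loadable and refused ones.
function partitionProfiles(documentUrl, profileAttr) {
  const allowed = [];
  const blocked = [];
  for (const ref of profileAttr.split(/\s+/).filter(Boolean)) {
    const result = checkProfileLoad(documentUrl, ref);
    (result.allowed ? allowed : blocked).push(result);
  }
  return { allowed, blocked };
}

// Constructed sample: an HTTPS page whose @profile lists three references.
const sampleReport = partitionProfiles(
  "https://example.org/news/article.html",
  "http://example.net/profile/rdfa http://example.org/profiles/news /profiles/local"
);
console.log(JSON.stringify(sampleReport, null, 2));
```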
Received on Wednesday, 3 November 2010 20:54:17 UTC