Re: Limiting requests from the internet to the intranet.

From: Erik Nygren <erik+w3@nygren.org>
Date: Fri, 8 Jan 2016 16:30:20 -0500
Message-ID: <CAKC-DJgd7yAUHMyrOp238+AB5e9Y3yRzm9YP+Ya+vM6H52qWyg@mail.gmail.com>
To: Richard Barnes <rbarnes@mozilla.com>
Cc: Mike West <mkwst@google.com>, "Nottingham, Mark" <mnotting@akamai.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>, Brad Hill <hillbrad@gmail.com>, Dan Veditz <dveditz@mozilla.com>, Brian Smith <brian@briansmith.org>, Ryan Sleevi <sleevi@google.com>, Justin Schuh <jschuh@google.com>, Devdatta Akhawe <dev@dropbox.com>, Anne van Kesteren <annevk@annevk.nl>, Chris Palmer <palmer@google.com>, "lee@asgard.org" <lee@asgard.org>
On Fri, Jan 8, 2016 at 1:14 PM, Richard Barnes <rbarnes@mozilla.com> wrote:

>>> I think Richard is on a pretty good path -- expose the primitives that we
>>> have reasonably easy access to, and figure out reasonable default
>>> behaviours for each.
>>
>> I still don't follow Richard's proposal. What do you think he's
>> suggesting? :)
>
> I would also be interested to know what Erik thought I was suggesting, but
> let me try to explain what I meant:
>
> - Spec defines a few categories of address space / source ("global",
> "private", "loopback", "link-local", "dot-local")
> - A CORS header like Access-Control-Allow-Network can allow access from
> any of these tokens
>
> I'm not sure I really think this is the best idea, but in any case, wanted
> to be clearer.
>

Something very much like this but thinking through the "private" case a
little bit more.  For example, allowing SoHo routers or network/server
administrators to define address space realms.  For example, SoHo routers
could include extensions to what is defined as "private" or configure an
additional "behind-the-firewall" to include the local network space behind
the firewall, regardless of what address block(s) were included.


Another somewhat related idea we've discussed some in this space is whether
HTTPS with in-URL certificate fingerprints could help with many of these
cases.  For example, if the admin interface to a home router generated its
own key pair and on connections redirected you to (the unfortunately ugly):

    https://cert=rsa:07801f1b0d01...e786c2dac60bcb5a@192.168.1.1/

then that provides a vaguely reasonable TOFU interface for accessing local
resources over HTTPS without needing to tie into a global CA hierarchy that
doesn't make as much sense in a local/SoHo environment.  This potentially
makes drive-by CSRF attacks harder (well, until we provide a JavaScript API
to get the cert fingerprints).

        Erik
Received on Friday, 8 January 2016 21:30:49 UTC
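
The address-space check from the quoted proposal, sketched as an added example that is not part of the original message or of any specification. The comma-separated header syntax, the default policy (global targets and same-space requests pass, anything else needs an opt-in) and all function names are assumptions; the sample hosts and addresses are constructed.

```python
import ipaddress

# Tokens from the proposal quoted in the thread. "dot-local" is name-based
# (mDNS-style .local hosts); the others are derived from the IP address.
TOKENS = {"global", "private", "loopback", "link-local", "dot-local"}

def classify(host, address):
    """Map a (hostname, IP) pair to one address-space token."""
    if host.lower().rstrip(".").endswith(".local"):
        return "dot-local"
    ip = ipaddress.ip_address(address)
    # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) by the embedded IPv4 address,
    # otherwise ::ffff:192.168.1.1 could be mistaken for a public target.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # Order matters: is_private is also true for loopback and link-local.
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return "global"

def parse_allow_network(header):
    """Parse an Access-Control-Allow-Network value (assumed comma-separated)."""
    if not header:
        return set()
    tokens = {t.strip().lower() for t in header.split(",")}
    return tokens & TOKENS  # unknown tokens are dropped, never treated as a wildcard

def request_allowed(source, target, allow_network=None):
    """Decide whether a page served from `source` may request `target`.

    Assumed default policy: global targets are always reachable (today's web),
    requests within one address space pass, and any other request needs the
    target's response header to list the source's token.
    """
    src, dst = classify(*source), classify(*target)
    if dst == "global" or src == dst:
        return True
    return src in parse_allow_network(allow_network)

if __name__ == "__main__":
    internet_page = ("site.example", "8.8.8.8")  # constructed public source
    router = ("", "192.168.1.1")                 # constructed SoHo router target
    print(request_allowed(internet_page, router))                    # no opt-in
    print(request_allowed(internet_page, router, "private, global")) # opted in
```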