- From: Ian Hickson <ian@hixie.ch>
- Date: Sat, 3 Nov 2007 09:31:03 +0000 (UTC)
On Wed, 25 Jan 2006, Mike Hoye wrote:
>
> Hi, all. I hope this hasn't been proposed before, but if it is my googlage is failing me. My proposal is for the addition of a "validate" attribute to the <a> element that would let the client verify the content of a link as it comes in, and either put up a warning, a choice or just silently drop the incoming data, depending on a user preference.
>
> The validate attribute would describe an algorithm to employ and a result to compare it to; for example, somebody downloading the en-US version of FF 1.5 from the Mozilla.com homepage could click on a link like
>
> <a href="http://foo.com/mozilla-i686.tgz"
> validate="{md5}b63fcdf4863e59c93d2a29df853b6046">
>
> and the client could verify as it comes in that it does at least have the md5sum that's advertised. User notifications could include "no validation", "successfully validated" and "failed validation", and act according to the user's wishes in each case.

It's not entirely clear to me what problem this is solving; but wouldn't content-MD5 (RFC 1864) be a better solution?

On Wed, 25 Jan 2006, James Graham wrote:
>
> It seems to make phishing scams easier (or at least easier to make convincing). If evilsite.com has a hacked version of Firefox accessible via an <a validate="hash_from_hacked_firefox"> then anyone downloading Firefox from evilsite.com will be told that the download "successfully validated" which (misleadingly) suggests it is the real Firefox.
>
> That doesn't leave the attribute totally useless as it would catch the case where a trustworthy website used a mirror network which was compromised. On balance though I don't see the security effect of this as a net positive (but I'm not a security guy so I'm happy to be corrected).

On Thu, 26 Jan 2006, Alexey Feldgendler wrote:
>
> This can only be useful on the pages like "Select a mirror to download the file from". It should be made clear that this is not intended for third-party authors referring to downloadable files, as direct links to such files are not mirror-friendly.
>
> Also, the user agent UI should make it clear when indicating a "valid" download that the downloaded file is "considered valid by mozilla.com", and not just "valid".
>
> I think that another one, probably more useful, attribute for <a> should be "filesize" or something like that. It would both serve for additional validation (for example, there's no need to even start the download after seeing a mismatching Content-Length header) and provide indication about the file size for the user (the UA could even calculate the estimate download time).

On Thu, 26 Jan 2006, Mike Hoye wrote:
>
> It's also useful in places where that choice is made for you behind the scenes, which is more and more frequently the case. When I click on the link on mozilla.com, for example, I start downloading a file from any one of a (presumably large) number of places - for the naive end user, there's not yet an easy way to be reasonably confident that this file you're downloading from ftp.rz.tu-bs.de (sometimes something with the word "mozilla" in the name, sometimes netscape, sometimes just an IP address) is the file you're supposed to be getting.
>
> In fact, now that I look at it, FF 1.5 doesn't even tell you where that file is coming from, or notify you that it's not coming from mozilla.com - it just pulls it in.

I think James, Alexey, and Mike make good points here. I'm not convinced there's a pressing need for such a feature, partially because it's not entirely clear to me what problem it is solving. For downloads, code signing seems like a better solution all-round.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Saturday, 3 November 2007 02:31:03 UTC
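As an added example that is not part of the thread, here is how a client could implement the proposed `{algo}hexdigest` validate attribute together with Alexey's filesize / Content-Length check, hashing the body as it arrives and reporting one of the three states Mike listed. The names `parse_validate`, `make_validate_attr` and `validate_download`, and the sample payloads, are my own; the phishing case James describes is visible in the result: a page that declares the hash of its own tampered file still "successfully validates", because the check proves only that the bytes match what the linking page claimed.

```python
import hashlib
import hmac
import re

# Proposed syntax from the thread: validate="{md5}<hex digest>".
VALIDATE_RE = re.compile(r"^\{(?P<algo>[a-z0-9_-]+)\}(?P<digest>[0-9a-f]+)$", re.I)


def parse_validate(value):
    """Split a validate attribute into (algorithm, lowercase hex digest)."""
    m = VALIDATE_RE.match(value.strip())
    if not m:
        raise ValueError("malformed validate attribute: %r" % value)
    algo = m.group("algo").lower()
    if algo not in hashlib.algorithms_guaranteed:
        raise ValueError("unsupported digest algorithm: %s" % algo)
    return algo, m.group("digest").lower()


def make_validate_attr(data, algo="md5"):
    """What a page author would publish for a known file (assumed helper)."""
    return "{%s}%s" % (algo, hashlib.new(algo, data).hexdigest())


def validate_download(chunks, validate=None, filesize=None, content_length=None):
    """Classify a download as 'no validation', 'successfully validated'
    or 'failed validation', hashing the body incrementally as it comes in."""
    if validate is None:
        return "no validation"
    algo, expected = parse_validate(validate)
    # Alexey's filesize idea: a mismatching Content-Length fails before any body is read.
    if filesize is not None and content_length is not None and content_length != filesize:
        return "failed validation"
    h = hashlib.new(algo)
    received = 0
    for chunk in chunks:
        h.update(chunk)
        received += len(chunk)
        if filesize is not None and received > filesize:
            return "failed validation"   # stop early: more data than declared
    if filesize is not None and received != filesize:
        return "failed validation"       # truncated transfer
    # Constant-time compare. This proves the bytes match what the *linking page*
    # declared, not that the file is the genuine release (James's objection).
    if hmac.compare_digest(h.hexdigest(), expected):
        return "successfully validated"
    return "failed validation"
```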