- From: David Booth <david@dbooth.org>
- Date: Tue, 13 Oct 2009 00:20:36 -0400
- To: Conrad Parker <conrad@annodex.net>
- Cc: uri-review@ietf.org, uri@w3.org
On Tue, 2009-10-13 at 12:35 +0900, Conrad Parker wrote:
> 2009/10/13 David Booth <david@dbooth.org>:
> >
> > I was referring to the adoption rate for clients (such as browsers)
> > recognizing these new SSH URIs and using them for their intended
> > purpose. A browser encountering a URI beginning "ssh:..." will not be
> > able to do anything useful with it until it knows the special semantics
> > assigned to the "ssh:" prefix. But a browser encountering a URI
> > beginning "https://sshuri.org/..." could try to dereference that URI and
> > could be led to software that, once installed, *would* know to open an
> > SSH connection when encountering such a URI. This could dramatically
> > improve the rate at which browsers learn how to handle these SSH URIs.
> > Make sense?
>
> Encouraging end-users to download ssh client software from a random
> web site specified by a third-party web-page author, and then
> (automatically) using that software to connect to the desired ssh
> server ... and hoping that this is somehow secure by using an SSL/TLS
> connection to access that software?

It wouldn't be a random web site, it would be the official web site of SSH URIs! That's no more random than mozilla.com or adobe.com, from which software is routinely downloaded thousands of times a day.

>
> No, this does not make sense. It encourages use of untrusted ssh
> client software (eg. not sourced from your operating system vendor,

That's a policy choice that should not be baked into the technical design. Making the software more difficult to obtain is a minus, not a plus.

> unsigned etc.)

Any such software certainly could and should be signed.

> so the scheme could be easily exploited by a third
> party to serve an ssh client with a backdoor.

That's no different than access to *any* web site. *Any* site can try to serve up a trojan horse. But that doesn't mean that there isn't value in visiting web sites and value in making information and software more readily available with existing mechanisms.

David Booth

> Using https to access
> that info/software does nothing to secure the initiation of the ssh
> connection.
>
> If anything, ssh provides a good use-case for a custom uri scheme.
>
> Conrad.
>
>

--
David Booth, Ph.D.
Cleveland Clinic (contractor)

Opinions expressed herein are those of the author and do not necessarily reflect those of Cleveland Clinic.

Received on Tuesday, 13 October 2009 04:21:05 UTC