- From: Rice, Ed (HP.com) <ed.rice@hp.com>
- Date: Mon, 9 May 2005 11:50:57 -0700
- To: "Graham Klyne" <GK@ninebynine.org>, <www-tag@w3.org>
Interesting note, but not on the same topic. The URI we demonstrated solved the XRI resource issue, not a redirect to a web page. The XRI would be resolved locally on the sending server. So in your example below, the 'Google' reference would have to be known and registered on the eBay servers in order to be valid. Looks to me like eBay has a bug :) but it's not relevant.

-Ed

-----Original Message-----
From: www-tag-request@w3.org [mailto:www-tag-request@w3.org] On Behalf Of Graham Klyne
Sent: Thursday, May 05, 2005 10:59 AM
To: www-tag@w3.org
Subject: Re: XRI 2.0 Review by the W3C TAG - security concern?

At 10:52 29/04/05 +0200, Vincent Quint wrote:
>Summary: The TAG has reviewed the XRI 2.0 documents and requirements
>surrounding the use of XRI. At this time, it is the opinion of the
>TAG that the case has not been made for a new URI scheme, rather that
>the requirements can be addressed very well using the http URI scheme
>and existing implementations of HTTP and DNS.

From various messages I've read, it seems that TAG's response makes some use of HTTP redirects to achieve the desired effects of XRI; e.g. parts 5-6 of:

[4] http://lists.w3.org/Archives/Public/www-tag/2005Apr/0088.html

Quite separately, I today came across a posting on ACM RISKS forum 23.73 that points out a security concern... "The RISK is obvious: allowing untrusted URL redirects in this case will fool many more people". The full message is below.

I don't know if this causes a problem for the proposed approach, but it seems to be an issue worth considering.

[[
Date: Tue, 15 Feb 2005 09:08:18 -0600 (CST)
From: Pete Krawczyk <risks@bsod.net>
Subject: eBay redirects to phishers from their own site

eBay fraudsters have a new trick up their sleeve: using eBay's servers to link to a fraudulent web site.

In the past, it was easy to pass a URL through a decoder and find that the actual server hosted behind a URL was not owned by eBay, since phishers would use @, %40, or other domain misdirection tactics. However, I recently received an eBay fraud mail that contained the following URL, which has been edited to point to Google:

http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http://www.google.com/

As you can see, that URL will access cgi4.ebay.com, and eBay will gladly hand the browser over to Google for further action. That URL can be trivially changed to any web site.

The RISK is obvious: allowing untrusted URL redirects in this case will fool many more people who may now believe that eBay is truly asking for account details, and may lead to further identity theft.

I contacted eBay, and got nothing but canned responses. I did try the live chat, and after the rep confirmed that I had not given out my account information, he said they would investigate. That was on Saturday.
]]
-- http://catless.ncl.ac.uk/Risks/23.73.html#subj7

#g
--

>OASIS Team,
>
>The TAG has reviewed the XRI 2.0 documents [1] and while we do
>understand the case for an abstraction layer, we also believe that
>this can be provided with the http scheme and existing HTTP and DNS
>protocols.
>
>The recommendations that we have documented in Architecture of the World
>Wide Web, Volume One state that "A specification SHOULD reuse an
>existing URI scheme (rather than create a new one) when it provides
>the desired properties of identifiers and their relation to
>resources." [2] In this case, a properly managed and supported use of
>the existing http scheme, based on the excellent analysis in your
>documents, does have the desired properties and can provide the same
>functionality without the loss of interoperability which would
>accompany a new scheme.
>
>An abstraction layer which uses current technologies could be deployed
>much more quickly, as creating a new URI scheme would require the
>whole web to implement these technologies before they would achieve
>widespread adoption.
>
>Some background to the above response, as well as an indication of
>what would be involved in taking most of the work done on XRIs forward
>without a new URI scheme, can be found in several recent messages to
>the www-tag mailing list [3] [4].
>
>Respectfully,
>W3C TAG
>
>[1] http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xri
>[2] http://www.w3.org/TR/2004/REC-webarch-20041215/#URI-scheme
>[3] http://lists.w3.org/Archives/Public/www-tag/2005Apr/0076.html
>[4] http://lists.w3.org/Archives/Public/www-tag/2005Apr/0088.html
>
>--------------------------------------
>Vincent Quint                      INRIA Rhône-Alpes
>INRIA                              ZIRST
>e-mail: Vincent.Quint@inria.fr     655 avenue de l'Europe
>Tel.: +33 4 76 61 53 62            Montbonnot
>Fax: +33 4 76 61 52 07             38334 Saint Ismier Cedex
>                                   France

------------
Graham Klyne
For email:
http://www.ninebynine.org/#Contact
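The open redirect in the RISKS post is a `DomainUrl` parameter that the server forwards to without checking; the allowlist behaviour Ed's reply describes (targets must be "known and registered" on the server) can be expressed as the server-side check below. This is an added example, not code from the thread or from eBay: the parameter names come from the quoted URL, while the allowlist hosts and the helper names are constructed for illustration.

```python
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed allowlist standing in for the targets "known and registered"
# on the redirecting server; any host not listed here is refused.
REGISTERED_HOSTS = {"www.ebay.com", "pages.ebay.com", "partner.example.net"}


def redirect_target(url: str) -> Optional[str]:
    """Extract the DomainUrl value from a RedirectToDomain-style URL, if present."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if query.get("MfcISAPICommand") != ["RedirectToDomain"]:
        return None
    values = query.get("DomainUrl")
    return values[0] if values else None


def is_registered_target(target: str, allowed=REGISTERED_HOSTS) -> bool:
    """True only for an absolute http(s) URL whose host is on the allowlist.

    The value is decoded once more so a double-encoded %40 is seen as '@',
    and any userinfo ('user@host' misdirection, as in the RISKS post) is
    rejected outright instead of trusting whatever precedes the '@'.
    """
    parts = urlsplit(unquote(target))
    if parts.scheme not in ("http", "https"):
        return False          # scheme-relative or non-web URLs are refused
    if "@" in parts.netloc:
        return False          # userinfo present: classic misdirection trick
    host = parts.hostname     # already lower-cased, port stripped
    return bool(host) and host in allowed


def resolve_redirect(url: str) -> Optional[str]:
    """Server-side decision: the URL to redirect to, or None to refuse."""
    target = redirect_target(url)
    if target is None or not is_registered_target(target):
        return None
    return target


if __name__ == "__main__":
    # The URL quoted in the RISKS post (already edited there to point to Google).
    risky = ("http://cgi4.ebay.com/ws/eBayISAPI.dll"
             "?MfcISAPICommand=RedirectToDomain&DomainUrl=http://www.google.com/")
    print(resolve_redirect(risky))   # None: www.google.com is not registered
```

With the allowlist in place, the quoted URL is refused, while a redirect to a registered host such as pages.ebay.com still works.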
Received on Monday, 9 May 2005 18:51:11 UTC