Re: [metadataInURI-31] New editors draft for Metadata In URIs Finding

Dan Connolly wrote:

> Regarding...
> 
> | HTML forms [HTMLForms] and now XForms [XFORMS] each provide a means by
> | which an authority can assert its support for a class of parameterized
> | URIs, while simultaneously programming Web clients to prompt for the 
> | necessary parameters.
> 
> You might note that the action= attribute allows a form to point
> anywhere in the web, so in fact, HTML forms allow anyone,
> not just an authority, to make claims about the URI structure
> of http://example.org/cityweather .

Yes, interesting. 

> That introduces a 3rd party into the discussion. That might
> be more trouble than it's worth. Hmm.

Well, the subtlety seems to me that the claims are authoritative (in the 
sense the finding discusses) only if the authority sourcing the form and 
the authority for the ACTION URI are the same.  It's cool that I can serve 
up lots of Web forms with ACTIONs pointing to danconnolly.com, but I 
expect you shouldn't be held responsible for either the implied structure 
of your URIs, or for anything I might say about them in the natural 
language text of the form.  I'm thinking it might be worth a sentence in 
the finding to give that warning, i.e. that 3rd party claims in forms have 
the same standing or lack thereof as 3rd party claims in books, ordinary 
web pages, or on the sides of busses: trust claims that (appear to be) 
made by someone other than the resource authority only at your own risk. 

> I think the "Hiding metadata for security reasons" story
> is a little thin. It's in the right direction, but there
> are more credible threats than a "malicious worker at
> an Internet Service Provider" these days.
> 
> Does anybody have a cross-site scripting horror story
> or something that's not too hard to follow?

Suggestions are most welcome. 

FWIW: I am fairly sure I know of a security consultant who discovered 
exactly the problem in the finding in the early days of the Web.  He 
basically went to the bank or credit card company (not sure which):  "Your 
site's not secure"; "Yes it is"; "Well I have account information for a 
few of your customers and can show you how to get more"; "Ooops - how'd 
you do it?".

The person who discovered the problem found that the URI for his account 
record was along the lines of:

        http://notsogoodbank.com/accountdata/customer="144"

It seems that 

        http://notsogoodbank.com/accountdata/customer="143" 
  &     http://notsogoodbank.com/accountdata/customer="142"

produced useful information about other accounts.  I'm remembering that 
from many years ago and have no documentation, but I believe the essence 
of the story is right.  So this stuff happens, or used to happen anyway. 
If anyone has more compelling ideas for the security story, that would be 
great.  Frankly, I was afraid the finding was getting too long, but if you 
still had patience for more, maybe others would feel the same.  I'm 
certainly willing to add more if we can figure out what we want there.

Noah

--------------------------------------
Noah Mendelsohn 
IBM Corporation
One Rogers Street
Cambridge, MA 02142
1-617-693-4036
--------------------------------------

Received on Tuesday, 16 May 2006 01:27:47 UTC
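
The account-number story in the message above, as an added example that is not part of the original e-mail or of the finding: a handler that lets the customer number in the URI alone select the record, next to one that also checks which customer the session belongs to. The account data, session token and function names are constructed for illustration; only the URI shape comes from the message.

```python
import re

# Constructed sample data: customer number -> account record.
ACCOUNTS = {
    "142": {"owner": "carol", "balance": 310},
    "143": {"owner": "bob", "balance": 75},
    "144": {"owner": "alice", "balance": 1200},
}
# Constructed session table: session token -> authenticated customer number.
SESSIONS = {"tok-alice": "144"}

# URI shape taken from the message: /accountdata/customer="144"
PATH_RE = re.compile(r'^/accountdata/customer="(\d+)"$')


def customer_from_path(path):
    """Extract the customer number embedded in the URI path, or None."""
    m = PATH_RE.match(path)
    return m.group(1) if m else None


def handle_trusting_uri(path, session_token):
    """Flawed: the URI alone selects the record; the session is ignored."""
    customer = customer_from_path(path)
    if customer is None or customer not in ACCOUNTS:
        return 404, None
    return 200, ACCOUNTS[customer]


def handle_checking_owner(path, session_token):
    """Hardened: the record is served only to the session that owns it."""
    customer = customer_from_path(path)
    authenticated = SESSIONS.get(session_token)
    if authenticated is None:
        return 401, None
    # Same response for "not yours" and "does not exist", so the status
    # code does not confirm which customer numbers are in use.
    if customer is None or customer != authenticated or customer not in ACCOUNTS:
        return 404, None
    return 200, ACCOUNTS[customer]


def reachable_records(handler, session_token, numbers=("142", "143", "144", "145")):
    """Return the customer numbers for which the handler serves a record."""
    return [n for n in numbers
            if handler(f'/accountdata/customer="{n}"', session_token)[0] == 200]
```

With the first handler, hiding or obscuring the number in the URI would be the only protection; with the second, the number can stay visible because the server decides access from the session.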