
Re: ACTION-278 Hiding metadata for security reasons

From: John Kemp <john@jkemp.net>
Date: Mon, 8 Feb 2010 10:41:13 -0500
Cc: ashok.malhotra@oracle.com, Larry Masinter <masinter@adobe.com>, Jonathan Rees <jar@creativecommons.org>, Tyler Close <tyler.close@gmail.com>, "www-tag@w3.org" <www-tag@w3.org>, "Mark S. Miller" <erights@google.com>
Message-Id: <CF94727B-5DA4-44DA-949E-D8C8CDE09EB7@jkemp.net>
To: Dan Connolly <connolly@w3.org>

On Feb 8, 2010, at 10:32 AM, Dan Connolly wrote:

> On Sun, 2010-02-07 at 14:50 -0800, ashok malhotra wrote:
>> Hi Larry:
>> This is useful.
>> Non-public URIs provide a weak level of security that is held to be 
>> adequate for some use cases.
>> I wonder if there is disagreement with the above statement.
> I disagree.

And in my previous email, I neglected to mention that I, too, disagree with that statement.

> The unguessable URI pattern can be made about as secure as you like;
> in particular, as secure or more secure than passwords+cookies.

Yes, I believe that to be true too - apart from the case where a URI may end up being transmitted to another site "automatically" by means of the Referer HTTP header.


- johnk
Received on Monday, 8 February 2010 15:41:51 UTC
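
The two points in this message, shown as an added example that is not part of the original email or the thread: an unguessable URI minted from 128 bits of CSPRNG output, and a simplified model of when a browser would pass that URI on in the Referer header. The hostnames, function names and token size are assumptions made for illustration, and the Referrer-Policy values modelled here are a browser mechanism the thread does not mention.

```python
import secrets
from urllib.parse import urlsplit


def mint_capability_url(base, store, resource, nbytes=16):
    """Mint an unguessable URL from nbytes of CSPRNG output (128 bits here)."""
    token = secrets.token_urlsafe(nbytes)
    store[token] = resource
    return f"{base}/doc/{token}"


def resolve(url, store):
    """Holding the URL is the only credential; an unknown token yields None."""
    token = urlsplit(url).path.rsplit("/", 1)[-1]
    return store.get(token)


def referer_sent(page_url, link_url, policy):
    """Referer a browser attaches when a link on page_url is followed.

    Simplified model of three Referrer-Policy values.
    """
    page, link = urlsplit(page_url), urlsplit(link_url)
    if policy == "no-referrer":
        return None
    if policy == "origin":
        return f"{page.scheme}://{page.netloc}/"
    if policy == "no-referrer-when-downgrade":
        if page.scheme == "https" and link.scheme == "http":
            return None
        return page._replace(fragment="").geturl()
    raise ValueError(f"policy not modelled: {policy}")


if __name__ == "__main__":
    store = {}  # constructed in-memory token store
    secret_url = mint_capability_url("https://files.example", store, "report.pdf")
    outbound = "https://other.example/"  # constructed third-party link target
    for policy in ("no-referrer-when-downgrade", "origin", "no-referrer"):
        print(policy, "->", referer_sent(secret_url, outbound, policy))
```

Under "no-referrer-when-downgrade" the full capability URL reaches the linked site, which is the leak described above; "origin" and "no-referrer" keep the token out of the header.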
