RE: ACTION-278 Hiding metadata for security reasons from Larry Masinter on 2010-02-11 (www-tag@w3.org from February 2010)

From: Larry Masinter <masinter@adobe.com>
Date: Thu, 11 Feb 2010 02:24:57 -0800
To: John Kemp <john@jkemp.net>, "ashok.malhotra@oracle.com" <ashok.malhotra@oracle.com>
CC: Tyler Close <tyler.close@gmail.com>, Dan Connolly <connolly@w3.org>, Tim Berners-Lee <timbl@w3.org>, Jonathan Rees <jar@creativecommons.org>, "www-tag@w3.org" <www-tag@w3.org>, "Mark S. Miller" <erights@google.com>
Message-ID: <C68CB012D9182D408CED7B884F441D4D87C3BA@nambxv01a.corp.adobe.com>

Well-known case of disclosing URIs:

You have a web server which serves secret information
using HTTPS. The web server keeps logs. You accidentally
set the log files where they are world readable.

The server logs disclose the secret.

Neither the user agent nor the server itself
explicitly "discloses" the logs, it's a
configuration oversight by the server administrator.

Larry
--
http://larry.masinter.net


-----Original Message-----
From: John Kemp [mailto:john@jkemp.net] 
Sent: Wednesday, February 10, 2010 5:36 PM
To: ashok.malhotra@oracle.com
Cc: Larry Masinter; Tyler Close; Dan Connolly; Tim Berners-Lee; Jonathan Rees; www-tag@w3.org; Mark S. Miller
Subject: Re: ACTION-278 Hiding metadata for security reasons

On Feb 10, 2010, at 7:50 PM, ashok malhotra wrote:

> Larry said ...
> 
> "It *might* be possible to make secret URLs into a "yellow ribbon" security mechanism, if, for example,
> the "unguessable" part of the URL were clearly unguessable.  (Random jumble of letters rather than,
> say, random quotes from literature, which might not
> look random.)"
> 
> I agree with this.  DanC says that secret URLs can be made as
> secure as password protection or more.

I believe that a secret URI _is_ a password, and if *secret* URIs are created and shared in the same way that passwords are created, shared and stored (see my previous email on this subject), has the same properties as a password - with one addition - the ability to obtain a representation of the thing which was password-protected.

>  I don't understand how.

A secret URI is a password. Some ways to improve passwords are:

i) Make them unguessable (not prone to a dictionary attack, for example)
ii) Give them one-time use semantics
iii) Time-limit them (expire them after some period of time)

There are others.

Regards,

- johnk

> Perhaps DanC could elaborate.
> 
> Ashok
> 
> All the best, Ashok
> 
> 
> Larry Masinter wrote:
>>>  A user-agent
>>> MUST NOT disclose representations or URIs, unless either explicitly
>>> instructed to do so by the user or as legitimately directed to by
>>> presented content. Since the user may wish to keep this information
>>> confidential, the user-agent must not assume it can be revealed to
>>> third-parties.
>>>    
>> 
>> While I'm sympathetic to the intent, this leaves undefined
>> the scope of "user agent" here, referent of "the user", and the meanings of "disclose", "legitimately", "confidential",
>> "assume" and "third-parties".  Does "user agent" apply to,
>> say, archive.org (which might pick up a mailing list archive
>> of an email and scan what is supposed to be a 'private'
>> URL)? Does it apply to, say, news.google.com, which seems
>> to aggregate news from newspapers that have a "news reader"
>> registration and login requirements?
>> 
>> I don't think this is an effective path to pursue. There are
>> agents that use URIs, including browsers, crawlers, scanners, aggregators, portals, bookmark sharing tools, translation
>> gateways, Internet Archive services. These agents, for better
>> or worse, have widely varying properties where information
>> retrieved by them is distributed further, including using
>> Referer, publishing access logs, peer sharing of cached retrieved results, etc.  Many of those deployed web agents
>> make the presumption that any material they access without
>> going through any particular access control mechanism may
>> be shared further without particular restriction, although
>> in practice the distribution that happens is not widespread,
>> there are no guarantees.
>> 
>> While "secret URLs" provide the appearance of adding some
>> amount of confidentiality to the results, in fact, there
>> are many circumstances where such URLs are disclosed,
>> by agents that are not browsers and whose update to follow
>> recommendations in _this_ document is unlikely.
>> 
>> A false sense of security is worse than no security,
>> in many circumstances. 
>> If users wish to make material available to "anyone who
>> has the URL", that's fine, but don't make any promises
>> that this is a "security" mechanism, because it's not.
>> 
>> There is a kind of "security" I've heard called "yellow
>> ribbon security", which functions like the "yellow ribbon"
>> banner sometimes put up:
>> 
>> "POLICE LINE DO NOT CROSS".
>> 
>> Now, the yellow ribbon doesn't actually prevent anyone
>> from crossing it, it just puts the crosser on notice
>> that they are actually crossing a line someone (perhaps
>> even the police) do not want them to cross.
>> 
>> It *might* be possible to make secret URLs into a "yellow ribbon" security mechanism, if, for example,
>> the "unguessable" part of the URL were clearly unguessable.  (Random jumble of letters rather than,
>> say, random quotes from literature, which might not
>> look random.)
>> 
>> Larry
>> --
>> http://larry.masinter.net
>> 
>> 
>> 
>>  
>

Received on Thursday, 11 February 2010 10:25:46 UTC