- From: Breno de Medeiros <breno@google.com>
- Date: Mon, 23 Feb 2009 10:13:06 -0800
- To: Adam Barth <w3c@adambarth.com>
- Cc: Ben Laurie <benl@google.com>, Mark Nottingham <mnot@mnot.net>, Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>
- Message-ID: <29fb00360902231013v34284376gb0c597fd9e89cd8d@mail.gmail.com>
On Mon, Feb 23, 2009 at 9:57 AM, Adam Barth <w3c@adambarth.com> wrote:
> On Mon, Feb 23, 2009 at 9:44 AM, Breno de Medeiros <breno@google.com> wrote:
> > On Mon, Feb 23, 2009 at 9:32 AM, Adam Barth <w3c@adambarth.com> wrote:
> >> Security is often a "death of a thousand paper cuts" that eventually add up to
> >> you being owned.
> >
> > I don't understand this reasoning.
> >
> > 1. The host-meta spec allows delegation to other domains/hosts
> >
> > 2. Secure app does not allow redirection to other domains/hosts
> >
> > 3. Secure app does not use host-meta and instead secure-meta, as opposed to,
> > say, using host-meta and not following redirects to other sites?
>
> What's the point of standardizing host-meta if every application will
> require different processing rules to suit its own needs?
> Applications will interoperate better by simply ignoring host-meta and
> inventing their own metadata repository.

Every application _will_ need to use different processing rules, because, well, they are interested in different things.

> > For secure app to be secure re: no-redirect-rule it must in any way perform
> > the check that the redirection is to another realm, surely?
>
> To be secure, a user agent should not follow redirects to obtain
> host-meta, regardless of where those redirects lead.

What is the attack model here? I assume it is the following: the attacker compromises the server to serve a redirect when there should be a file served (or a 404). Well, the attacker can't upload a host-meta with what it wants in it? Why?

> > There is enormous value in allowing redirects for host-meta. Applications
> > with higher levels of security should implement their own security policies.
>
> If you follow your current trajectory and continue to compromise away
> security, applications that require security will implement their own
> version of host-meta that is designed to be secure from the ground up
> instead of trying to track down and patch all the gotchas in
> host-meta. Sadly, this will defeat the goal of having a central
> metadata repository.

Perhaps that argument would be more convincing when you provide an example of an attack made possible by the introduction of a redirect that would not be possible by, say, adding a line to the host-meta file.

> Adam

-- 
--Breno

+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
Received on Monday, 23 February 2009 18:13:46 UTC
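The two redirect policies the thread argues over (never follow a redirect to obtain host-meta, versus allowing redirects but refusing any that leave the host) as an added illustration that is not part of this thread or of any host-meta implementation: a fetcher with an explicit policy, run against a constructed in-memory table of responses instead of the network. The hostnames, the `fetch_host_meta` function and its return shape are assumptions of this example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Constructed stand-in for the network (URL -> Response); every hostname is made up.
FAKE_NET = {
    # delegation to another host via redirect, the case the thread disputes
    "https://example.com/.well-known/host-meta":
        Response(302, {"Location": "https://cdn.example.net/meta.xml"}),
    "https://cdn.example.net/meta.xml": Response(200, body="<XRD>cdn</XRD>"),
    # plain file served directly, no redirect involved
    "https://trusted.example/.well-known/host-meta": Response(200, body="<XRD>trusted</XRD>"),
    # redirect that stays on the same host
    "https://self.example/.well-known/host-meta":
        Response(301, {"Location": "https://self.example/hm/host-meta.xml"}),
    "https://self.example/hm/host-meta.xml": Response(200, body="<XRD>self</XRD>"),
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def fake_get(url):
    """Look a URL up in the constructed table; anything unknown is a 404."""
    return FAKE_NET.get(url, Response(404))


def fetch_host_meta(host, policy="none", get=fake_get, max_hops=5):
    """Fetch /.well-known/host-meta for `host` under an explicit redirect policy.

    policy "none":      never follow a redirect (the strict position in the thread)
    policy "same-host": follow only https redirects whose target stays on `host`
    Returns ("ok", body), ("rejected", reason) or ("missing", url).
    """
    url = f"https://{host}/.well-known/host-meta"
    for _ in range(max_hops):
        resp = get(url)
        if resp.status in REDIRECT_STATUSES:
            target = resp.headers.get("Location", "")
            if policy == "none":
                return "rejected", f"{url} redirected; policy forbids redirects"
            parsed = urlparse(target)
            if parsed.scheme != "https" or parsed.hostname != host:
                return "rejected", f"{url} -> {target} leaves {host}"
            url = target  # same-host hop: the metadata is still served by `host`
            continue
        if resp.status == 200:
            return "ok", resp.body
        return "missing", url
    return "rejected", f"more than {max_hops} redirects starting from {host}"
```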