- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 23 Feb 2009 11:46:25 -0800
- To: Eran Hammer-Lahav <eran@hueniverse.com>
- Cc: Breno de Medeiros <breno@google.com>, Ben Laurie <benl@google.com>, Mark Nottingham <mnot@mnot.net>, "www-talk@w3.org" <www-talk@w3.org>
On Mon, Feb 23, 2009 at 10:26 AM, Eran Hammer-Lahav <eran@hueniverse.com> wrote: > It is pretty irresponsible to talk about 'security' as if there is a well established standard > applicable for the web as a whole. These security issues are real in the sense that there are actual servers in the world which will or will not be hackable based on the decisions we make. > HTTP, as in RFC 2616, isn't secure at all. Even 2617 doesn't make things significantly > better. Your entire approach is based on a very narrow viewpoint, biased by worries about > known exploits specific to browsers. I disagree. I can use redirects to own tinyurl.com's host-meta store regardless of the existence of any Web browsers. > None of my use cases for host-meta even remotely care about browsers. Are you > suggesting we revise HTTP to make it secure? I'm suggesting that the world is full of legacy servers. If we fail to consider how these legacy servers interact with new proposals, we will introduce new vulnerabilities into those servers. > /host-meta offers a simple mechanism to register metadata links. If you have specific > application security needs, you need to address them at the appropriate level, that is, > the application. If more than one application has the same needs, they can come > together and propose a security extension of the /host-meta spec. Not supporting redirects > is one such idea (though I find it utterly useless for security). I think its more likely that folks that require security will ignore host-meta an invent their own metadata store. > But just for fun, how is a redirect any less secure than changing the content of the > /host-meta document at its original URI? I don't have the ability to change the host-meta document at tinyurl.com. I do have the ability to add a redirect from /host-meta to a URL I control. Prior to host-meta, this is not a vulnerability in tinyurl. > Either you know the host-meta file you found is what the host-owner intended or you > don't. HTTP (which is really the only tool we are using here) doesn't offer you any such > assurances. Reality is not as binary as you imply. There are a spectrum of threat models corresponding to different attacker abilities. Following redirects lets weaker attackers compromise host-meta, adding yet another paper cut to the insecurity of host-meta. Adam
Received on Monday, 23 February 2009 19:47:00 UTC