- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 23 Feb 2009 12:16:45 -0800
- To: Breno de Medeiros <breno@google.com>
- Cc: Ben Laurie <benl@google.com>, Mark Nottingham <mnot@mnot.net>, Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>
On Mon, Feb 23, 2009 at 11:47 AM, Breno de Medeiros <breno@google.com> wrote: > Or they may have to do it because host-meta does not allow redirects and > they need it. I wonder what is more likely. One solution is to add content to a host-meta file that says where to find the host-meta file: My-Host-Meta-Is-Located-At: http://www.example.com/my-favorite-host-meta This has the advantage of not introducing vulnerabilities into existing servers. > Because tinyurl.com allows you to do this. Yes. Precisely. Following redirects introduces a vulnerability into tinyurl.com. That is why I recommend not following redirects. I don't know how to make a more compelling case for security than supplying a working proof-of-concept exploit that required all of five seconds to create on one of the world's most popular sites. > I am more imaginative: I could do DNS spoofing, DNS spoofing requires a lot more work (i.e., a more powerful attacker) than abusing redirects. > or I could choose another > site to hack that is actually more interesting that tinyurl. So we shouldn't care about introducing vulnerabilities into tinyurl because we don't think they are important enough? Adam
Received on Monday, 23 February 2009 20:17:24 UTC