Re: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01) from Adam Barth on 2009-02-23 (www-talk@w3.org from January to February 2009)

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 23 Feb 2009 14:23:55 -0800
To: Mark Nottingham <mnot@mnot.net>
Cc: Breno de Medeiros <breno@google.com>, Ben Laurie <benl@google.com>, Eran Hammer-Lahav <eran@hueniverse.com>, "www-talk@w3.org" <www-talk@w3.org>
Message-ID: <7789133a0902231423y69fedcfbnfde429d3ce31761f@mail.gmail.com>

On Mon, Feb 23, 2009 at 2:07 PM, Mark Nottingham <mnot@mnot.net> wrote:
> To me, what's interesting here is that the problems you're illustrating have
> never been an issue AFAIK with robots.txt,

I recently reviewed a security paper that measured whether consumers
of robots.txt follow redirects.  I'm not sure if their results are
public yet, but some consumers followed redirects but others don't,
causing interoperability problems.

> and they didn't even come up as a
> concern during the discussions of P3P. I wasn't there for sitemaps, but
> AFAICT they've been deployed without the risk of unauthorised control of
> URIs being mentioned.

That just means they aren't interesting enough targets for attackers.
For high-stakes metadata repositories, like crossdomain.xml, you find
that people don't follow redirects.  If I recall correctly,
crossdomain.xml started off allowing redirects but had to break
backwards compatibility to stop sites from getting hacked.

> I think the reason for this is that once the mechanism gets deployment, site
> operators are aware of the import of allowing control of this URL, and take
> steps to assure that it isn't allowed if it's going to cause a problem.

This is a terrible approach to security.  We shouldn't make it even
harder to deploy a secure Web server by introducing more landmines
that you have to avoid stepping on.

> They haven't done that yet in this case (and thus you were able to get
> /host-meta) because this isn't deployed -- or even useful -- yet.

TinyURL doesn't appear to let me create a redirect with a "." in the
name, stopping me from creating a fake robots.txt or crossdomain.xml
metadata store.  Similar to how MySpace and Twitter didn't let me make
a profile with a "-" in the name, I wouldn't hang my hat on this for
security.

> I would agree that this is not a perfectly secure solution, but I do think
> it's good enough.

The net result is that most people aren't going to use host-meta for
security-sensitive metadata.  The interoperability cost will be too
high.

Why not introduce a proper delegation mechanism instead of re-using
HTTP redirects?  That would let you address the delegation use case
without the security issue.

> Of course, a mention in security considerations is worthwhile.

Indeed.

Adam

Received on Monday, 23 February 2009 22:24:36 UTC