On Mon, Dec 14, 2009 at 11:32:40AM -0800, John Panzer wrote:
> On Mon, Dec 14, 2009 at 11:21 AM, Peter Watkins <[email protected]> wrote:
> > I
> > don't want the data-hungry folks at Facebook noticing that I'm logged
> > in to the Greenpeace or National Rifle Association unless I explicitly
> > approve letting Facebook know that.

> (Note that
> even today, you may be able to use visited-link color hacks to determine
> what OPs a user has recently frequented; statistically speaking you can
> already get the information you're worried about.)

I call that the "Grandfather Clause" Fallacy, and I see it pretty often. Your argument is that because there's already an exposure (due to unintentional consequence of DOM/Javascript interaction), it's OK to build new systems & specs that are known to have the flaw from day one. You're arguing that the privacy flaw exhibited in the link status checking should be "grandfathered" in. Why not raise the bar, and make the web a *better* place instead of settling for today's lowest common denominator?

> > 2) Security. A malicious site could more intelligently target victims
> > if it could ascertain what sites the victim is logged into. There's no
> > need to attempt some online Gmail exploit if the malicious RP can tell
> > that the victim isn't logged in to Google.

> Again, per above, I think this information is probably already available to
> evil.org, at least statistically speaking.

That visited-links privacy hack would tell you if I visited certain prominent pages like http://google.com, but that's quite different from telling the RP "Hey, Peter's logged in to Google right now, so this is a perfect time to exploit him." I'm not a gmail user, but I expect that most gmail URLs are pretty dynamic/ugly/unique, and it would be quite expensive and unreliable to use visited link hackery to determine if an individual had gotten past the gmail login page, to say nothing about whether the user is logged in *right now*.

BTW, for those of you who aren't familiar w/ the attack, here's an amusing demo site:

http://www.schillmania.com/random/humour/web20awareness/

And here's a Firefox bug ticket with a patch to disable special handling of "visited" links, which is supposed to fix the problem.

https://bugzilla.mozilla.org/show_bug.cgi?id=147777

-Peter
