On Mon, Feb 23, 2009 at 11:47 AM, Breno de Medeiros <br...@google.com> wrote:
> Or they may have to do it because host-meta does not allow redirects and
> they need it. I wonder what is more likely.

One solution is to add content to a host-meta file that says where to find the host-meta file:

My-Host-Meta-Is-Located-At: http://www.example.com/my-favorite-host-meta

This has the advantage of not introducing vulnerabilities into existing servers.

> Because tinyurl.com allows you to do this.

Yes. Precisely. Following redirects introduces a vulnerability into tinyurl.com. That is why I recommend not following redirects. I don't know how to make a more compelling case for security than supplying a working proof-of-concept exploit that required all of five seconds to create on one of the world's most popular sites.

> I am more imaginative: I could do DNS spoofing,

DNS spoofing requires a lot more work (i.e., a more powerful attacker) than abusing redirects.

> or I could choose another
> site to hack that is actually more interesting than tinyurl.

So we shouldn't care about introducing vulnerabilities into tinyurl because we don't think they are important enough?

Adam
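The fetch policy argued for in the message above, written out as an added example; this is not code from the thread or from any host-meta implementation. It assumes a host-meta path of `/host-meta` (the thread names no path), uses the `My-Host-Meta-Is-Located-At:` line exactly as proposed in the message, replaces the network with a table of constructed responses, and adds one rule of its own that the thread does not state: a pointer is honoured only if it stays on the same host. A 3xx answer is treated as an error and never followed, so a site whose paths can be turned into redirects by third parties (the tinyurl case) cannot be made to supply a host-meta document it did not author.

```python
"""Host-meta fetch policy: refuse HTTP redirects, honour an in-file pointer.

Added example, not code from the thread. Assumptions, labelled here:
- host-meta is fetched from http://<host>/host-meta (path assumed).
- the pointer line is "My-Host-Meta-Is-Located-At:" as proposed in the thread.
- a pointer must stay on the same host (a defensive choice made here, not a
  rule stated in the thread).
- HTTP is replaced by an in-memory table of constructed responses.
"""
from urllib.parse import urlsplit

# Constructed responses (not real hosts): URL -> (status, headers, body).
FAKE_WEB = {
    # A host that serves its host-meta directly.
    "http://direct.example.com/host-meta": (
        200, {}, 'Link: <http://direct.example.com/lrdd>; rel="lrdd"\n'),
    # A host that relocates its host-meta within itself via the pointer line.
    "http://www.example.com/host-meta": (
        200, {}, "My-Host-Meta-Is-Located-At: http://www.example.com/my-favorite-host-meta\n"),
    "http://www.example.com/my-favorite-host-meta": (
        200, {}, 'Link: <http://www.example.com/lrdd>; rel="lrdd"\n'),
    # A redirector: /host-meta answers with a 302 to a third party's document.
    "http://redirector.example.net/host-meta": (
        302, {"Location": "http://elsewhere.example.org/meta"}, ""),
    "http://elsewhere.example.org/meta": (
        200, {}, 'Link: <http://elsewhere.example.org/lrdd>; rel="lrdd"\n'),
    # A pointer that leaves the host; rejected under the same-host rule assumed here.
    "http://offsite.example.com/host-meta": (
        200, {}, "My-Host-Meta-Is-Located-At: http://elsewhere.example.org/meta\n"),
}


class HostMetaError(Exception):
    """Raised when host-meta cannot be obtained under the policy."""


def http_get(url, web=FAKE_WEB):
    """One request with no redirect handling: returns (status, headers, body)."""
    return web.get(url, (404, {}, ""))


def parse_pointer(body):
    """Return the URL from a My-Host-Meta-Is-Located-At line, or None."""
    for line in body.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "my-host-meta-is-located-at":
            return value.strip()
    return None


def fetch_host_meta(host, web=FAKE_WEB):
    """Fetch host-meta for `host`, returning (url_used, body).

    A 3xx status is an error and is never followed, so nobody who can register
    a redirect on the host can make the host 'speak' a host-meta of their choosing.
    """
    url = f"http://{host}/host-meta"
    status, _headers, body = http_get(url, web)
    if 300 <= status < 400:
        raise HostMetaError(f"{url} answered {status}; redirects are not followed for host-meta")
    if status != 200:
        raise HostMetaError(f"{url} answered {status}")
    pointer = parse_pointer(body)
    if pointer is None:
        return url, body
    parts = urlsplit(pointer)
    # Same-host rule (assumed in this example): the pointer may move the file,
    # but not hand authority for the host to another host.
    if parts.scheme not in ("http", "https") or parts.hostname != host.lower():
        raise HostMetaError(f"pointer {pointer} leaves host {host}; ignored")
    status, _headers, body = http_get(pointer, web)
    if status != 200:
        raise HostMetaError(f"pointer target {pointer} answered {status}")
    return pointer, body


def host_meta_or_none(host, web=FAKE_WEB):
    """The host-meta body on success, None when the policy rejects the fetch."""
    try:
        return fetch_host_meta(host, web)[1]
    except HostMetaError:
        return None


if __name__ == "__main__":
    for h in ("direct.example.com", "www.example.com",
              "redirector.example.net", "offsite.example.com"):
        try:
            used, doc = fetch_host_meta(h)
            print(f"{h}: OK via {used}: {doc.strip()}")
        except HostMetaError as err:
            print(f"{h}: REJECTED: {err}")
```

Run stand-alone, the script accepts the two cooperating hosts (one directly, one through its own pointer) and rejects the redirector and the off-host pointer; swapping `FAKE_WEB` for a real single-request HTTP client that does not auto-follow redirects keeps the same policy.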