Adam,

To me, what's interesting here is that the problems you're illustrating have never been an issue AFAIK with robots.txt, and they didn't even come up as a concern during the discussions of P3P. I wasn't there for sitemaps, but AFAICT they've been deployed without the risk of unauthorised control of URIs being mentioned.

I think the reason for this is that once the mechanism gets deployment, site operators are aware of the import of allowing control of this URL, and take steps to assure that it isn't allowed if it's going to cause a problem. They haven't done that yet in this case (and thus you were able to get /host-meta) because this isn't deployed -- or even useful -- yet.

I would agree that this is not a perfectly secure solution, but I do think it's good enough.

Of course, a mention in security considerations is worthwhile.

Cheers,



On 24/02/2009, at 8:21 AM, Adam Barth wrote:

> On Mon, Feb 23, 2009 at 1:04 PM, Breno de Medeiros <br...@google.com> wrote:
>> No, it does not. It does introduce vulnerabilities to clients that visit tinyurl.com with the expectation that they will interpret some metadata at
>> tinyurl.com to achieve specific aims.
>
> You're right: someone has to use host-meta for something for this
> attack to work.
>
>> Simply substituting tinyurl.com's
>> host-meta affects no one until tinyurl.com starts exposing some type of service or application that client apps might want to configure/discover
>> using host-meta.
>
> By owning their host-meta, I can opt them into whatever services use
> host-meta for discovery.
>
> Are you really saying that you don't care that I own their host-meta file?
>
>> As for your example of default charsets, where you are using a browser to define a generic interpretation of how to use host-meta to discover default
>> charsets, it sounds like such an API would need to be designed as:
>>
>> getHostMetaValue(URL resource_url, String host_meta_key, boolean
>> isAllowedToFollowRedirects)
>>
>> which hardly sounds to me like a burden.
>
> Don't forget mime types!
>
> String getHostMetaValue(URL resource_url, String host_meta_key,
> Boolean is_allowed_to_follow_redirects, Boolean
> require_strict_mime_type_processing)
>
> What about paper cut #37?
>
> String getHostMetaValue(URL resource_url, String host_meta_key,
> Boolean is_allowed_to_follow_redirects, Boolean
> require_strict_mime_type_processing, Boolean opt_out_of_paper_cut_37)
>
> That's the path to madness.
>
> Adam

--
Mark Nottingham     http://www.mnot.net/
