On Mon, Feb 23, 2009 at 10:26 AM, Eran Hammer-Lahav <e...@hueniverse.com> wrote: > It is pretty irresponsible to talk about 'security' as if there is a well > established standard > applicable for the web as a whole.
These security issues are real in the sense that there are actual servers in the world which will or will not be hackable based on the decisions we make. > HTTP, as in RFC 2616, isn't secure at all. Even 2617 doesn't make things > significantly > better. Your entire approach is based on a very narrow viewpoint, biased by > worries about > known exploits specific to browsers. I disagree. I can use redirects to own tinyurl.com's host-meta store regardless of the existence of any Web browsers. > None of my use cases for host-meta even remotely care about browsers. Are you > suggesting we revise HTTP to make it secure? I'm suggesting that the world is full of legacy servers. If we fail to consider how these legacy servers interact with new proposals, we will introduce new vulnerabilities into those servers. > /host-meta offers a simple mechanism to register metadata links. If you have > specific > application security needs, you need to address them at the appropriate > level, that is, > the application. If more than one application has the same needs, they can > come > together and propose a security extension of the /host-meta spec. Not > supporting redirects > is one such idea (though I find it utterly useless for security). I think its more likely that folks that require security will ignore host-meta an invent their own metadata store. > But just for fun, how is a redirect any less secure than changing the content > of the > /host-meta document at its original URI? I don't have the ability to change the host-meta document at tinyurl.com. I do have the ability to add a redirect from /host-meta to a URL I control. Prior to host-meta, this is not a vulnerability in tinyurl. > Either you know the host-meta file you found is what the host-owner intended > or you > don't. HTTP (which is really the only tool we are using here) doesn't offer > you any such > assurances. Reality is not as binary as you imply. There are a spectrum of threat models corresponding to different attacker abilities. Following redirects lets weaker attackers compromise host-meta, adding yet another paper cut to the insecurity of host-meta. Adam
