Jonathan's private notes concerning ACTION-278 http://www.w3.org/2001/tag/group/track/actions/278 Excerpts from email, minutes, and other sources, chosen somewhat arbitrarily, and collected into one place. ---------------------------------------------------------------------- The original discussion: http://www.w3.org/2001/tag/2009/06/23-minutes.html#item05 NM: so, advice in 2.7 of Metadata in URIs is still good advice? JAR/DC: no, Tyler et al say this is bad advice! LMM: advice is good for some situations, bad for others TBL: appropriate to say that there are two patterns of use - 1) ACL is done orthogonally to URI metadata (metadata MAY be public) ... and another, where URI must be completely secret HT: you are fooling yourself if you think URIs won't get out into the wild ([scribe] missed TBL third case) - secret information in URI, as noted in 2.7 of metadata in URI spec. TBL: (describes tripIt 'send to' case) NM: there is a story about if I use HTTP, then URIs will appear in several places ... and with HTTPS, fewer places TBL: re-open the metadata in URLs finding, explain capability use-case ---------------------------------------------------------------------- The finding text in question: http://www.w3.org/2001/tag/doc/metaDataInURI-31#hideforsecurity 2.7 Hiding metadata for security reasons A bank establishes a URI assignment policy in which account numbers are encoded directly in the URI. For example, the URI http://example.org/customeraccounts/456123 accesses information for account number 456123. A malicious worker at an Internet Service Provider notices these URIs in his traffic logs, and determines the bank account numbers for his Internet customers. Furthermore, if access controls are not properly in place, he might be able to guess the URIs for other accounts, and to attempt to access them. Good Practice: URI assignment authorities SHOULD NOT put into URIs metadata that is to be kept confidential. ---------------------------------------------------------------------- Use cases: Google calendar http://lists.w3.org/Archives/Public/www-tag/2010Jan/0089.html Unsubscribe - Dan finds the email aspect confounding http://lists.w3.org/Archives/Public/www-tag/2010Feb/0051.html also see re Google policy http://mail.google.com/support/bin/answer.py?hl=en&answer=81126#unsub Google docs http://lists.w3.org/Archives/Public/www-tag/2010Jan/0087.html CSRF defense http://waterken.sourceforge.net/web-key/#cap_xsrf Tripit Doodle Webex readycast "join meeting now" ... ---------------------------------------------------------------------- URI communication ("leak") paths that have been mentioned: Bookmark lists Browser history Server history (logs) Sniffing Referrer header Phishing detection services Copy/paste (e.g. to email) delicious.com bookmarklet (deliberate action) ---------------------------------------------------------------------- "One pattern is using unguessable URIs as a resource identifier for a temporary-validity 'resource' which really acts as a capability to perform some action -- access a document or calendar entry, unsubscribe from a mailing list or some such. When used with time-limits and other protection mechanisms intended to slow or minimize the possibilities of accidental disclosure, unguessable URIs may be useful in situations where requirements for confidentiality aren't high." -- LMM http://lists.w3.org/Archives/Public/www-tag/2010Feb/0068.html ---------------------------------------------------------------------- "I think we should start with the assumption that URIs should be easily shareable by the resource owner and user (but not always by others). The intended audience for the resource may vary widely. What are the methods one might use to limit the audience for a resource to that decided by the resource owner and the recipient user of that URI? How might we ensure that the security tradeoffs are made consciously and properly?" -- John K http://lists.w3.org/Archives/Public/www-tag/2010Feb/0069.html ---------------------------------------------------------------------- "Good practice: use explicit security mechanisms to control access to Web resources, except when the risk that URIs will (leak? fall into the wrong hands?) is sufficiently low Good practice: for resources that are not sufficiently protected by explicit security mechanisms, use URI's that cannot be inferred from publicly(?) available information." -- Noah http://lists.w3.org/Archives/Public/www-tag/2010Feb/0074.html ---------------------------------------------------------------------- "Good Practice: A URI assignment authority SHOULD NOT put guessable, confidential metadata in a URI." "Good Practice: A URI assignment authority SHOULD only identify private resources with unguessable URIs." -- Tyler http://lists.w3.org/Archives/Public/www-tag/2010Feb/0081.html ---------------------------------------------------------------------- Note that nowhere does my draft text require that an unguessable URL alone be sufficient to grant access to a resource. It only says that private resources SHOULD use unguessable URLs. It doesn't say that you can't use additional security measures. -- Tyler http://lists.w3.org/Archives/Public/www-tag/2010Feb/0116.html ---------------------------------------------------------------------- From http://www.w3.org/2001/tag/2010/02/11-minutes.html : suggested ACTION: ask thomas & web-security group to take this up ... NoahM, the 2nd GPN in your proposal looks pretty similar to the 2nd GPN in what tyler wrote; I don't see a clear distinction. As far as I have read so far, they're both OK by me... ... I think the security considerations need to combine the risk of disclosure with the consequences of inadvertent disclosure and how the risks of inadvertent disclosure are mitigated. Such as: unsubscribe link requires explicit POST, results in a confirmation email being sent and [can be] undone, is only valid for a limited time and only one-time.