OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Traffic Analysis and Namespace Dereferencing



John Wilson writes:

 > Performing an HTTP GET on an arbitrary URL is not an innocuous
 > action.

Very well put -- there are many dangers, including (as John points
out) denial-of-service (intentional or unintentional) and maliciously
altered schema information.

Even without technical or security problems, however, automatic
dereferencing will make it possible discover trade secrets, personal
information, etc. simply through traffic analysis.

Let's say that I have defined a popular Namespace for encoding
peer-to-peer records:

  http://www.megginson.com/ns/p2p

Now, imagine that IBM plans a big announcement next Thursday, but is
keeping it heavily under wraps.  I bring up my server log and find
10,000 hits for http://www.megginson.com/ns/p2p from a research domain
at ibm.com.  Hmm.

Maybe I know that there's a medium-sized, publicly-traded company
using my P2P Namespace, and that they've been shopping themselves
around.  Time to buy some stock; or, if I don't want to go to jail for
securities violations, time to leak it to the chatrooms.

Now, imagine the same kind of thing, only for IBM, substitute (say)
MI5, the Federal Reserve Board, or the Los Alamos nuclear research
lab.  Ouch!


All the best,


David

-- 
David Megginson                 david@megginson.com
           http://www.megginson.com/