
   Re: [xml-dev] Excellent IETF BCP on XML


Tim Bray wrote,
> Miles Sabin wrote:
> > Tim Bray wrote,
> >
> > >Note that dereferencing a URI via GET is in principle and as far
> > > as I can tell in practice safe, assuming you protect against
> > >infinitely-large resource representations.
> >
> > That simply isn't true.
>
> Gimme a break.

Umm ... no!

> Sitting on your front step isn't safe if you put a plastic bag over
> your head and then bang your head repeatedly on the railing. 
> Dereferencing a URI involves opening a network connection, sending off
> the URI, and getting back some MIME headers and a bag of bits.  Few
> operations in the computing infrastructure are safer.

You're kidding, right? Or did you miss the recent MIME, HTTP and SSL/TLS 
protocol-level parsing vulnerabilities (MS Outlook, Apache, OpenSSL)?

I think we can all agree that paranoia and security vendors/consultants 
hyping risks to boost their businesses are a Bad Thing. But so is 
complacency.

> Trying to pretend there's danger here obscures the real and serious 
> problems that arise when you start acting based on what you get
> without knowing what you're doing.

Right, but one of the big problems is knowing whether you're acting or 
not, never mind whether any particular action is safe. I see you use 
Mozilla as your MUA. Have you got it configured to render HTML mails as 
plain text? If you haven't, then when img elements in unsolicited HTML 
mails are rendered your MUA makes an outgoing network connection. 
That's an information leak for a start. And I hope you're patched 
against the recent Mozilla PNG library vulnerability ... if merely 
rendering an image counts as "acting based on what you get without 
knowing what you're doing" then doesn't just about anything?

I don't think there's any reason _at_all_ for believing that XML 
consuming network server applications will be less complex, or less 
buggy, or more secure, or with more secure default configurations than 
HTML consuming MUAs/browsers. We've seen innumerable retrieval-based 
security problems in the latter over the last few years, so why the 
confidence that we won't see security problems in the former?

Cheers,


Miles
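
The information leak described in the message above (a remote img element in an HTML mail causes an outgoing connection when the mail is rendered) can be checked for before rendering. The following is an added example, not part of the original post: the tag/attribute list, the names `RemoteRefFinder` and `remote_refs`, and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs a renderer fetches with no user action.
# Assumed, non-exhaustive list chosen for this example.
AUTO_FETCH = {("img", "src"), ("link", "href"), ("script", "src"),
              ("iframe", "src"), ("body", "background"), ("input", "src")}

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) not in AUTO_FETCH or not value:
                continue
            url = value.strip()
            # cid: and data: resolve inside the message itself; a network
            # scheme or a scheme-relative "//host/..." URL leaves the machine.
            if urlsplit(url).scheme in ("http", "https", "ftp") or url.startswith("//"):
                self.refs.append((tag, url))

def remote_refs(raw_message):
    """Return (tag, url) pairs that rendering the HTML parts would fetch."""
    found = []
    for part in message_from_string(raw_message, policy=default).walk():
        if part.get_content_type() == "text/html":
            finder = RemoteRefFinder()
            finder.feed(part.get_content())
            finder.close()
            found.extend(finder.refs)
    return found

# Constructed sample message (not from the thread).
SAMPLE = """\
From: sender@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello</p>
<img src="http://tracker.example.net/open.gif?id=reader%40example.org">
<img src="cid:logo@example.com">
<a href="http://example.com/page">fetched only if clicked</a>
</body></html>
"""
```

Calling `remote_refs(SAMPLE)` reports only the tracker image: the `cid:` image is carried inside the message, and the anchor is not fetched until the reader follows it.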




 
