
Re: comment on vicinities vs URIs




On Mon, 10 Jan 2005, Per Bothner wrote:

>felix winkelmann wrote:
>
>> - It should be apparent that generalizing this all to URIs brings with it
>>   some security issues
>
>I don't see this.  I can see trouble if a Bad Guy gets an
>application to look for a resource using a bad URI.  But how is this
>different from getting an application to look for the resource using
>a bad local path?

It's different because it allows the user to be tracked and logged
from a remote machine without their knowledge.

Since Microsoft's subversion of SMTP to send HTML, it's become
fairly common for people spying on users to embed things in
their mail that generate an HTTP request whenever the mail is
displayed, so they can keep track of the people they've sent
stuff to.  I think this is pernicious.  One step further and
you'll see house robbers waiting until their server verifies
that the owner is at the office reading email....

In security applications, I want guarantees that a program is
*NOT* accessing the network.

			Bear
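
An added example, not part of the original message: a check a mail filter or renderer could run to find references in an HTML body that would trigger a network request on display, as opposed to ones resolved locally. The tag list, function names and sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs a renderer loads automatically, with no click.
AUTO_FETCH = {("img", "src"), ("link", "href"), ("script", "src"),
              ("iframe", "src"), ("embed", "src"), ("video", "poster"),
              ("body", "background"), ("table", "background"), ("td", "background")}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)

def needs_network(ref):
    """True if resolving ref makes the renderer contact another host."""
    parts = urlsplit(ref.strip())
    if parts.scheme in ("cid", "data", "about"):
        return False  # resolved from inside the message itself
    # Any authority component names a remote host: http://h/, //h/, file://h/share
    return bool(parts.netloc) or parts.scheme in ("http", "https", "ftp")

class RemoteLoadScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (tag, attribute, reference)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name == "style":
                refs = CSS_URL.findall(value)   # inline CSS can also pull images
            elif (tag, name) in AUTO_FETCH:
                refs = [value]
            else:
                continue                        # e.g. <a href>: only fetched on click
            self.hits += [(tag, name, r) for r in refs if needs_network(r)]

def find_remote_loads(html):
    scanner = RemoteLoadScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits

# Constructed sample message body (hosts are placeholders).
SAMPLE = """<html><body><p>Hello</p>
<img src="cid:logo@example.invalid">
<img src="http://tracker.example.invalid/o.gif?id=42" width="1" height="1">
<div style="background:url('//cdn.example.invalid/bg.png')"></div>
<a href="http://example.invalid/read-more">link</a>
<img src="images/local.png">
</body></html>"""
```

A renderer that wants the "no network access" guarantee can refuse to display, or strip, every reference this returns; note that a `file:` URI with a host part is treated as remote, while a plain local path is not.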