[datacatalogs] SSL and DCIP v2

Will Pugh will.pugh at socrata.com
Wed Nov 21 07:01:50 UTC 2012

Hey folks,

I was looking at the DCIP spec, and had a couple of issues with the HTTP
vs. HTTPS section in here.  My primary concern is that the
approach eluded to in the spec does NOT seem to address many of the things
SSL addresses (such as Man in the Middle attacks).

If an attacker were able to poison a DNS cache, or intercept traffic in any
other way, there is nothing that prevents them from creating a SHA-256 of
my bogus response and adding that in the header.  The spec mentions the
Facebook API, but I believe that API requires a secret key and uses an HMAC
to sign the response.  However, even if you wanted to put something like
that in, you still need to make sure to not have any potential Man In The
Middle attacks when getting the secret key.  Normally, this is done through
communication over HTTPS.

HTTPS provides a much better trust chain than you are going to get with any
other "homespun" mechanisms.

I don't think we should mandate HTTPS, but I think that catalogs that don't
support HTTPS are going to be open to spoofing and MITM attacks.  I'd
rather not give folks a false sense of security and discourage vendors from
providing real protection against MITM and tampering.

HTTP is a well layered protocol.  It is made that way so that standards
like this can focus on interoperability and leave the security and trust up
to the experts.

    --Will Pugh
       CTO Socrata
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.okfn.org/pipermail/data-catalogs/attachments/20121120/ce3ebfed/attachment.html>

More information about the data-catalogs mailing list