[datacatalogs] SSL and DCIP v2
will.pugh at socrata.com
Sat Nov 24 03:22:11 UTC 2012
On Thu, Nov 22, 2012 at 8:24 AM, Rufus Pollock <rufus.pollock at okfn.org>wrote:
> On 21 November 2012 07:01, Will Pugh <will.pugh at socrata.com> wrote:
> > Hey folks,
> > I was looking at the DCIP spec, and had a couple of issues with the HTTP
> > HTTPS section in here. My primary concern is that the approach eluded
> to in
> > the spec does NOT seem to address many of the things SSL addresses (such
> > Man in the Middle attacks).
> > If an attacker were able to poison a DNS cache, or intercept traffic in
> > other way, there is nothing that prevents them from creating a SHA-256
> of my
> > bogus response and adding that in the header. The spec mentions the
> > Facebook API, but I believe that API requires a secret key and uses an
> > to sign the response. However, even if you wanted to put something like
> > that in, you still need to make sure to not have any potential Man In The
> > Middle attacks when getting the secret key. Normally, this is done
> > communication over HTTPS.
> Good point Will. The issue here I think arose in preparing version 2.0
> in which some proposed material re signing got dropped but the
> reference did not get removed - this is definitely something to
> explore but it was felt to add significant complexity.
> Be interested to hear what you or others think regarding enhancing the
> security aspects of the DCIP as it stands.
My take here would be to stay out of the security game. I would say that
DCIP is about interoperability and not about security.
> > HTTPS provides a much better trust chain than you are going to get with
> > other "homespun" mechanisms.
> > I don't think we should mandate HTTPS, but I think that catalogs that
> > support HTTPS are going to be open to spoofing and MITM attacks. I'd
> > not give folks a false sense of security and discourage vendors from
> > providing real protection against MITM and tampering.
> > HTTP is a well layered protocol. It is made that way so that standards
> > this can focus on interoperability and leave the security and trust up to
> > the experts.
> So your preference here would be to stick with HTTP and remove the
> possibly confusing discussion around HTTP / HTTPS?
Yes. I would say that the standard sits above HTTP/HTTPS and that which
one us used is orthogonal. Providers that want to provide protection are
free to use HTTPS, but providers are not compelled to.
> > --Will Pugh
> > CTO Socrata
> > _______________________________________________
> > data-catalogs mailing list
> > data-catalogs at lists.okfn.org
> > http://lists.okfn.org/mailman/listinfo/data-catalogs
> > Unsubscribe: http://lists.okfn.org/mailman/options/data-catalogs
> Co-Founder, Open Knowledge Foundation
> Promoting Open Knowledge in a Digital Age
> http://www.okfn.org/ - http://blog.okfn.org/
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the data-catalogs