comment on vicinities vs URIs Per Bothner (02 Jan 2005 22:31 UTC)
Re: comment on vicinities vs URIs Aubrey Jaffer (10 Jan 2005 04:08 UTC)
Re: comment on vicinities vs URIs Per Bothner (10 Jan 2005 07:30 UTC)
Re: comment on vicinities vs URIs felix winkelmann (10 Jan 2005 07:52 UTC)
Re: comment on vicinities vs URIs Per Bothner (10 Jan 2005 08:10 UTC)
Re: comment on vicinities vs URIs felix winkelmann (10 Jan 2005 09:16 UTC)
Re: comment on vicinities vs URIs bear (10 Jan 2005 09:49 UTC)

Re: comment on vicinities vs URIs bear 10 Jan 2005 09:49 UTC


On Mon, 10 Jan 2005, Per Bothner wrote:

>felix winkelmann wrote:
>
>> - It should be apparent that generalizing this all to URIs brings with it
>>   some security issues
>
>I don't see this.  I can see trouble if a Bad Guy gets an
>application to look for a resource using a bad URI.  But how is this
>different from getting an application to look for the resource using
>a bad local path?

It's different because it allows the user to be tracked and logged
from a remote machine without their knowledge.

Since Microsoft's subversion of SMTP to send HTML, it's become
fairly common for people spying on users to embed things in
their mail that generate an HTTP request whenever the mail is
displayed, so they can keep track of the people they've sent
stuff to.  I think this is pernicious.  One step further and
you'll see house robbers waiting until their server verifies
that the owner is at the office reading email....

In security applications, I want guarantees that a program is
*NOT* accessing the network.

			Bear
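
An added example, not part of the original message or of the SRFI under discussion: one way an application could enforce the "no network access" requirement at the point where a resource locator is resolved, by refusing anything that names a remote host before it is opened. The names `classify`, `require_local` and `NetworkLocator` are hypothetical, and the sample locators are constructed.

```python
import re
from urllib.parse import urlsplit

# Hypothetical policy helper (not from the SRFI): decide from the locator
# string alone whether resolving it could contact another machine.
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")   # RFC 3986 scheme prefix
_DRIVE = re.compile(r"^[A-Za-z]:[\\/]")              # Windows drive path

class NetworkLocator(ValueError):
    """Raised when a locator is not provably local."""

def classify(locator):
    """Return 'local' or 'remote' for a path or URI string."""
    if locator.startswith(("\\\\", "//")):
        return "remote"   # UNC path or scheme-relative URI: both name a host
    if _DRIVE.match(locator):
        return "local"    # C:\dir\file is a drive letter, not URI scheme "c"
    if not _SCHEME.match(locator):
        return "local"    # plain relative or absolute path
    try:
        parts = urlsplit(locator)
    except ValueError:
        return "remote"   # unparseable URI: refuse rather than guess
    if parts.scheme.lower() == "file" and parts.netloc.lower() in ("", "localhost"):
        return "local"
    return "remote"       # http, ftp, file://host/..., and unknown schemes

def require_local(locator):
    """Return the locator unchanged, or raise before anything is opened."""
    if classify(locator) != "local":
        raise NetworkLocator(f"refusing non-local locator: {locator!r}")
    return locator

# Constructed sample locators. Limitation: a string check cannot see
# network filesystems mounted under an ordinary local path.
SAMPLES = [
    "lib/util.scm",
    "/usr/share/scheme/srfi.scm",
    "file:///etc/hosts",
    "file://fileserver/share/init.scm",
    "HTTP://example.com/pixel.scm",
    "\\\\fileserver\\share\\init.scm",
    "C:\\scheme\\init.scm",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):6}  {s}")
```

The check is deliberately default-deny: a relative filename containing a colon, or a scheme the policy does not know, is refused rather than opened.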