Traffic Analysis and Namespace Dereferencing
John Wilson writes: > Performing an HTTP GET on an arbitrary URL is not an innocuous > action. Very well put -- there are many dangers, including (as John points out) denial-of-service (intentional or unintentional) and maliciously altered schema information. Even without technical or security problems, however, automatic dereferencing will make it possible discover trade secrets, personal information, etc. simply through traffic analysis. Let's say that I have defined a popular Namespace for encoding peer-to-peer records: http://www.megginson.com/ns/p2p Now, imagine that IBM plans a big announcement next Thursday, but is keeping it heavily under wraps. I bring up my server log and find 10,000 hits for http://www.megginson.com/ns/p2p from a research domain at ibm.com. Hmm. Maybe I know that there's a medium-sized, publicly-traded company using my P2P Namespace, and that they've been shopping themselves around. Time to buy some stock; or, if I don't want to go to jail for securities violations, time to leak it to the chatrooms. Now, imagine the same kind of thing, only for IBM, substitute (say) MI5, the Federal Reserve Board, or the Los Alamos nuclear research lab. Ouch! All the best, David -- David Megginson david@m... http://www.megginson.com/
PURCHASE STYLUS STUDIO ONLINE TODAY!
Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!
Download The World's Best XML IDE!
Accelerate XML development with our award-winning XML IDE - Download a free trial today!
Subscribe in XML format