Cart
|
[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message] Re: Excellent IETF BCP on XML
 Tim Bray wrote, > Miles Sabin wrote: > > Tim Bray wrote, > > > > >Note that dereferencing a URI via GET is in principle and as far > > > as I can tell in practice safe, assuming you protect against > > >infinitely-large resource representations. > > > > That simply isn't true. > > Gimme a break. Umm ... no! > Sitting on your front step isn't safe if you put a plastic bag over > your head and then bang your head repeatedly on the railing. > Dereferencing a URI involves opening a network connection, sending off > the URI, and getting back some MIME headers and a bag of bits. Few > operations in the computing infrastructure are safer. You're kidding, right? Or did you miss the recent MIME, HTTP and SSL/TLS protocol-level parsing vulnerabilities (MS Outlook, Apache, OpenSSL)? I think we can all agree that paranoia and security vendors/consultants hyping risks to boost their businesses are a Bad Thing. But so is complacency. > Trying to pretend there's danger here obscures the real and serious > problems that arise when you start acting based on what you get > without knowing what you're doing. Right, but one of the big problems is knowing whether you're acting or not, never mind whether any particular action is safe. I see you use Mozilla as your MUA. Have you got it configured to render HTML mails as plain text? If you haven't, then when img elements in unsolicited HTML mails are rendered your MUA makes an outgoing network connection. That's an information leak for a start. And I hope you're patched against the recent Mozilla PNG library vulnerability ... if merely rendering a image counts as "acting based on what you get without knowing what you're doing" then doesn't just about anything? I don't think there's any reason _at_all_ for believing that XML consuming network server applications will be less complex, or less buggy, or more secure, or with more secure default configurations than HTML consuming MUAs/browsers. We've seen innumberable retrieval-based security problems in the latter over the last few years, so why the confidence that we won't see security problems in the former? Cheers, Miles 
|
PURCHASE STYLUS STUDIO ONLINE TODAY!Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced! 
Download The World's Best XML IDE!Accelerate XML development with our award-winning XML IDE - Download a free trial today! Subscribe in XML format
|
|||||||||
