WebFinger redirection: client SHOULD or MUST?


Paul E. Jones

Dec 19, 2012, 9:39:04 PM
to webf...@ietf.org, webf...@googlegroups.com

Folks,

 

We’re looking at text like this related to redirection:

 

WebFinger servers MAY redirect a client using a redirection HTTP status code to another HTTPS URI, but MUST NOT redirect a client to an HTTP URI.  Further, clients MUST NOT follow a redirection to an HTTP URI, but SHOULD follow all server redirects to HTTPS URIs.

 

Note the word “SHOULD” on the client’s requirement to follow redirects.  This softer requirement has been floated around on the list now for a week or longer (e.g., see Sal’s note on 12 Dec 2012), but the -07 version of the document mandates that clients follow redirects.  I cannot recall why this change was made, but it might have been out of security concerns.

 

Now that we are using HTTPS only, should we change that SHOULD back to a MUST as was in the -07 draft?

 

Paul

 

Brad Fitzpatrick

Dec 19, 2012, 9:41:15 PM
to webf...@googlegroups.com, webf...@ietf.org
I wouldn't worry about it.  SHOULD is fine.

Some small number of people will violate it anyway for security or paranoia reasons (and they probably know what they're doing), and most people will be using some higher-level HTTP client that doesn't give them options anyway and will probably just do the right thing.

So changing the wording only affects a small number of people who won't care to necessarily follow it anyway.

Brad Fitzpatrick

Dec 19, 2012, 9:44:12 PM
to webf...@googlegroups.com, webf...@ietf.org
For instance, if I look up atta...@evil.example.net's WebFinger like:

   GET /.well-known/webfinger?resource=acct:atta...@evil.example.com HTTP/1.1
   Host: evil.example.net

And they reply:

  HTTP/1.1 302 Found

Is it a MUST that I follow that redirect?  Hell no.

This is why I wrote http://search.cpan.org/~bradfitz/LWPx-ParanoidAgent/lib/LWPx/ParanoidAgent.pm back in the day, but variants with similar policies exist for nearly all languages / organizations.


Paul E. Jones

Dec 20, 2012, 10:51:35 AM
to Tim Bray, Brad Fitzpatrick, webf...@ietf.org, webf...@googlegroups.com

The reason the text is there relates to security. Specifically, we do not want it to be legal for a WF server to redirect a client that queried via HTTPS to a non-secure URI.

 

Paul

 

From: webfinge...@ietf.org [mailto:webfinge...@ietf.org] On Behalf Of Tim Bray
Sent: Wednesday, December 19, 2012 9:48 PM
To: Brad Fitzpatrick
Cc: webf...@ietf.org; webf...@googlegroups.com
Subject: Re: [webfinger] WebFinger redirection: client SHOULD or MUST?

 

I'd just say "retrieval must be via HTTPS" and defer all this http stuff to the http spec. I just don't see how we add value by discussing details of how to redirect; the state of that art is well understood.



Paul E. Jones

Dec 20, 2012, 10:58:31 AM
to Tim Bray, Brad Fitzpatrick, webf...@ietf.org, webf...@googlegroups.com

At present, it’s just a two-liner.  We could reduce it down to this:

 

“A WebFinger server MAY redirect the client, but MUST only redirect the client to an HTTPS URI.”

 

Paul

 

From: Tim Bray [mailto:tb...@textuality.com]
Sent: Thursday, December 20, 2012 10:53 AM
To: Paul E. Jones
Cc: Brad Fitzpatrick; webf...@ietf.org; webf...@googlegroups.com
Subject: Re: [webfinger] WebFinger redirection: client SHOULD or MUST?

 

Right, so if there’s a one-liner at the beginning of the protocol section saying “All requests (including redirects) MUST be directed to “https:” URIs” you’ve got it covered.
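
The redirect rule debated in this thread (follow redirects to HTTPS URIs, never to an HTTP URI), as an added example that is not part of any message or of the WebFinger draft. The `fetch` transport, the `MAX_HOPS` limit, the loop check and the sample responses are assumptions constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5  # assumption: the thread sets no hop limit

class RedirectRefused(Exception):
    """Raised when the client declines to follow (or start) a request."""

def next_hop(current_url, location):
    """Resolve Location against the current URL; allow only https targets."""
    target = urljoin(current_url, location)
    parts = urlsplit(target)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise RedirectRefused(f"non-HTTPS redirect target: {target}")
    return target

def webfinger_get(url, fetch, max_hops=MAX_HOPS):
    """Follow redirects by hand so every hop is checked.

    fetch(url) -> (status, headers, body) is a hypothetical transport that
    does NOT follow redirects itself. Returns (final_url, status, body).
    """
    if urlsplit(url).scheme.lower() != "https":
        raise RedirectRefused(f"initial request must use https: {url}")
    seen = set()
    for _ in range(max_hops + 1):
        if url in seen:
            raise RedirectRefused(f"redirect loop at {url}")
        seen.add(url)
        status, headers, body = fetch(url)
        if status not in REDIRECT_CODES:
            return url, status, body
        location = headers.get("Location")
        if not location:
            raise RedirectRefused("redirect status without a Location header")
        url = next_hop(url, location)
    raise RedirectRefused(f"more than {max_hops} redirects")

# Constructed responses (not captured traffic), keyed by request URL.
SAMPLE = {
    "https://example.com/.well-known/webfinger?resource=acct:bob@example.com":
        (302, {"Location": "https://wf.example.net/q?resource=acct:bob@example.com"}, ""),
    "https://wf.example.net/q?resource=acct:bob@example.com":
        (200, {}, '{"subject": "acct:bob@example.com"}'),
    "https://example.org/.well-known/webfinger?resource=acct:eve@example.org":
        (302, {"Location": "http://example.org/jrd"}, ""),
}
```

Calling `webfinger_get(url, SAMPLE.__getitem__)` runs the policy against the constructed responses; a real transport must have its own automatic redirect handling turned off so that each hop passes through `next_hop`.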
