[p2p-hackers] Re: [rest-discuss] Re: RESTful authorization
Nick Lothian
nlothian at educationau.edu.au
Tue Sep 27 01:35:31 UTC 2005
>
> p2p-hackers, meet rest-discuss. rest-discuss, I'd like to
> introduce you to p2p-hackers.
>
> RESTafarians: there is a long-running conversation on
> p2p-hackers about friendnets, also known as darknets, small
> world networks, and F2F networks; also capabilities security,
> sometimes known as smart contracts. An example thread begins
> at http://zgp.org/pipermail/p2p-hackers/2005-August/002915.html
>
> p2p-hackers: Tyler Close's method for HTTP access control
> using nothing but unguessable (and secret) URIs came up on
> REST-discuss. That thread begins at
> http://groups.yahoo.com/group/rest-discuss/message/5228 In
> the context of friendnets, Tyler's scheme is a beautifully
> simple way of controlling access using nothing but low-tech
> means. Not only does it limit access to trusted parties, it
> also allows for transitive relationships. (Warning: his
> scheme is counterintuitive, since the dependence on secret
> URLs smells like security through obscurity).
>
Interesting idea.
It may not be security via obscurity, but it does appear to ignore a
number of practical considerations.
For instance, what about the secret URL being passed on in referrer
headers to other pages? I think some browsers block it when you go from
a secure page to a non-secure page on another site (although I'm unsure
about that). The argument that users shouldn't put links to on a secured
page is more surprising than the things it is trying to avoid (to me
anyway).
OTOH, all browsers block HTTP authentication credentials from being
passed in the referrer header.
Nick
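As an added illustration (not code from the thread or from Tyler Close's scheme), here is a small Python model of how a browser derives the Referer header when a user navigates away from a capability URL, following a subset of the W3C Referrer Policy rules and RFC 7231's rule that URL-embedded credentials and fragments are never sent. The hostnames and the token in CAP_URL are constructed sample values.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample capability URL: the unguessable path component is the secret.
CAP_URL = "https://files.example.org/share/0d7c2e9f-sample-unguessable-token"

def _strip_for_referer(url):
    """RFC 7231 5.5.2: userinfo (URL credentials) and the fragment are never sent."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host += f":{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, ""))

def referer_for(source, target, policy="no-referrer-when-downgrade"):
    """Referer a browser sends when navigating source -> target, or None if withheld.
    Subset of the W3C Referrer Policy algorithm; the header postdates the 2005 thread,
    and 'no-referrer-when-downgrade' matches the historical browser default."""
    src, dst = urlsplit(source), urlsplit(target)
    same_origin = (src.scheme, src.hostname, src.port) == (dst.scheme, dst.hostname, dst.port)
    downgrade = src.scheme == "https" and dst.scheme != "https"  # secure -> insecure
    origin_only = urlunsplit((src.scheme, src.netloc.rsplit("@", 1)[-1], "/", "", ""))
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else _strip_for_referer(source)
    if policy == "same-origin":
        return _strip_for_referer(source) if same_origin else None
    if policy == "origin":
        return origin_only
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return _strip_for_referer(source) if same_origin else origin_only
    if policy == "unsafe-url":
        return _strip_for_referer(source)
    raise ValueError(f"unsupported policy: {policy}")

def secret_leaks(source, target, policy):
    """True when the secret path of a capability URL reaches the target site's logs."""
    ref = referer_for(source, target, policy)
    return ref is not None and urlsplit(source).path in ref

if __name__ == "__main__":
    for tgt in ("https://blog.example.net/post", "http://blog.example.net/post"):
        for pol in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
            print(f"{tgt:32} {pol:32} leak={secret_leaks(CAP_URL, tgt, pol)}")
```

The `no-referrer-when-downgrade` branch reproduces the secure-to-insecure blocking mentioned above, while a cross-site link to another HTTPS page still carries the full secret; serving the capability's pages with `Referrer-Policy: no-referrer` closes that channel.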