[p2p-hackers] Re: [rest-discuss] Re: RESTful authorization
Antoine Pitrou
solipsis at pitrou.net
Wed Sep 28 15:41:02 UTC 2005
Hi again,
> On 9/28/05, Antoine Pitrou <solipsis at pitrou.net> wrote:
> > I'm curious as to how "capability URLs" can't be stolen and re-used by a
> > malicious piece of Javascript like other URLs can.
>
> Simply because a capability URL is unguessable.
It is permanent too, so if it leaks once, then it's compromised forever.
And you have to keep this URL somewhere... Given that it's full of
random ASCII garbage, you can't keep it in your head (contrast this with
a properly chosen password), and you don't want to copy it by hand
either. So it /will/ end up in electronic clickable form somewhere: for
example in your bookmarks.
From your own explanation on the REST mailing list: « The user just
*clicks on hyperlinks*, without ever needing to be aware of the resource
password. » Those hyperlinks have to be somewhere...
(and of course, this totally mandates HTTPS, which is impossible for
most Web sites for reasons I already explained)
As a mix proposal, it would be more interesting if a new URL was
generated every time the user identifies (with login/password). More
interesting again, it could be generated client side in Javascript using
a formula like "HASH(HASH(password) + challenge)" where the challenge is
a temporary value generated by the server for this very session (thus
with an expiration time). Which means:
- the URL is temporary (it expires with the challenge)
- this URL does not need to be recorded anywhere on the client since
it's generated at every new login
- in plain non-encrypted HTTPS, the data which goes over the wire only
gives temporary access to the resource
Regards
Antoine.
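The challenge scheme sketched in the message above, written out as an added example (not code from this thread or any project it mentions): the server mints an expiring challenge, the client derives HASH(HASH(password) + challenge) and builds its session URL from it, and the server accepts that URL only while the challenge is live. It assumes SHA-256 as HASH, a five-minute challenge lifetime, a hypothetical `/resource/<user>/<challenge>/<token>` URL layout, and that the server stores HASH(password) for each user.

```python
import hashlib
import hmac
import secrets

# Constructed demo state. The server must hold HASH(password) per user to
# recompute the client's token (assumption: SHA-256 plays the role of HASH).
USERS = {"alice": hashlib.sha256(b"correct horse battery").hexdigest()}
CHALLENGES = {}      # challenge -> (username, expiry timestamp)
CHALLENGE_TTL = 300  # seconds; the derived URL lives only this long


def issue_challenge(username, now):
    """Server: mint a random, expiring challenge for one login session."""
    challenge = secrets.token_hex(16)
    CHALLENGES[challenge] = (username, now + CHALLENGE_TTL)
    return challenge


def client_token(password, challenge):
    """Client side (would be JavaScript in the proposal):
    HASH(HASH(password) + challenge), hex-encoded."""
    inner = hashlib.sha256(password.encode()).hexdigest()
    return hashlib.sha256((inner + challenge).encode()).hexdigest()


def session_url(username, challenge, token):
    """Client: the temporary URL used for this session (hypothetical layout)."""
    return f"/resource/{username}/{challenge}/{token}"


def authorize(url, now):
    """Server: accept the URL only if the challenge exists, belongs to this
    user, is unexpired, and the token matches HASH(HASH(password) + challenge)."""
    parts = url.split("/")
    if len(parts) != 5 or parts[1] != "resource":
        return False
    _, _, username, challenge, token = parts
    entry = CHALLENGES.get(challenge)
    if entry is None or entry[0] != username or username not in USERS:
        return False
    if now > entry[1]:
        return False  # a leaked URL is worthless once the challenge expires
    expected = hashlib.sha256((USERS[username] + challenge).encode()).hexdigest()
    return hmac.compare_digest(expected, token)  # constant-time comparison
```

Note that the stored HASH(password) is itself password-equivalent for this scheme, since anyone holding it can derive a valid token for any challenge.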