[cap-talk] Polaris tickle, POLA for Internet access, URLs

David Mercer dmercer at email.Arizona.EDU
Thu Dec 9 18:51:25 EST 2004


On Thu, 9 Dec 2004, Jed at Webstart wrote:
> It seems to me that because http is a stateless protocol, any notion
> of state shared across transactions must be contained in information
> associated with a "connection" by the client or server.  The only notion
> of "connection" that I know of in clients involves shared state automatically
> retransmitted with repeated http requests to a single site.  Amongst the
> mechanisms I am familiar with are:
>
> 1.  Basic authentication - where the client browser remembers
> username/password information and repeatedly sends it with
> each transaction to the same IP address.  Certificated access
> works similarly.  This has nothing to do with "automatic login",
> but happens after a manual login in order to keep the user
> from having to re-login with every request to the server - clearly
> impractical.
>
> 2.  Cookies - where again the client remembers cookie information
> and resends it with every request to an IP or IP/path combination
> (I've forgotten the details, but one can adjust that to some extent
> when saving a cookie).

State is often encoded in urls and/or form fields.  The stateless nature
of the http protocol has spawned countless emulations of a stateful
connection to have been hacked on top of it.  Parameter passing via POST
form fields or GET requests is typical and common.

If cookies hadn't been so maligned and feared due to bad press, perhaps
they would have become a universal, rather than merely popular, way to
encode state across http requests.  As it stands you can't really ever
tell algorithmically whether any given url transmits state.

I've administered over a dozen different web server platforms in my past as
an admin in commercial production environments, and believe me it is
completely trivial to map any url to anything you want.

I can make http://www.EvilServer.com/images/Jed.png call a cgi.  Heck, I
can make any png that the server receives a GET request for in that
/images directory map to the same cgi, and have EvilProgram interpret each
filename requested as data returned to it, and it can even hand you back a
png standard conformant 1x1 image that you won't ever see, and your
browser will happily not raise an 'invalid image' dialog.

My point is that any http GET request, even if it looks harmless, may be
an unauthorized data transmission.  Encapsulating the browser in a
restricted execution environment built with POLA in mind will limit what
can be transmitted.

But you can't ever tell by looking what's an evil url.

----------------------
David Mercer
dmercer at U.Arizona.EDU
http://www.u.arizona.edu/~dmercer
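As an added illustration of the point above (not code from the post or from any project), a small log-side heuristic: it scans constructed access-log lines for image GETs whose filename is long and high-entropy, the shape a filename carrying encoded data tends to have. The log lines, the `/images/*.png` path convention and the thresholds are assumptions; the last sample line shows the caveat the post makes, a short encoded name passes as harmless.

```python
import math
import re
from collections import Counter

# Constructed sample access-log lines (Common Log Format); not from the post.
# The third request's filename is base64-looking data rather than a human-chosen
# image name; the fourth is short enough that no heuristic can tell.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Dec/2004:18:51:25 -0500] "GET /images/Jed.png HTTP/1.1" 200 95
10.0.0.5 - - [09/Dec/2004:18:51:26 -0500] "GET /images/logo_small.png HTTP/1.1" 200 95
10.0.0.5 - - [09/Dec/2004:18:51:27 -0500] "GET /images/aGVsbG8gd29ybGQgc2VjcmV0.png HTTP/1.1" 200 95
10.0.0.5 - - [09/Dec/2004:18:51:28 -0500] "GET /images/a1.png HTTP/1.1" 200 95
"""

# Minimal CLF parser for GET lines only (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d+) (?P<size>\d+)'
)


def shannon_entropy(s):
    """Bits per character of the string s (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def suspicious_image_request(path, min_len=16, min_entropy=3.5):
    """Heuristic: a .png name under /images/ that is long and high-entropy
    looks more like encoded data than like an image name. Thresholds are
    assumed values, not derived from any standard."""
    m = re.match(r'^/images/([^/?]+)\.png$', path)
    if not m:
        return False
    stem = m.group(1)
    return len(stem) >= min_len and shannon_entropy(stem) >= min_entropy


def flag_requests(log_text):
    """Return the request paths in log_text that the heuristic flags."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and suspicious_image_request(m['path']):
            flagged.append(m['path'])
    return flagged


if __name__ == "__main__":
    for path in flag_requests(SAMPLE_LOG):
        print("suspicious image GET:", path)
```

Only the 24-character base64-looking name is flagged; `a1.png` carries just as plausibly two bytes of data and is indistinguishable from a real image request, which is exactly why the post says you can't tell by looking.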

