[cap-talk] Confused Deputy gets a new name in Web 2.0 lingo

Tyler Close tyler.close at gmail.com
Mon Oct 16 22:45:29 CDT 2006


On 10/16/06, Ka-Ping Yee <cap-talk at zesty.ca> wrote:
> On Mon, 16 Oct 2006, Tyler Close wrote:
> > http://en.wikipedia.org/wiki/Cross-site_request_forgery
>
> Since it's Wikipedia, let's improve the article.
>
> I've added a "See Also" link to the article on Confused Deputy attacks,
> and a note to the text relating CSRF to Confused Deputy.

Is your text:

"A cross-site request forgery is simply a confused deputy attack
against a website. The deputy in the bank example is the bank website,
which is confused into misusing Bob's authority at Alice's direction."

If so, I think it needs to be amended. The deputy role is being played
by the web browser, not the bank website. The browser has been
instantiated with some of the user's authority (the bank credentials)
and some of the visited site's authority (the attack site).
Unfortunately, the browser is unable to express distinctions in what
authority should be applied to the current request. Making an analogy
to Norm's prototypical Confused Deputy attack, the FORM action
parameter is like the file name for the compiler's output.

> Feel free to join me in editing this page and the Confused Deputy page
> to make the point clearer.

Maybe we should hash it out here and then post the result, rather than
thrashing within the wiki. What's the etiquette for these things?

Tyler

-- 
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/

Name your trusted sites to distinguish them from phishing sites.
https://addons.mozilla.org/firefox/957/
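The browser-as-deputy reading of CSRF in the message above, as an added toy model (not code from the original post or from anyone on the list): the browser picks a cookie by the FORM action target alone, so a form served by another site but aimed at the bank rides on Bob's authority; the per-session form token is one mitigation that makes the request name the authority it acts under. Hostnames, users, amounts and the token check are constructed assumptions.

```python
import secrets

BANK = "bank.example"  # constructed hostname for this example

class Bank:
    """Toy bank site: session cookie -> (user, per-session form token)."""
    def __init__(self, require_token):
        self.require_token = require_token
        self.sessions, self.balances = {}, {"bob": 100, "alice": 0}

    def login(self, user):
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = (user, secrets.token_hex(8))
        return cookie

    def form_token(self, cookie):  # embedded only in forms the bank serves
        return self.sessions[cookie][1]

    def transfer(self, cookie, form):
        user, token = self.sessions[cookie]
        # Mitigation: the request must carry a secret that names the authority
        # it acts under; riding on the ambient cookie alone is not enough.
        if self.require_token and form.get("token") != token:
            return "rejected"
        self.balances[user] -= form["amount"]
        self.balances[form["to"]] += form["amount"]
        return "ok"

class Browser:
    """The deputy: cookies are keyed by destination site only, so it cannot
    say whether a request should carry the user's authority or the page's."""
    def __init__(self):
        self.cookies = {}

    def submit_form(self, page_origin, action, bank, fields):
        # The cookie is chosen by the FORM action target, never by page_origin.
        return bank.transfer(self.cookies.get(action), fields)

def run_scenario(require_token):
    bank, browser = Bank(require_token), Browser()
    browser.cookies[BANK] = bank.login("bob")
    # A form served by the bank itself embeds the session's token.
    legit = {"to": "alice", "amount": 10,
             "token": bank.form_token(browser.cookies[BANK])}
    r_legit = browser.submit_form(BANK, BANK, bank, legit)
    # A form served by another site with action=bank: that page never saw
    # Bob's session, so it has no token, yet Bob's cookie still rides along.
    r_forged = browser.submit_form("other.example", BANK, bank,
                                   {"to": "alice", "amount": 50})
    return r_legit, r_forged, bank.balances["bob"]
```

Without the token check both transfers succeed and Bob ends at 40; with it the forged request is rejected and Bob keeps 90.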

