[cap-talk] Confused Deputy gets a new name in Web 2.0 lingo
Jed at Webstart
donnelley1 at webstart.com
Tue Oct 17 12:47:56 CDT 2006
At 12:00 AM 10/17/2006, Ka-Ping Yee wrote:
>On Mon, 16 Oct 2006, Tyler Close wrote:
> > On 10/16/06, Ka-Ping Yee <cap-talk at zesty.ca> wrote:
> > > In a confused deputy situation, the deputy inadvertently abuses
> > > authority.
> > > Is it the browser or the bank that is making the decision to exercise
> > > the authority? I say the bank. If you prefer to say the browser, you
> > > can, it just means that you have chosen to see the browser as conveying
> > > an authorization to the bank.
> >
> > By that characterization all attacks would be defined as Confused
> > Deputy attacks, since in all attacks, authority is abused by some
> > actor. I think the term "Confused Deputy" is necessarily more narrowly
> > defined than you would seem to have it.
>
>That was a statement about confused deputies, not a definition of the
>term. I think your interpretation is valid. As i've said already
>off-list, feel free to edit the page to reflect the interpretation that
>makes the most sense to you. You don't need my permission to do so.
I agree with Tyler's interpretation of how this "Cross-site request forgery"
is a Confused Deputy attack against Bob's Web browser. I've edited Ping's
words to reflect that interpretation. I did that editing under my identity and
I placed a watch on this page.
Regarding:
At 09:46 AM 10/17/2006, Tyler Close wrote:
>On 10/17/06, Charles Landau <clandau at macslab.com> wrote:
> > At 11:28 PM -0700 10/16/06, Tyler Close wrote:
> > >This disagreement makes me think that it's not such a bad thing that
> > >"Confused Deputy" is getting a new name. "Confused Deputy" is a really
> > >bad name for the attack.
> >
> > Perhaps, but is "cross-site request forgery" better? It sounds
> > awfully web-specific. And, where is the forgery? The authorization is
> > legitimate, it is just misused.
>
>Yes, this new name doesn't seem very good either.
>
>Something like the "Penless Notary" might be more descriptive of the
>crux of the matter, but I don't know that that's a good name either.
>Naming is hard.
I agree that naming is hard and that "Cross-site request forgery"
is not only not better, it's worse. I also don't think "Penless Notary"
comes close. I believe "Confused Deputy" has stood the test
of time, has history on its side, and is good enough (certainly
lacking any viable alternative), so we should stick with it. Of
course people should feel free to submit alternative names for
discussion, but I think we should be very careful in any effort to
change such a venerable name.
--Jed http://www.webstart.com/jed/