[cap-talk] Webkeys vs. the web
David-Sarah Hopwood
david.hopwood at industrial-designers.co.uk
Wed Apr 1 21:49:35 EDT 2009
ihab.awad at gmail.com wrote:
> On Wed, Apr 1, 2009 at 1:48 PM, Karp, Alan H <alan.karp at hp.com> wrote:
>
>> Users have gotten used to using URLs in a way that is incompatible with the
>> security properties of webkeys. For example, they are likely to share the
>> URL for a webpage, e.g., Account Summary, without considering the security
>> implications, e.g., whether or not there's a link on that page for Trade
>> Shares.
>
> It's worse than that. To the extent that they understand the model, they
> have come to expect that they can share *their* Account Summary URL with me,
> and that I will see *my* account information displayed (assuming, say, we
> share the same bank).

Any such expectation could only be remotely reasonable if they have parsed
the URL and believe that it has nothing in it that looks like a session ID,
account ID, or similar. For example, if the URL is something like:

<http://www.mybank.com/getpage?p=summary>

then they will usually be correct in this expectation, but if it is
something like:

<http://www.mybank.com/getpage?p=summary&acct=271828>

then they will usually be incorrect, for existing sites.

A webkey will have a random-looking object ID that the user would have to
assume might be specific to their account.

--
David-Sarah Hopwood ⚥