[cap-talk] Webkeys vs. the web
ihab.awad at gmail.com
Wed Apr 1 21:56:12 EDT 2009
On Wed, Apr 1, 2009 at 6:49 PM, David-Sarah Hopwood <david.hopwood at industrial-designers.co.uk> wrote:
> A webkey will have a random-looking object ID that the user would have to
> assume might be specific to their account.
>
True, but the Amazon.com example posted earlier had all sorts of guff in it
while *still* being powerless.
And as for a real attack, consider this: If the Amazon.com URLs did convey
the authority to buy something with the viewer's credit card, and the world
were still in an era before the ubiquity of cap URLs, I can send an email:
To: You
From: Me
Subject: Get products for CHEAP!
We at CheapCorp want to save you money! Send us any link to an
Amazon.com product and, if we can beat the price, we'll also send
you a free pair of fuzzy dice!
Ihab
--
Ihab A.B. Awad, Palo Alto, CA
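[Added example, not part of Ihab's message or of any cap-talk project code: a small Python model of the two URL designs the thread contrasts. It shows why the Amazon-style link full of "guff" is powerless when forwarded, while a webkey that carries the authority to buy is exercised by whoever receives it. The host names, item ids, account names and class names are made up for the illustration.]

```python
"""Toy model of two ways a shop can turn a URL into a purchase.

Constructed example for the cap-talk thread: shop.example, the item id,
the account name and every class here are invented; this is not the
Waterken/E webkey implementation.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    charges: list = field(default_factory=list)


class IdentifierShop:
    """Amazon-style: the URL only names an item; authority comes from a session cookie."""

    def __init__(self):
        self._sessions = {}  # session cookie -> Account

    def login(self, account):
        cookie = secrets.token_urlsafe(16)
        self._sessions[cookie] = account
        return cookie

    def product_url(self, item_id):
        # Random-looking "guff" in the path, but it conveys no authority on its own.
        return f"https://shop.example/dp/{item_id}/ref=sr_1_1"

    def buy(self, url, cookie=None):
        item_id = url.split("/dp/", 1)[1].split("/", 1)[0]
        account = self._sessions.get(cookie)
        if account is None:
            return False  # the link alone buys nothing
        account.charges.append(item_id)
        return True


class WebkeyShop:
    """Webkey-style: the unguessable token in the URL *is* the authority to buy."""

    def __init__(self):
        self._caps = {}  # secret -> (Account, item_id)

    def buy_webkey(self, account, item_id):
        secret = secrets.token_urlsafe(24)
        self._caps[secret] = (account, item_id)
        # Key goes in the fragment so browsers do not send it in Referer headers.
        return f"https://shop.example/buy#{secret}"

    def buy(self, url):
        secret = url.split("#", 1)[1]
        cap = self._caps.get(secret)
        if cap is None:
            return False
        account, item_id = cap
        account.charges.append(item_id)  # charged to whoever the key was minted for
        return True


def simulate_cheapcorp():
    """Alice forwards a product link to 'CheapCorp', who then tries to buy with it."""
    alice = Account("alice")
    result = {}

    shop_a = IdentifierShop()
    alice_cookie = shop_a.login(alice)
    link = shop_a.product_url("B000FUZZYD1")
    assert shop_a.buy(link, alice_cookie)  # Alice, with her cookie, can buy
    result["identifier_url_lets_third_party_buy"] = shop_a.buy(link)  # CheapCorp: no cookie

    shop_b = WebkeyShop()
    link = shop_b.buy_webkey(alice, "B000FUZZYD1")
    result["webkey_lets_third_party_buy"] = shop_b.buy(link)  # CheapCorp: the link suffices
    result["alice_charges"] = list(alice.charges)
    return result


if __name__ == "__main__":
    print(simulate_cheapcorp())
```

The forwarded Amazon-style link fails for CheapCorp because the purchase authority lives in Alice's session, not in the URL; the forwarded webkey succeeds and Alice is charged a second time, which is exactly what the "send us any link" email would harvest. The same property is what makes a webkey delegable by design; the question the quoted reply raises is whether a user can tell, from the random-looking id alone, which kind of link they are handing over.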