Re: [apps-discuss] Webfinger discussion

"Paul E. Jones" <paulej@packetizer.com> Mon, 26 March 2012 18:15 UTC

From: "Paul E. Jones" <paulej@packetizer.com>
To: 'Andrew Sullivan' <ajs@anvilwalrusden.com>, apps-discuss@ietf.org
References: <053201cd0b5d$c08c80f0$41a582d0$@packetizer.com> <20120326150556.GC3557@mail.yitter.info>
In-Reply-To: <20120326150556.GC3557@mail.yitter.info>
Date: Mon, 26 Mar 2012 14:15:31 -0400
Message-ID: <057101cd0b7c$6ec95170$4c5bf450$@packetizer.com>

Andrew,

> > > Andrew Sullivan: when I was a kid, they told us to turn off finger,
> > > so I'm concerned about security
> >
> > That was due to the fact the finger protocol implementations had
> > security holes.  It was also possible to do things like "ln
> > /etc/password .plan" and that was a bad thing :-)
> 
> That wasn't the only reason they told us this.  One of the things that
> people used to worry about was that finger leaked information.  In
> particular, it was an excellent way to identify targets for account
> takeover: people who never logged in, and people who were in for endless
> days and therefore whose account was probably often unmonitored.
> 
> Now, I never knew whether I believed this sort of complaint, but it was
> one, and the draft as it stands only just hints at the sort of analysis
> that ought to be done.  It seems like this requires a much expanded
> security considerations section, and that was the point I wanted to make.

I can see those arguments against the traditional finger protocol.  At the
very least, one could determine which accounts have not changed passwords
since the last attack attempt.

For Webfinger, though, those same security issues do not exist.  It borrows
the concept of learning information about somebody (or something), but it's
certainly not exposing the same risks.

Further, whatever risks exist for Webfinger exist with RFC 6415, largely.
The acct URI, acct link relation, and use of CORS are two new
considerations, but everything else already exists.

So for the security considerations, we need to focus on those items.  I'm
happy to add whatever folks feel we should add.

Paul