Re: [apps-discuss] Webfinger discussion

Andrew Sullivan <ajs@anvilwalrusden.com> Mon, 26 March 2012 15:05 UTC

Date: Mon, 26 Mar 2012 11:05:57 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: apps-discuss@ietf.org
Message-ID: <20120326150556.GC3557@mail.yitter.info>
References: <053201cd0b5d$c08c80f0$41a582d0$@packetizer.com>
In-Reply-To: <053201cd0b5d$c08c80f0$41a582d0$@packetizer.com>
Subject: Re: [apps-discuss] Webfinger discussion

On Mon, Mar 26, 2012 at 10:35:54AM -0400, Paul E. Jones wrote:

> > Andrew Sullivan: when I was a kid, they told us to turn off finger, so I'm
> > concerned about security
> 
> That was due to the fact the finger protocol implementations had security
> holes.  It was also possible to do things like "ln /etc/password .plan" and
> that was a bad thing :-)

That wasn't the only reason they told us this.  One of the things that
people used to worry about was that finger leaked information.  In
particular, it was an excellent way to identify targets for account
takeover: people who never logged in, and people who were in for
endless days and therefore whose account was probably often
unmonitored.

Now, I never knew whether I believed this sort of complaint, but it
was one, and the draft as it stands only just hints at the sort of
analysis that ought to be done.  It seems like this requires a much
expanded security considerations section, and that was the point I
wanted to make.

Best,

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com