Re: Standardizing Firefox's Implementation of Link Fingerprints
Dave Crocker <dhc@dcrocker.net> Tue, 03 July 2007 00:44 UTC
Return-path: <discuss-bounces@apps.ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com)
by megatron.ietf.org with esmtp (Exim 4.43)
id 1I5WVl-0008V6-EE; Mon, 02 Jul 2007 20:44:57 -0400
Received: from discuss by megatron.ietf.org with local (Exim 4.43)
id 1I5WVk-0008Pj-7m for discuss-confirm+ok@megatron.ietf.org;
Mon, 02 Jul 2007 20:44:56 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org)
by megatron.ietf.org with esmtp (Exim 4.43) id 1I5WVj-0008Pb-UQ
for discuss@apps.ietf.org; Mon, 02 Jul 2007 20:44:55 -0400
Received: from sb7.songbird.com ([208.184.79.137])
by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1I5WVc-0006eI-Ov
for discuss@apps.ietf.org; Mon, 02 Jul 2007 20:44:55 -0400
Received: from [192.168.0.3] (adsl-67-127-58-184.dsl.pltn13.pacbell.net
[67.127.58.184]) (authenticated bits=0)
by sb7.songbird.com (8.12.11.20060308/8.12.11) with ESMTP id
l630iUv2024106
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
Mon, 2 Jul 2007 17:44:33 -0700
Message-ID: <46899BA5.4000401@dcrocker.net>
Date: Mon, 02 Jul 2007 17:43:17 -0700
From: Dave Crocker <dhc@dcrocker.net>
Organization: Brandenburg InternetWorking
User-Agent: Thunderbird 2.0.0.4 (Windows/20070604)
MIME-Version: 1.0
To: Edward Lee <edilee@mozilla.com>
Subject: Re: Standardizing Firefox's Implementation of Link Fingerprints
References: <dc07ed930707021624h25cb377dm1feb52d4dc02c2a8@mail.gmail.com>
In-Reply-To: <dc07ed930707021624h25cb377dm1feb52d4dc02c2a8@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-SongbirdInformation: support@songbird.com for more information
X-Songbird: Clean
X-Songbird-From: dhc@dcrocker.net
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 2409bba43e9c8d580670fda8b695204a
Cc: discuss@apps.ietf.org
X-BeenThere: discuss@apps.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: dcrocker@bbiw.net
List-Id: general discussion of application-layer protocols
<discuss.apps.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/discuss>,
<mailto:discuss-request@apps.ietf.org?subject=unsubscribe>
List-Post: <mailto:discuss@apps.ietf.org>
List-Help: <mailto:discuss-request@apps.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/discuss>,
<mailto:discuss-request@apps.ietf.org?subject=subscribe>
Errors-To: discuss-bounces@apps.ietf.org
Edward Lee wrote: > For Firefox 3, there are patches [1] that implement Link Fingerprints, > which provide automatic resource verification for URIs that look like > http://site.com/file#hash(sha256:abc123) so that link providers can be > sure that end users download the exact file that the provider intended > (and not a trojaned download). Although this sounds like an entirely reasonable option to add to URLs, I'm curious just how much of a problem there is with downloads that are trojaned using the correct domain name? For this hashing to be useful, it means that either my client needs to land on a surrogate machine or the correct machine needs to be compromised. In either case, the hashing would seem to be useful, on the theory that the hash value is vetted when it is developed and is then distributed through an uncompromised path. I'm merely curious how big a problem any of this currently is? d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net
- Standardizing Firefox's Implementation of Link Fi… Edward Lee
- Re: Standardizing Firefox's Implementation of Lin… Dave Crocker
- Re: Standardizing Firefox's Implementation of Lin… Edward Lee
- Re: Standardizing Firefox's Implementation of Lin… Dave Crocker
- Re: Standardizing Firefox's Implementation of Lin… Keith Moore
- Re: Standardizing Firefox's Implementation of Lin… Philip Guenther
- Re: Standardizing Firefox's Implementation of Lin… Simon Josefsson
- Re: Standardizing Firefox's Implementation of Lin… Harald Tveit Alvestrand