Re: [DNSOP] Status of "let localhost be localhost"?

[Richard Barnes <rlb@ipv.sx>]

On Wed, Aug 2, 2017 at 9:18 AM, Richard Barnes <rlb@ipv.sx> wrote:

>
>
> On Wed, Aug 2, 2017 at 9:10 AM, Ted Lemon <mellon@fugue.com> wrote:
>
>> On Aug 2, 2017, at 9:02 AM, Richard Barnes <rlb@ipv.sx> wrote:
>>
>> But of course having IP addresses in URLs is both a PITA for developers
>> and an anti-pattern more generally.
>>
>>
>> While true, I would argue that this is actually a problem.   E.g., I
>> actually literally cannot surf to a link-local URL without having a DNS
>> record for it, because http://[
>> <http://%5Bfe80::1806:ec37:3d5f:9580%25en0%5D/>fe80::1806:ec37:3d5f:9
>> 580%en0]/ <http://%5Bfe80::1806:ec37:3d5f:9580%25en0%5D/> has an
>> interface identifier in it, and modern browsers consider this an
>> anti-pattern, I guess.   And you don't want to put link-local addresses in
>> DNS, even if it made sense to do so, so what is one to do?   I'm not
>> convinced that this anti-pattern is the wrong anti-pattern, but here we
>> have two examples of it being problematic, in the least.
>>
>> If "localhost" were properly defined to be loopback, then applications
>> could just hard-wire resolution, and not depend on the good graces of the
>> platform resolver.  As, for example, Firefox does with ".onion" today:
>>
>>
>> Right.   But there was actually a long discussion on why that's
>> problematic when we were doing the .onion RFC.   The reason is that one
>> can't count on any particular piece of application software correctly
>> interpreting the rightmost label.   We can write RFCs encouraging it, but
>> if I am writing a URL into a piece of HTML, I have no idea whether the
>> thing that interprets the HTML will or will not do the right thing.
>>
>
> The point you're missing here is that the application is both the thing
> relying on the definition of "localhost" and the thing empowered to enforce
> the RFC.  If the application doesn't care whether "localhost" resolves to
> anything special, then it can pass it to the platform and take its
> chances.  If it does, it can hard-wire it to loopback.
>

To address the concerns of HTML authors here:

As with any change to web semantics, this introduces a challenge for web
developers because different versions of browsers will interpret things
differently.  For example, if the W3C Secure Contexts spec changes to treat
"localhost" URLs as secure, and browsers implement that, then if you load "
http://localhost" in a new browser, it will be get access to certain APIs
that it wouldn't on earlier versions.

Two points here:

1. It's up to the browsers to make this transition fail safe, in the sense
that if you write code that depends on "localhost" being secure, then your
code will break if the browser is not going to ensure that "localhost" is
loopback.  This is what the Secure Contexts spec is for, and the gist of my
comments above.

2. Web developers have to deal with this sort of incompatibility all the
time anyway, because their sites are accessed by many different browsers
with different capabilities.

In other words, there's only breakage risk here (not security risk), only
for new things, and not any worse than web developers already have to deal
with.

And based on the feedback from web developers so far, the risk of breakage
is strongly preferred to the pain of hard-coding IP addresses.

--Richard




>
>> We just accept that as a risk with .onion because we don't have a better
>> option, but for localhost we definitely do have a better option.   That's
>> all I'm saying.
>>
>
> Using IP addresses is not a better option.
>
> --Richard
>