IETF Logo Mail Archive

Re: [Uri-review] ssh URI

Conrad Parker <conrad@annodex.net> Tue, 13 October 2009 03:35 UTC

Return-Path: <conrad.parker@gmail.com>
X-Original-To: uri-review@core3.amsl.com
Delivered-To: uri-review@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ABACE3A698B for <uri-review@core3.amsl.com>; Mon, 12 Oct 2009 20:35:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.488
X-Spam-Level:
X-Spam-Status: No, score=-0.488 tagged_above=-999 required=5 tests=[BAYES_05=-1.11, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fr8sbXA6JJGJ for <uri-review@core3.amsl.com>; Mon, 12 Oct 2009 20:35:27 -0700 (PDT)
Received: from mail-yw0-f189.google.com (mail-yw0-f189.google.com [209.85.211.189]) by core3.amsl.com (Postfix) with ESMTP id E378D3A6844 for <uri-review@ietf.org>; Mon, 12 Oct 2009 20:35:26 -0700 (PDT)
Received: by ywh27 with SMTP id 27so2765146ywh.31 for <uri-review@ietf.org>; Mon, 12 Oct 2009 20:35:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:received:in-reply-to :references:date:x-google-sender-auth:message-id:subject:from:to:cc :content-type:content-transfer-encoding; bh=tw8hI698Hzv9bsFoYEqxOUkudhdU3i04azKCYMBrEYA=; b=b15YyPYlrv/fm9UEuGOcCqu5mfa+l58DcmwH684aVclnjM5BIyAcDF4ngVi3K5OvJY RAcRFc2vxjVyGi4wdraQzSSSXtfJlKIH+2xX9TEH8DbSwAk2CE5RtmejJL2y2ai8YdvD qldZv0nhME9zR2RntcYFtPcCLszthQHcak8rU=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type :content-transfer-encoding; b=ma4OYohxXZUVVH1JgPmjMCt72nNq3jU4KTiVqpYNGYp/4YSEf/tLyewDzUQx4eNzAj Mr5rG8ddNKKx1Brp99V40vktweNIQV5AeEikEkYs+B4A/bsPHhoWHlDac6U+kLOlo36i b95UjNpmo2V4wVqwEs8LCl5zw7ovxp6Zd/oG4=
MIME-Version: 1.0
Sender: conrad.parker@gmail.com
Received: by 10.91.28.9 with SMTP id f9mr4066626agj.89.1255404925086; Mon, 12 Oct 2009 20:35:25 -0700 (PDT)
In-Reply-To: <1255395156.5481.10083.camel@dbooth-laptop>
References: <20091009160149.GB16908@braingia.org> <1255366894.5481.8445.camel@dbooth-laptop> <5EAB4D387A4A4B7C854FBD1869729771@POCZTOWIEC> <1255395156.5481.10083.camel@dbooth-laptop>
Date: Tue, 13 Oct 2009 12:35:25 +0900
X-Google-Sender-Auth: 41a1dcf8c348aa53
Message-ID: <dba6c0830910122035t79122212qb9fa3d1ea38ab909@mail.gmail.com>
From: Conrad Parker <conrad@annodex.net>
To: David Booth <david@dbooth.org>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailman-Approved-At: Tue, 13 Oct 2009 08:06:42 -0700
Cc: uri-review@ietf.org, uri@w3.org
Subject: Re: [Uri-review] ssh URI
X-BeenThere: uri-review@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Proposed URI Schemes <uri-review.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/uri-review>, <mailto:uri-review-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uri-review>
List-Post: <mailto:uri-review@ietf.org>
List-Help: <mailto:uri-review-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uri-review>, <mailto:uri-review-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Oct 2009 03:59:59 -0000

2009/10/13 David Booth <david@dbooth.org>:
>
> I was referring to the adoption rate for clients (such as browsers)
> recognizing these new SSH URIs and using them for their intended
> purpose.  A browser encountering a URI beginning "ssh:..." will not be
> able to do anything useful with it until it knows the special semantics
> assigned to the "ssh:" prefix.  But a browser encountering a URI
> beginning "https://sshuri.org/..." could try to dereference that URI and
> could be led to software that, once installed, *would* know to open an
> SSH connection when encountering such a URI.  This could dramatically
> improve the rate at which browsers learn how to handle these SSH URIs.
> Make sense?

Encouraging end-users to download ssh client software from a random
web site specified by a third-party web-page author, and then
(automatically) using that software to connect to the desired ssh
server ... and hoping that this is somehow secure by using an SSL/TLS
connection to access that software?

No, this does not make sense. It encourages use of untrusted ssh
client software (eg. not sourced from your operating system vendor,
unsigned etc.) so the scheme could be easily exploited by a third
party to serve an ssh client with a backdoor. Using https to access
that info/software does nothing to secure the initiation of the ssh
connection.

If anything, ssh provides a good use-case for a custom uri scheme.

Conrad.

v2.23.0 | Report a Bug | By Email