#social 2016-12-14

2016-12-14 UTC
tantek, timbl, shepazu, tantek_, tantek__, jasnell, KevinMarks2, KevinMarks, KjetilK_, Loqi_, KjetilK__, fabrixxm and timbl_ joined the channel
tantek joined the channel
sandro
tantek, aaronpk, did you notice hildjj does not consider his concern addressed? We can't reasonably proceed like this.
aaronpk
what's the path forward here?
tantek
sandro - saw that
tantek
however note that the vote from Mozilla on the PR was for *approve* with or without suggested changes
tantek
so we can leave it to the Director to decide
sandro
Either we convince him, or we discuss it at sufficient length to convince ourselves he's definitely wrong.
tantek
technically I heard we were supposed to let the Director decide anyway before making any edits, but having an edited version incorporating editorial / non-normative comments gives the Director the option to use that draft for a REC
aaronpk
i'm confused about his comment. I think he means "source" here:
aaronpk
> I send you a webmention whose target is "https://intranet/"
sandro
aaronpk, yes, I assume so
tantek
aaronpk: that's worth pointing out in the issue
tantek
just to make sure
tantek
since we have already had one iteration of misunderstanding
sandro
tantek, I think you're right as far as that goes, but I don't see how the director can ignore a comment like https://github.com/w3c/webmention/issues/84#issuecomment-266861708
tantek
I have not had the opportunity to follow up with hildjj since this latest misunderstanding
shepazu joined the channel
tantek
sandro, I can, because it doesn't describe the actual attack
sandro
I don't see any misunderstanding on his part. I think his concern is along the lines of the text Aaron added, but he doesn't think Aaron's text is nearly strong enough.
tantek
could also see if Web Security IG could take a quick look
tantek
sandro, the "easy" answer is that Pingback already allows this, since it also has similar link discovery and link checking
tantek
thus if this was really a problem, we should see evidence or some instance of WordPress etc being installed in an intranet showing this problem
sandro
Pingback also never made it to W3C Recommendation. I can't in good conscience recommend we proceed without giving Joe more of a chance to explain the attack he's thinking of.
tantek
since as far as we know, no such reports about Pingback have ever been made, I'm suspicious that there's an actual novel problem here
tantek
sandro, the stronger case is that Pingback is much more widely deployed, via WordPress etc.
tantek
that has much more bearing on relevance to security than whether or not it is a REC
tantek
attackers attack stuff that is deployed, not because it has a "W3C REC" label
tantek
so "never made it to W3C Recommendation" is not a relevant distinction from a security perspective
sandro
Maybe make that WordPress argument on issue 84?
tantek
sandro, done
tantek
anyway, that to me makes this extremely low risk
tantek
even with Webmention as a REC, any attackers that thought they discovered a hole here would absolutely target Pingback first (since that's what's deployed)
sandro
It seems reasonable that one might some day deploy webmention as application infrastructure, not just for blogging. That's always been my interest in it. And as such, it would have much more reason to be behind a firewall.
tantek
sandro, that seems like an investigate-and-fix-in-a-future-version kind of thing
aaronpk
the pingback argument is pretty solid tho. i'm sure there are plenty of blogs installed behind firewalls
tantek
since both the use case and threat is 100% theoretical currently
tantek
aaronpk: even more so with pingback and wordpress, the pingback endpoint is typically known / knowable a priori without discovery
tantek
because of wordpress's particular implementation
tantek
thus attackers could just directly target the pingback endpoint of a wp install behind a firewall as well
tantek
and even then we are not seeing this
aaronpk
like sandro said, for this attack to even have a chance of working, someone would have to configure a server to listen on the public internet and *also* have access to other servers behind the firewall
aaronpk
which is a known red flag when setting up a server
shepazu joined the channel
sandro
My point is that one might be more likely to open a hole in the firewall for "W3C Webmention" than for WordPress, especially if it gets used in infrastructure. So the pingback-is-deployer-and-we've-heard-nothing is not persuasive to me.
sandro
s/deployer/deployed/
tantek
why do you think it is more likely?
aaronpk
webmention doesn't use a specific port, so you'd be opening the firewall for all web traffic, which seems like a stretch to say that someone would open the firewall just for webmention
tantek
when no one has done anything of the sort to date? (even implemented)
sandro
I think it's probably fine, but I don't see how we can be confident enough in that assessment to override as strong a statement of concern as that from hildjj.
tantek
sandro, this is how we can be confident IMO: (added to issue)
tantek
In summary, is there any evidence or any reasoning that demonstrates that Webmention is any more of an "attractive nuisance" than Pingback in this manner?
sandro
I think it'
tantek
sandro, I also believe your example of "application infrastructure" is a bit of a stretch, since it is being published as a method of social web federation (frankly, as Pingback was)
tantek
I think it is reasonable to shift security burdens to new / novel users rather than try to anticipate all such so-far-unimplemented-uses
tantek
Though even that I would be more willing to consider if we didn't have the prior art / deployment of Pingback seeming to show that no actual threat models exist of that sort
tantek
sandro, it's worth discussing with the Director, again, within the context that this was not a f.o., but rather a "approves whether or not comments are incorporated"
sandro
Just double checked and it turns out this is academic. The deadline was 6 hours ago. " * December 14, 1200Z: Deadline for publication requests before moratorium " So we have time to sort this out with hildjj.
tantek
aw shucks, no REC for this year :(
tantek
sandro, after all our attempts the past few weeks to determine deadlines and days before deadlines for publication, why are we only now finding out about this "December 14, 1200Z"
tantek
which is frankly not published anywhere either
tantek
that's kind of unacceptable
tantek
because it's not like we were not asking, repeatedly
sandro
It's published at https://www.w3.org/Guide/ and in email to chairs@w3.org on 8 April and 5 December.
sandro
And Amy was carefully watching it for getting AS2 CR2 out.
shepazu joined the channel
tantek
sigh, https://www.w3.org/Guide/ says Dec 19. not til you click *and then read to the bottom* is there the Dec 14 12:00Z text
tantek
that's quite buried
sandro
I wasn't pushing Webmention because until the meeting yesterday it didn't look like we could make it. Then it looked like we could. I sent the official email.
tantek
why even put the misleading Dec 19 on the link text?
sandro
Then 4 minutes later, hildjj said No, and I'm like "hold on". That's where we are.
sandro
Feel free to complain about the title text -- that annoys me, too.
tantek
yeah I get that
aaronpk
why did i have Dec 15th on my calendar?
tantek
also it's kind of ridiculous to have a 4 day inexplicable gap between "last publications" and "no publications"
sandro
December 14, 1200Z: Deadline for publication requests before moratorium
sandro
December 19 - Jan 1: No publications
sandro
December 15: Last publications before moratorium
sandro
January 3, 2017: Publications resume
sandro
It's a bit goofy.
tantek
aaronpk, because that's the last day that the pub team would publish something, which requires them to have it staged the day before
tantek
right, that makes very little sense
tantek
why it says 19 instead of 16
sandro
I don't understand wtf Dec 16, 17, and 18 are.
aaronpk
weekend?
tantek
that's plumbing thinking, instead of ux thinking
sandro
Maybe there's some kind of weekend publication thing I don't know about.
tantek
thinking as the writer rather than who is going to be reading this text
sandro
ANYWAY, I think the important thing is to try to either get hildjj to sign off, or find some other process over the next two weeks to be clear his concern is overstated.
sandro
The former being far easier, I hope.
tantek
well that's all we can do
tantek
I have already complained about the date errors and poor communication (communicating Dec 19 or even a "fixed" Dec 16 in summary link text or email summary is useless to chairs because the *actual* deadline they needed to know was Dec 14 12:00Z)
tantek
complained directly to head of W3C comms
sandro
*nod*
tantek
because that's a process error that should not happen again
tantek
is still in a bit of AB state of mind having just returned from a 2 day AB f2f
sandro
I think Dec 15 would be okay, too, since at this point everyone knows they need pubreqs to be in the day before.
sandro
But yeah
tantek
sandro, "the day before" != 12:00Z
sandro
I suspect it is, somewhere in the publication rules, but I don't recall.
tantek
so Dec 15 would only be ok, if the staging deadline was Dec 14 23:59
aaronpk
also what timezone?
aaronpk
i always get confused about whether the deadlines are UTC or Eastern
tantek
(presumably at least 23:59 East Coast time since that's when WBS polls e.g. charter / PR reviews expire)
wseltzer
is looking into the security considerations; why is CORS the wrong answer?
tantek
wseltzer: do you even understand the question? (supposed threat model)
tantek
because none of us do
tantek
without understanding the question, no answer can be claimed to be the correct answer
tantek
CORS or otherwise
aaronpk
is concerned that CORS is being thrown around as a magic solution without actually understanding the problem or how CORS actually is intended to work
tantek
so "why is CORS the wrong answer?" is itself the wrong question
wseltzer
if you can make the webserver access an intranet link, you can make it send, e.g., a crashing request to an internal gadget
sandro
I *think* I understand the question, and I think Aaron's responsive text is the best we reasonably do. CORS would be a stronger answer, but it's too strong to be practical. I explained this in my comment.
wseltzer
s/access an intranet link/send an intranet request/
aaronpk
wseltzer: no that is a previously discussed problem
tantek
wseltzer: thank you for looking at this
sandro
I think: Issue-20 is tricking someone who mentions you into doing something. Issue-84 is tricking someone by sending them a special kind of mention.
sandro
Issue-20 seemed more dangerous to me, since people behind firewalls will certainly 'mention' things outside of firewalls. I don't see the issue-84 vector, since I don't see how you could POST inward through a firewall.
aaronpk
issue 84 requires that a machine is on both the public internet and inside a firewall
trackbot
doesn't understand that ISSUE command.
aaronpk
thanks trackbot
wseltzer
thanks aaronpk
wseltzer
right, 84 is about gaining access to and publishing something to which the attacker doesn't otherwise have access
wseltzer
if I read it right
wseltzer
which is the problem CORS is designed against
shepazu, jasnell and KevinMarks joined the channel
Loqi
[Aaron Parecki] Webmention
Loqi
[Christopher Allan Webber] ActivityPub
csarven
hmm, I thought there was more to the citations from Loqi
csarven
ok, to specref I go
tantek
csarven, what type of citation were you looking for?
csarven
Just academic stylish.. but the ones in w3c specs is fine too
csarven
authors, title, year, url
tantek
I tried to document some of that ("academic stylish") but didn't really find one I liked. In case it helps: http://microformats.org/wiki/citation-formats#styles
Loqi
Citation Formats
csarven
Oh, I really don't care about these academic formats and try to wing it. I try to stick to the pattern above and see how far it gets me. Adding the url even is not that common in most 'papers' that I see but I do it anyway because it actually ends up on my site
csarven
Those patterns are okay for folks that work with (La)TeX because they have BibTeX etc to help them out with. I don't use any of that..
csarven
tantek Check out this 42 second screencast as to what dokieli is up to: https://dokie.li/#figure-dokieli-citation
csarven
Traditional paper based stuff is dead end.. and people still beat around the bush.
jasnell and shepazu joined the channel