#tantek however note that the vote from Mozilla on the PR was for *approve* with or without suggested changes
#tantek so we can leave it to the Director to decide
#sandro Either we convince him, or we discuss it at sufficient length to convince ourselves he's definitely wrong.
#tantek technically I heard we were supposed to let the Director decide anyway before making any edits, but having an edited version incorporating editorial / non-normative comments gives the Director the option to use that draft for a REC
#aaronpk i'm confused about his comment. I think he means "source" here:
#aaronpk > I send you a webmention whose target is "https://intranet/"
#tantek I have not had the opportunity to follow up with hildjj since this latest misunderstanding
shepazu joined the channel
#tantek sandro, I can, because it doesn't describe the actual attack
#sandro I don't see any misunderstanding on his part. I think his concern is along the lines of the text Aaron added, but he doesn't think Aaron's text is nearly strong enough.
#tantek could also see if Web Security IG could take a quick look
#tantek sandro, the "easy" answer is that Pingback already allows this, since it also has similar link discovery and link checking
#tantek thus if this was really a problem, we should see evidence or some instance of WordPress etc being installed in an intranet showing this problem
#sandro Pingback also never made it to W3C Recommendation. I can't in good conscience recommend we proceed without giving Joe more of a chance to explain the attack he's thinking of.
#tantek since as far as we know, no such reports about Pingback have ever been made, I'm suspicious that there's an actual novel problem here
#tantek sandro, the stronger case is that Pingback is much more widely deployed, via WordPress etc.
#tantek that has much more bearing on relevance to security than whether or not it is a REC
#tantek attackers attack stuff that is deployed, not because it has a "W3C REC" label
#tantek so "never made it to W3C Recommendation" is not a relevant distinction from a security perspective
#sandro Maybe make that WordPress argument on issue 84?
#tantek anyway, that to me makes this extremely low risk
#tantek even with Webmention as a REC, any attackers that thought they discovered a hole here would absolutely target Pingback first (since that's what's deployed)
#sandro It seems reasonable that one might some day deploy webmention as application infrastructure, not just for blogging. That's always been my interest in it. And as such, it would have much more reason to be behind a firewall.
#tantek sandro, that seems like an investigate-and-fix-in-a-future-version kind of thing
#aaronpk the pingback argument is pretty solid tho. i'm sure there are plenty of blogs installed behind firewalls
#tantek since both the use case and threat is 100% theoretical currently
#tantek aaronpk: even more so with pingback and wordpress, the pingback endpoint is typically known / knowable a priori without discovery
#tantek because of wordpress's particular implementation
#aaronpk like sandro said, for this attack to even have a chance of working, someone would have to configure a server to listen on the public internet and *also* have access to other servers behind the firewall
#aaronpk which is a known red flag when setting up a server
shepazu joined the channel
#sandro My point is that one might be more likely to open a hole in the firewall for "W3C Webmention" than for WordPress, especially if it gets used in infrastructure. So the pingback-is-deployed-and-we've-heard-nothing is not persuasive to me.
#aaronpk webmention doesn't use a specific port, so you'd be opening the firewall for all web traffic, which seems like a stretch to say that someone would open the firewall just for webmention
#tantek when no one has done anything of the sort to date? (even implemented)
#sandro I think it's probably fine, but I don't see how we can be confident enough in that assessment to override as strong a statement of concern as that from hildjj.
#tantek sandro, this is how we can be confident IMO: (added to issue)
#tantek In summary, is there any evidence or any reasoning that demonstrates that Webmention is any more of an "attractive nuisance" than Pingback in this manner?
#tantek sandro, I also believe your example of "application infrastructure" is a bit of a stretch, since it is being published as a method of social web federation (frankly, as Pingback was)
#tantek I think it is reasonable to shift security burdens to new / novel users rather than try to anticipate all such so-far-unimplemented-uses
#tantek Though even that I would be more willing to consider if we didn't have the prior art / deployment of Pingback seeming to show that no actual threat models exist of that sort
#tantek sandro, it's worth discussing with the Director, again, within the context that this was not a f.o., but rather a "approves whether or not comments are incorporated"
#sandro Just double checked and it turns out this is academic. The deadline was 6 hours ago. "* December 14, 1200Z: Deadline for publication requests before moratorium" So we have time to sort this out with hildjj.
#tantek sandro, after all our attempts the past few weeks to determine deadlines and days before deadlines for publication, why are we only now finding out about this "December 14, 1200Z"
#tantek which is frankly not published anywhere either
#sandro I wasn't pushing Webmention because until the meeting yesterday it didn't look like we could make it. Then it looked like we could. I sent the official email.
#tantek why even put the misleading Dec 19 on the link text?
#sandro Then 4 minutes later, hildjj said No, and I'm like "hold on". That's where we are.
#sandro Feel free to complain about the title text -- that annoys me, too.
#tantek that's plumbing thinking, instead of ux thinking
#sandro Maybe there's some kind of weekend publication thing I don't know about.
#tantek thinking as the writer rather than who is going to be reading this text
#sandro ANYWAY, I think the important thing is to try to either get hildjj to sign off, or find some other process over the next two weeks to be clear his concern is overstated.
#tantek I have already complained about the date errors and poor communication (communicating Dec 19 or even a "fixed" Dec 16 in summary link text or email summary is useless to chairs because the *actual* deadline they needed to know was Dec 14 12:00Z)
#aaronpk is concerned that CORS is being thrown around as a magic solution without actually understanding the problem or how CORS actually is intended to work
#tantek so "why is CORS the wrong answer?" is itself the wrong question
#wseltzer if you can make the webserver access an intranet link, you can make it send, e.g., a crashing request to an internal gadget
#sandro I *think* I understand the question, and I think Aaron's responsive text is the best we reasonably do. CORS would be a stronger answer, but it's too strong to be practical. I explained this in my comment.
#wseltzer s/access an intranet link/send an intranet request/
#aaronpk wseltzer: no that is a previously discussed problem
#sandro I think: Issue-20 is tricking someone who mentions you into doing something. Issue-84 is tricking someone by sending them a special kind of mention.
#sandro Issue-20 seemed more dangerous to me, since people behind firewalls will certainly 'mention' things outside of firewalls. I don't see the issue-84 vector, since I don't see how you could POST inward through a firewall.
#csarven Oh, I really don't care about these academic formats and try to wing it. I try to stick to the pattern above and see how far it gets me. Adding the url even is not that common in most 'papers' that I see but I do it anyway because it actually ends up on my site
#csarven Those patterns are okay for folks that work with (La)TeX because they have BibTeX etc to help them out with. I don't use any of that.