Re: [Uri-review] ssh URI
On Tue, 2009-10-13 at 12:35 +0900, Conrad Parker wrote:
> 2009/10/13 David Booth <david at dbooth.org>:
> >
> > I was referring to the adoption rate for clients (such as browsers)
> > recognizing these new SSH URIs and using them for their intended
> > purpose. A browser encountering a URI beginning "ssh:..." will not be
> > able to do anything useful with it until it knows the special semantics
> > assigned to the "ssh:" prefix. But a browser encountering a URI
> > beginning "https://sshuri.org/..." could try to dereference that URI and
> > could be led to software that, once installed, *would* know to open an
> > SSH connection when encountering such a URI. This could dramatically
> > improve the rate at which browsers learn how to handle these SSH URIs.
> > Make sense?
>
> Encouraging end-users to download ssh client software from a random
> web site specified by a third-party web-page author, and then
> (automatically) using that software to connect to the desired ssh
> server ... and hoping that this is somehow secure by using an SSL/TLS
> connection to access that software?

It wouldn't be a random web site, it would be the official web site of
SSH URIs! That's no more random than mozilla.com or adobe.com, from
which software is routinely downloaded thousands of times a day.

>
> No, this does not make sense. It encourages use of untrusted ssh
> client software (e.g. not sourced from your operating system vendor,

That's a policy choice that should not be baked into the technical
design. Making the software more difficult to obtain is a minus, not a
plus.

> unsigned etc.)

Any such software certainly could and should be signed.

> so the scheme could be easily exploited by a third
> party to serve an ssh client with a backdoor.

That's no different than access to *any* web site. *Any* site can try
to serve up a trojan horse. But that doesn't mean that there isn't
value in visiting web sites and value in making information and software
more readily available with existing mechanisms.
David Booth
> Using https to access
> that info/software does nothing to secure the initiation of the ssh
> connection.
>
> If anything, ssh provides a good use-case for a custom uri scheme.
>
> Conrad.
>
>
--
David Booth, Ph.D.
Cleveland Clinic (contractor)
Opinions expressed herein are those of the author and do not necessarily
reflect those of Cleveland Clinic.