[giow] (0) Add a spec for http+aes:// and https+aes:// to allow sensitive resources to be held on untrusted servers.

Affected topics: HTML, Security

git-svn-id: http://svn.whatwg.org/webapps@7012 340c8d12-0b0e-0410-8428-c7bf67bfef74
Hixie committed Mar 2, 2012
1 parent 4d9dce8 commit 2f0ac95
Showing 3 changed files with 383 additions and 6 deletions.
128 changes: 125 additions & 3 deletions complete.html
Expand Up @@ -240,7 +240,7 @@

<header class=head id=head><p><a class=logo href=http://www.whatwg.org/><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
<hgroup><h1 class=allcaps>HTML</h1>
<h2 class="no-num no-toc">Living Standard &mdash; Last Updated 29 February 2012</h2>
<h2 class="no-num no-toc">Living Standard &mdash; Last Updated 2 March 2012</h2>
</hgroup><dl><dt><strong>Web developer edition:</strong></dt>
<dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
<dt>Multiple-page version:</dt>
Expand Down Expand Up @@ -1323,7 +1323,9 @@ <h2 class="no-num no-toc">Living Standard &mdash; Last Updated 29 February 2012<
<li><a href=#application/microdata+json><span class=secno>16.7 </span><code>application/microdata+json</code></a></li>
<li><a href=#ping-from><span class=secno>16.8 </span><code>Ping-From</code></a></li>
<li><a href=#ping-to><span class=secno>16.9 </span><code>Ping-To</code></a></li>
<li><a href=#web+-scheme-prefix><span class=secno>16.10 </span><code>web+</code> scheme prefix</a></ol></li>
<li><a href=#http+aes-scheme><span class=secno>16.10 </span><code>http+aes</code> scheme</a></li>
<li><a href=#https+aes-scheme><span class=secno>16.11 </span><code>https+aes</code> scheme</a></li>
<li><a href=#web+-scheme-prefix><span class=secno>16.12 </span><code>web+</code> scheme prefix</a></ol></li>
<li><a class=no-num href=#index>Index</a>
<ol>
<li><a class=no-num href=#elements-1>Elements</a></li>
Expand Down Expand Up @@ -94738,7 +94740,127 @@ <h3 id=ping-from><span class=secno>16.8 </span><dfn title=http-ping-from><code>P
</dd>
<dt>Related information:</dt>
<dd>None.</dd>
</dl><!--PING--><h3 id=web+-scheme-prefix><span class=secno>16.10 </span><dfn title=scheme-web><code>web+</code> scheme prefix</dfn></h3>
</dl><!--PING--><h3 id=http+aes-scheme><span class=secno>16.10 </span><dfn title=scheme-http+aes><code>http+aes</code> scheme</dfn></h3>

<p>This section describes a URL scheme registration for the IANA URI
scheme registry. <a href=#refsRFC4395>[RFC4395]</a></p>

<dl><dt>URI scheme name:</dt>
<dd><code title="">http+aes</code></dd>
<dt>Status:</dt>
<dd>permanent</dd>
<dt>URI scheme syntax:</dt>
<dd>Same as <code title="">http</code>, with the <code title="">userinfo</code> component instead used for specifying the
decryption key. (This key is provided in the form of 16, 24, or 32
bytes encoded as ASCII and escaped as necessary using the URL
escape mechanism; it is not in the "username:password" form, and
the ":" character is not special in this component when using this
scheme.)</dd>
<dt>URI scheme semantics:</dt>
<dd>Same as <code title="">http</code>, except that the message
body must be decrypted by applying the AES-CTR algorithm using the
key specified in the URL's <code title="">userinfo</code>
component, after unescaping it from the URL syntax to bytes. If
there is no such component, or if that component, when unescaped
from the URL syntax to bytes, does not consist of exactly 16, 24,
or 32 bytes, then the user agent must act as if the resource could
not be obtained due to a network error, and may report the problem
to the user.</dd>
<dt>Encoding considerations:</dt>
<dd>Same as <code title="">http</code>, but the <code title="">userinfo</code> component represents bytes encoded using
ASCII and the URL escape mechanism.</dd>
<dt>Applications/protocols that use this URI scheme name:</dt>
<dd>Same as <code title="">http</code>.</dd>
<dt>Interoperability considerations:</dt>
<dd>Same as <code title="">http</code>, but specifically for
private resources that are hosted by untrusted intermediary servers
as in a content delivery network.</dd>
<!--ADD-TOPIC:Security-->
<dt>Security considerations:</dt>
<dd>
<p>URLs using this scheme contain sensitive information (the key
used to decrypt the referenced content) and as such should be
handled with care, e.g. only sent over TLS-encrypted connections,
and only sent to users who are authorized to access the encrypted
content.</p>
<p>User agents are encouraged to not show the key in user
interface elements where the URL is displayed: first, it's ugly
and not useful to the user; and second, it could be used to
obscure the domain name.</p>
<p>The <code title="">http+aes</code> URL scheme only enables the
<em>content</em> of a particular resource to be encrypted. Any
sensitive information held in HTTP headers is still transmitted in
the clear. The length of the resource is still visible. The rate
at which the data is transmitted is also unobscured. The name of
the resource is not hidden. If this scheme is used to obscure
private information, it is important to consider how these side
channels might leak information.</p>
<p class=example>For example, the length of a file containing
only the user's age in seconds encoded in ASCII would easily let
an attacker watching the network traffic or with access to the
system hosting the files determine if the user was less than 3
years old, less than 30 years old, or more than 30 years old, just
from the length of the file. Padding the file to ten digits
(either with trailing spaces or leading zeros) would make all ages
from zero to three hundred indistinguishable.</p>
<p class=example>Another example would be the file name.
Consider a bank where each user first downloads a "data.json"
file, which points to some other files for more data, such that
users in debt download a "debt.json" file while users in credit
download a "credit.json" file. In such a scenario, users can be
categorised by an attacker watching network traffic or with access
to the system hosting the files without the attacker ever having
to decrypt the "data.json" files.</p>
<p>The security considerations that apply to <code title="">http</code> apply as well.</p>
</dd>
<!--REMOVE-TOPIC:Security-->
<dt>Contact:</dt>
<dd>Ian Hickson &lt;ian@hixie.ch&gt;</dd>
<dt>Author/Change controller:</dt>
<dd>Ian Hickson &lt;ian@hixie.ch&gt;</dd>
<dt>References:</dt>
<dd>
The <code title="">http</code> URL scheme is defined in:
<a href=http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging>http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging</a>
</dd>
</dl><h3 id=https+aes-scheme><span class=secno>16.11 </span><dfn title=scheme-https+aes><code>https+aes</code> scheme</dfn></h3>

<p>This section describes a URL scheme registration for the IANA URI
scheme registry. <a href=#refsRFC4395>[RFC4395]</a></p>

<dl><dt>URI scheme name:</dt>
<dd><code title="">https+aes</code></dd>
<dt>Status:</dt>
<dd>permanent</dd>
<dt>URI scheme syntax:</dt>
<dd>Same as <code title="">http+aes</code>.</dd>
<dt>URI scheme semantics:</dt>
<dd>Same as <code title="">http+aes</code>.</dd>
<dt>Encoding considerations:</dt>
<dd>Same as <code title="">http+aes</code>.</dd>
<dt>Applications/protocols that use this URI scheme name:</dt>
<dd>Same as <code title="">https</code>.</dd>
<dt>Interoperability considerations:</dt>
<dd>Same as <code title="">https</code>, but specifically for
private resources that are hosted by untrusted intermediary servers
as in a content delivery network.</dd>
<!--ADD-TOPIC:Security-->
<dt>Security considerations:</dt>
<dd>
<p>The security considerations that apply to <code title="">http+aes</code> and <code title="">https</code> apply as
well.</p>
</dd>
<!--REMOVE-TOPIC:Security-->
<dt>Contact:</dt>
<dd>Ian Hickson &lt;ian@hixie.ch&gt;</dd>
<dt>Author/Change controller:</dt>
<dd>Ian Hickson &lt;ian@hixie.ch&gt;</dd>
<dt>References:</dt>
<dd>
The <code title="">https</code> URL scheme is defined in:
<a href=http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging>http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging</a>
</dd>
</dl><h3 id=web+-scheme-prefix><span class=secno>16.12 </span><dfn title=scheme-web><code>web+</code> scheme prefix</dfn></h3>

<p>This section describes a convention for use with the IANA URI
scheme registry. It does not itself register a specific scheme. <a href=#refsRFC4395>[RFC4395]</a></p>
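Review bot: the "URI scheme semantics" entry ("the message body must be decrypted by applying the AES-CTR algorithm using the key specified in the URL's userinfo component") fixes the cipher and the key but never fixes the CTR counter block (nonce and initial counter value), so two conforming user agents have no guarantee of decrypting the same bytes to the same plaintext, and an implementer who picks a constant counter makes every resource encrypted under the same key leak the XOR of its plaintext with the others. Spell out the counter construction (for example a per-resource nonce carried at the start of the body) and say whether a key may be reused across resources. Second, CTR mode is confidentiality-only: the "Interoperability considerations" entry aims the scheme at "private resources that are hosted by untrusted intermediary servers", yet such a server can flip chosen bits of the decrypted body without the user agent noticing; either require an authenticated mode or add a sentence to "Security considerations" stating that integrity is not provided. Third, nothing in the syntax or semantics entries says the userinfo component is removed before the request is sent; since the key is the whole secret, "the key must not be transmitted to the server" (nor placed in Referer or history) should be a stated requirement rather than left to "Same as http". Minor: the 16, 24 or 32 byte lengths imply AES-128, AES-192 and AES-256 respectively, but the mapping is never written down.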
128 changes: 125 additions & 3 deletions index
Expand Up @@ -240,7 +240,7 @@

<header class=head id=head><p><a class=logo href=http://www.whatwg.org/><img alt=WHATWG height=101 src=/images/logo width=101></a></p>
<hgroup><h1 class=allcaps>HTML</h1>
<h2 class="no-num no-toc">Living Standard &mdash; Last Updated 29 February 2012</h2>
<h2 class="no-num no-toc">Living Standard &mdash; Last Updated 2 March 2012</h2>
</hgroup><dl><dt><strong>Web developer edition:</strong></dt>
<dd><strong><a href=http://developers.whatwg.org/>http://developers.whatwg.org/</a></strong></dd>
<dt>Multiple-page version:</dt>
Expand Down Expand Up @@ -1323,7 +1323,9 @@
<li><a href=#application/microdata+json><span class=secno>16.7 </span><code>application/microdata+json</code></a></li>
<li><a href=#ping-from><span class=secno>16.8 </span><code>Ping-From</code></a></li>
<li><a href=#ping-to><span class=secno>16.9 </span><code>Ping-To</code></a></li>
<li><a href=#web+-scheme-prefix><span class=secno>16.10 </span><code>web+</code> scheme prefix</a></ol></li>
<li><a href=#http+aes-scheme><span class=secno>16.10 </span><code>http+aes</code> scheme</a></li>
<li><a href=#https+aes-scheme><span class=secno>16.11 </span><code>https+aes</code> scheme</a></li>
<li><a href=#web+-scheme-prefix><span class=secno>16.12 </span><code>web+</code> scheme prefix</a></ol></li>
<li><a class=no-num href=#index>Index</a>
<ol>
<li><a class=no-num href=#elements-1>Elements</a></li>
Expand Down Expand Up @@ -94738,7 +94740,127 @@ if (s = prompt('What is your name?')) {
</dd>
<dt>Related information:</dt>
<dd>None.</dd>
</dl><!--PING--><h3 id=web+-scheme-prefix><span class=secno>16.10 </span><dfn title=scheme-web><code>web+</code> scheme prefix</dfn></h3>
</dl><!--PING--><h3 id=http+aes-scheme><span class=secno>16.10 </span><dfn title=scheme-http+aes><code>http+aes</code> scheme</dfn></h3>

<p>This section describes a URL scheme registration for the IANA URI
scheme registry. <a href=#refsRFC4395>[RFC4395]</a></p>

<dl><dt>URI scheme name:</dt>
<dd><code title="">http+aes</code></dd>
<dt>Status:</dt>
<dd>permanent</dd>
<dt>URI scheme syntax:</dt>
<dd>Same as <code title="">http</code>, with the <code title="">userinfo</code> component instead used for specifying the
decryption key. (This key is provided in the form of 16, 24, or 32
bytes encoded as ASCII and escaped as necessary using the URL
escape mechanism; it is not in the "username:password" form, and
the ":" character is not special in this component when using this
scheme.)</dd>
<dt>URI scheme semantics:</dt>
<dd>Same as <code title="">http</code>, except that the message
body must be decrypted by applying the AES-CTR algorithm using the
key specified in the URL's <code title="">userinfo</code>
component, after unescaping it from the URL syntax to bytes. If
there is no such component, or if that component, when unescaped
from the URL syntax to bytes, does not consist of exactly 16, 24,
or 32 bytes, then the user agent must act as if the resource could
not be obtained due to a network error, and may report the problem
to the user.</dd>
<dt>Encoding considerations:</dt>
<dd>Same as <code title="">http</code>, but the <code title="">userinfo</code> component represents bytes encoded using
ASCII and the URL escape mechanism.</dd>
<dt>Applications/protocols that use this URI scheme name:</dt>
<dd>Same as <code title="">http</code>.</dd>
<dt>Interoperability considerations:</dt>
<dd>Same as <code title="">http</code>, but specifically for
private resources that are hosted by untrusted intermediary servers
as in a content delivery network.</dd>
<!--ADD-TOPIC:Security-->
<dt>Security considerations:</dt>
<dd>
<p>URLs using this scheme contain sensitive information (the key
used to decrypt the referenced content) and as such should be
handled with care, e.g. only sent over TLS-encrypted connections,
and only sent to users who are authorized to access the encrypted
content.</p>
<p>User agents are encouraged to not show the key in user
interface elements where the URL is displayed: first, it's ugly
and not useful to the user; and second, it could be used to
obscure the domain name.</p>
<p>The <code title="">http+aes</code> URL scheme only enables the
<em>content</em> of a particular resource to be encrypted. Any
sensitive information held in HTTP headers is still transmitted in
the clear. The length of the resource is still visible. The rate
at which the data is transmitted is also unobscured. The name of
the resource is not hidden. If this scheme is used to obscure
private information, it is important to consider how these side
channels might leak information.</p>
<p class=example>For example, the length of a file containing
only the user's age in seconds encoded in ASCII would easily let
an attacker watching the network traffic or with access to the
system hosting the files determine if the user was less than 3
years old, less than 30 years old, or more than 30 years old, just
from the length of the file. Padding the file to ten digits
(either with trailing spaces or leading zeros) would make all ages
from zero to three hundred indistinguishable.</p>
<p class=example>Another example would be the file name.
Consider a bank where each user first downloads a "data.json"
file, which points to some other files for more data, such that
users in debt download a "debt.json" file while users in credit
download a "credit.json" file. In such a scenario, users can be
categorised by an attacker watching network traffic or with access
to the system hosting the files without the attacker ever having
to decrypt the "data.json" files.</p>
<p>The security considerations that apply to <code title="">http</code> apply as well.</p>
</dd>
<!--REMOVE-TOPIC:Security-->
<dt>Contact:</dt>
<dd>Ian Hickson &lt;ian@hixie.ch&gt;</dd>
<dt>Author/Change controller:</dt>
<dd>Ian Hickson &lt;ian@hixie.ch&gt;</dd>
<dt>References:</dt>
<dd>
The <code title="">http</code> URL scheme is defined in:
<a href=http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging>http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging</a>
</dd>
</dl><h3 id=https+aes-scheme><span class=secno>16.11 </span><dfn title=scheme-https+aes><code>https+aes</code> scheme</dfn></h3>

<p>This section describes a URL scheme registration for the IANA URI
scheme registry. <a href=#refsRFC4395>[RFC4395]</a></p>

<dl><dt>URI scheme name:</dt>
<dd><code title="">https+aes</code></dd>
<dt>Status:</dt>
<dd>permanent</dd>
<dt>URI scheme syntax:</dt>
<dd>Same as <code title="">http+aes</code>.</dd>
<dt>URI scheme semantics:</dt>
<dd>Same as <code title="">http+aes</code>.</dd>
<dt>Encoding considerations:</dt>
<dd>Same as <code title="">http+aes</code>.</dd>
<dt>Applications/protocols that use this URI scheme name:</dt>
<dd>Same as <code title="">https</code>.</dd>
<dt>Interoperability considerations:</dt>
<dd>Same as <code title="">https</code>, but specifically for
private resources that are hosted by untrusted intermediary servers
as in a content delivery network.</dd>
<!--ADD-TOPIC:Security-->
<dt>Security considerations:</dt>
<dd>
<p>The security considerations that apply to <code title="">http+aes</code> and <code title="">https</code> apply as
well.</p>
</dd>
<!--REMOVE-TOPIC:Security-->
<dt>Contact:</dt>
<dd>Ian Hickson &lt;ian@hixie.ch&gt;</dd>
<dt>Author/Change controller:</dt>
<dd>Ian Hickson &lt;ian@hixie.ch&gt;</dd>
<dt>References:</dt>
<dd>
The <code title="">https</code> URL scheme is defined in:
<a href=http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging>http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging</a>
</dd>
</dl><h3 id=web+-scheme-prefix><span class=secno>16.12 </span><dfn title=scheme-web><code>web+</code> scheme prefix</dfn></h3>

<p>This section describes a convention for use with the IANA URI
scheme registry. It does not itself register a specific scheme. <a href=#refsRFC4395>[RFC4395]</a></p>
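Review bot: this hunk duplicates the complete.html hunk line for line, so the same points apply here: the AES-CTR counter block (nonce and initial counter) is left unspecified, CTR mode gives no integrity against the untrusted intermediary servers the scheme is aimed at, and the text never states that the userinfo key is stripped before the request is sent.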