Malicious Links

nervuri nervuri at disroot.org
Fri Jul 16 09:55:08 BST 2021


On Thu, 2021-07-15, mbays wrote:
>Better. But I think "display" is still assuming too much about the
>client. What about audio-only clients? We could make it "present", but
>still we may find that it's too restrictive... what if a client wants to
>present only a shortened form of the URI, say without the scheme? Do we
>really want to say that it's in contravention of the spec? And so on.

"Display" is used throughout the spec.  I'm fine with using a more
general term like "present", but maybe a separate issue should be opened
for replacing all instances of "display".  And, yes, I do think clients
ought to include the scheme, especially those that support multiple
protocols; I don't see this as a blocker.

>Really, I don't think this kind of prescriptive text for the details of
>how clients should operate belongs in the spec at all.

That's what the specification is: prescriptive text for how clients
should operate.  If the text makes sense, we should add it, and this is
a small requirement that brings a big benefit, as with web browsers
using SameSite by default.

>Perhaps it would make more sense to add some general discussion about
>this issue, either to the spec or to best-practices.gmi, saying that
>clients should ensure that a client certificate is used only when it's
>clear that the user intends it to be, and pointing out these cases where
>it might not be clear (links and redirects into the scope of
>a certificate). Then let client authors decide how to implement this in
>whatever way makes most sense for their particular clients.

This would also be good.  As I wrote on GitLab, «"MUST" is what I think
makes the most sense, as it provides the most protection without any
serious downside. But if I'm wrong about that, then taking it down to
"SHOULD", or putting it into the best practices document, is still way
better than nothing.»

So, here's the next iteration of the text:

  Before following a URI which is in scope of a client certificate from
  a URI outside of that scope, clients MUST/SHOULD display the target
  URI and what client certificate would be used to connect to it.

  Doing this will help protect against Cross-Site Request Forgery
  (CSRF). It applies to:
    * following a link on a page
    * going through one or more redirects

We could expand on this with a short explanation of CSRF and maybe an
example.


More information about the Gemini mailing list