Capability URLs

Summary of the Issues

Jeni Tennison · @JeniT

Security in Web Apps

Two methods:

  1. user accounts & permissions tied to them
  2. obscure URLs no one can guess

Capability URLs

know the URL?

then you can access the content

or even do other things...

Examples

Password Resets

links sent by email

Your Dropbox password recently expired. You can reset it here.

https://www.dropbox.com/l/Q8eJH22ft0ckDJDeff1Do10/password_reset

Second Life

Registration API

Reg API capabilities represent permissions to perform certain actions.

https://cap.secondlife.com/cap/0/2897456b-6959-473e-9b94-36d8cec1b9c3

Keep your capability URLs secret! The capabilities granted to you are only meant for you. A capability URL is sensitive much like a password. Moreover, Linden Lab tracks the use of each capability.

Other Examples

  • Google Hangouts
  • Github Gists
  • Doodle polls
  • ...

Reasons

No Login Required

  • users who can't remember login
  • users who don't want to create account
  • developers who don't want to support accounts

Easy Onward Sharing

  • invite just one person in organisation
  • trust they will pass on URL to the rest
  • reduced administration

Easy Client API

  1. perform authentication
  2. request list of capability URLs
  3. use those URLs without authentication

Downsides

Risk of Exposure

URLs aren't designed to be secret

  • shown in URL bar
  • appear in proxy and server logs
  • sent to onward links in the Referer header
  • kept in browser history and bookmarks

Compromise is Hard to Handle

revoke compromised URL

  • can't tell which holder leaked it
  • every legitimate holder needs a fresh URL

vs

revoke compromised user's access

  • one account, one identity to act on

Web Architecture

Good practice: Avoiding URI aliases
A URI owner SHOULD NOT associate arbitrarily different URIs with the same resource.

when restricted access → public access

the capability URL → a second, normal URL for the same resource (an alias)

Beyond the Single Page

require capability URLs for onward links?

Recommendations

Application Design

  • when to use capability URLs
  • alternatives to capability URLs
  • how to expire capability URLs

Canonical URLs

scenario: multiple URLs giving different access to a single document

  • how to relate capability URLs to canonical URL
    • redirections based on Referer header
    • embedded metadata in pages
  • how to transition to canonical URL once public

Capability URL Design

  • ensuring uniqueness
  • avoiding guessability
  • providing human readability
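The design points above (uniqueness, guessability, readability), together with the expiry question under Application Design, the revocation downside under Compromise is Hard to Handle, the multiple-URLs-per-document scenario under Canonical URLs, and step 3 of the Easy Client API (use the URL with no authentication), can be shown in one small server-side store. This is an added example written for this page, not code from the talk or from any of the services it names; the host `app.example`, the `/cap/` path layout and the class and function names are assumptions for illustration.

```python
import hashlib
import re
import secrets
import time
from dataclasses import dataclass

# Assumed host and path prefix for the example; not a real service.
BASE = "https://app.example/cap/"


@dataclass
class Capability:
    resource: str          # what the URL grants access to
    rights: frozenset      # e.g. {"read"} or {"read", "write"}
    expires_at: float      # Unix time after which the URL stops working
    revoked: bool = False


class CapabilityStore:
    """Server-side table of issued capabilities, keyed by SHA-256 of the token."""

    def __init__(self):
        self._caps = {}

    @staticmethod
    def _key(token):
        # Store a hash, not the token: a leaked table yields no working URLs.
        # No constant-time compare is needed: the lookup key is the hash of a
        # 256-bit random value, not a secret the caller can probe byte by byte.
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def _token_from(url):
        # The capability is the first path segment after BASE; anything after a
        # '/', '?' or '#' (readable label, tracking params, fragment) is ignored.
        if not url.startswith(BASE):
            return None
        return re.split(r"[/?#]", url[len(BASE):], maxsplit=1)[0]

    def issue(self, resource, rights, ttl, label="", now=None):
        """Mint a fresh capability URL for `resource`, valid for `ttl` seconds."""
        now = time.time() if now is None else now
        # 32 bytes from the OS CSPRNG: 256 bits, so unguessable and in practice
        # never repeated. The loop guards against the negligible collision anyway.
        token = secrets.token_urlsafe(32)
        while self._key(token) in self._caps:
            token = secrets.token_urlsafe(32)
        self._caps[self._key(token)] = Capability(resource, frozenset(rights), now + ttl)
        # An optional human-readable label follows the token. It is informational
        # only: authorisation depends solely on the token.
        return BASE + token + (f"/{label}" if label else "")

    def resolve(self, url, now=None):
        """Return the Capability the URL grants, or None if unknown, expired or revoked.

        This is the check a client hits with no session cookie or header at all:
        knowing the URL is the whole credential.
        """
        now = time.time() if now is None else now
        token = self._token_from(url)
        if token is None:
            return None
        cap = self._caps.get(self._key(token))
        if cap is None or cap.revoked or now >= cap.expires_at:
            return None
        return cap

    def revoke(self, url):
        """Kill one URL. Returns False if it was never issued.

        Every holder loses access, legitimate or not: the store cannot tell who
        leaked the URL, only that it leaked. Re-issue to those who should keep access.
        """
        token = self._token_from(url)
        cap = self._caps.get(self._key(token)) if token is not None else None
        if cap is None:
            return False
        cap.revoked = True
        return True


def demo(now=1_700_000_000.0):
    """Walk through issue, use, tamper, expiry and revocation; return the outcomes."""
    store = CapabilityStore()
    # Two capability URLs, different access, same document (the canonical-URL scenario).
    read_url = store.issue("doc/42", {"read"}, ttl=3600, label="quarterly-report", now=now)
    edit_url = store.issue("doc/42", {"read", "write"}, ttl=3600, now=now)
    token = store._token_from(read_url)
    tampered = BASE + ("A" if token[0] != "A" else "B") + token[1:]
    return {
        "read_rights": store.resolve(read_url, now=now).rights,
        "edit_rights": store.resolve(edit_url, now=now).rights,
        "label_dropped_still_works": store.resolve(BASE + token, now=now) is not None,
        "one_char_changed_fails": store.resolve(tampered, now=now) is None,
        "expired_fails": store.resolve(read_url, now=now + 3601) is None,
        "revoked": store.revoke(edit_url),
        "revoked_fails": store.resolve(edit_url, now=now) is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two choices carry the security argument: the token comes from the OS CSPRNG with 256 bits of entropy, so the URL is unguessable without being long enough to hurt readability, and the readable label is appended after the token rather than replacing any part of it, so it can be edited or dropped without changing what the URL grants. Revocation is deliberately blunt: there is no per-holder identity to act on, which is exactly the downside the talk contrasts with revoking a user account.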

UI Design Considerations

should there be ways to hide URLs?

  • location bar
  • status bar
  • view source

Proposed Work

short best practices Recommendation

  • aimed at web developers
  • covering recommendations just outlined

Further Reading