Software, technology, sysadmin war stories, and more.
Sunday, October 30, 2011

In-band signalling: bad for the telco, bad for the web

In-band signalling leads to a lot of weird and interesting situations. Just look at what happened back in the days when 2600 Hz meant something special to the phone company. If you were on a call which crossed the right sort of trunk, you could make the far end drop into a state where you could pretend to be another switch. Then you could send it the right sort of tones and go exploring.

That was the essence of the blue box, and it all worked because the signals that controlled things a customer should never have been able to touch were carried in the very same channel that had been handed to that customer! Sure, now we have out-of-band ways to do that, and blasting 2600 Hz is probably just a good way to get some nice people with badges and guns to visit, but have we really learned?

Look at HTML, and the web in general. Just how many ways are there to exploit some poor web site just because someone found a way to make it convey arbitrary content? There's effectively no way to say "hey, everything in this blob is totally untrusted by me and should have no special privileges". This leads to all kinds of finger-crossing hacks and cargo-culting escaping in the hopes that you won't trip over your own shoelaces.

Obviously, when the web was a place where everything served as part of a page was put there by the creator who hacked it together by hand, this sort of thing was not a problem. If it was in your page, then you obviously knew about it, and anything bad that happened was really up to you.

Now we're in a world where content from other people has to be shoved into pages without somehow managing to acquire the privileges of the parent page. This leads to all sorts of amazing hacks, like the places which will scarf down an image, then wash it through the netpbm tools (or whatever) before serving it back to you. They do this because that "image" might actually be an applet, and by serving it, it gets in through the "same origin" door, and ... yeah. It's a mess.

I've been running into this while working on my own personal replacement for Google Reader. At the moment I'm mostly just showing titles and links to the original pages, but I would like to show the content inline at some point. This means actually accepting the HTML as presented and displaying it right on my page as if I had vetted it. The horror!

I just know I'm going to have to do some obscene things just to make sure nobody sticks a <script> chunk in one of their feeds to get stuff to run with those privileges. It's sick and twisted, it's stupid, and it should be unnecessary.
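The usual defensive answer to the problem in that paragraph is an allow-list sanitizer: parse the feed's HTML, keep only tags and attributes you have explicitly approved, and re-serialize, so that anything you did not think of is dropped by default. The following is an added example and not code from this post or from the author's reader; the tag, attribute and URL-scheme lists are assumptions chosen for illustration, and the feed entry it runs on is constructed.

```python
"""Allow-list HTML sanitizer for untrusted feed content (added example)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags a feed entry may keep. Anything not listed is stripped; its text survives.
ALLOWED_TAGS = {
    "p", "br", "b", "i", "em", "strong", "ul", "ol", "li",
    "blockquote", "pre", "code", "a", "img", "h1", "h2", "h3",
}
VOID_TAGS = {"br", "img"}
# Elements whose content is also untrusted and must never reach the page.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "applet"}
# Per-tag attribute allow-list (assumed); no on* handler can ever appear here.
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(value):
    """Return the URL if its scheme is allow-listed or relative, else None.

    Allow-listing schemes (rather than blocking 'javascript:') also rejects
    data:, vbscript: and any scheme nobody thought of. urlparse lowercases
    the scheme, so 'JavaScript:' is caught too.
    """
    value = value.strip()
    scheme = urlparse(value).scheme
    if scheme == "" or scheme in SAFE_SCHEMES:
        return value
    return None


class FeedSanitizer(HTMLParser):
    """Rebuilds a fragment from approved tags and attributes only."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack of emitted non-void tags, kept balanced
        self.drop_depth = 0   # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: the tag goes, its text is kept via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue  # e.g. href="javascript:..." becomes a bare <a>
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.open_tags:
            return
        # Close everything opened since this tag so the output stays balanced
        # and a stray <b> in a feed cannot bleed into the rest of the page.
        while self.open_tags:
            top = self.open_tags.pop()
            self.out.append("</%s>" % top)
            if top == tag:
                break

    def handle_data(self, data):
        # Text arrives unescaped (convert_charrefs=True); re-escape it so
        # entity-encoded markup cannot come back to life on output.
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions fall through the
    # default no-op handlers and are therefore dropped.

    def result(self):
        self.close()
        while self.open_tags:
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_feed_html(fragment):
    sanitizer = FeedSanitizer()
    sanitizer.feed(fragment)
    return sanitizer.result()


# Constructed feed entry exercising the cases a feed reader must survive.
UNTRUSTED_ENTRY = (
    '<p onmouseover="alert(1)">Hello <b>reader</b></p>'
    '<script>document.cookie</script>'
    '<a href="javascript:alert(1)">click</a>'
    '<a href="https://example.com/post">ok link</a>'
    '<img src="https://example.com/a.png" onerror="alert(1)">'
    '<iframe src="https://example.com/"></iframe>'
    '<div>unclosed <i>italics'
)

if __name__ == "__main__":
    print(sanitize_feed_html(UNTRUSTED_ENTRY))
```

The design point is that the parser and the serializer are yours: the output is rebuilt from what you approved rather than being the input with bad bits cut out, which is what lets the default be "drop" instead of "hope". The lists above are deliberately small; widen them only when you know why each entry is safe.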

Where is the SS7 out-of-band scheme for the web? Why are we still doing the equivalent of blasting 2600 Hz at each other, hoping that nobody else will discover our magic tones? It didn't work for Ma Bell, and it doesn't work for the web.

Feh. We bring these things upon ourselves.

October 31, 2011: This post has an update.