
Plausible deniability

In the IETF and W3C, the specification directive "SHOULD" is a harder requirement than it sounds, and harder than the way the word is used in the commercial sector. It means roughly "unless you have an exceptional case, you MUST do this". It is not meant to provide plausible deniability. Unfortunately it can end up getting used that way.

In the current Google Web Accelerator (GWA) kerfuffle, some people have pulled out RFC 2616 as a rationale to justify current site designs. It says that GET SHOULD NOT have side effects. Then, interpreting what RFC 2119 says about the degrees of freedom a SHOULD NOT allows, some people are attempting to conclude, or have already decided, that GET can broadly have side effects, including cases that present security problems. Thus the GWA is in some way broken and needs to be fixed, because it MUST NOT break existing apps.

An argument that Google are breaking one side of Postel's law, even if they are working to spec, would be more reasonable. Citing part of the HTTP spec post hoc is thin justification. It's difficult to credit that app developers read the HTTP spec and concluded "it's OK for me to let people log out and delete stuff via GET!". Delta encoding as described in RFC 3229 is maybe one such exceptional case. Delete and logout clickthroughs are not.
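To make the point concrete, here is an added example (not code from the original post, and not the GWA or any real framework): a toy web app in two versions, a constructed in-memory store, and a constructed model of a link-prefetching proxy. The "before" version performs delete and logout on GET via plain links, so a prefetcher that follows every href on the page destroys state and ends the session. The hardened version renders those controls as POST forms and answers GET on the state-changing paths with 405, so a prefetcher finds nothing to follow and cannot trigger a side effect even if it guesses the URL. All names and paths here are hypothetical.

```python
"""Added example: GET with side effects under a prefetching proxy, and the
same app once state changes require POST.  Everything here (the app, the
store, the proxy model) is a constructed stand-in for illustration."""

import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]  # (status code, body): a minimal constructed shape


@dataclass
class Store:
    """Constructed application state: a few items and a login flag."""
    items: Dict[str, str] = field(default_factory=lambda: {"1": "draft", "2": "notes"})
    logged_in: bool = True


def render_list(store: Store, safe_design: bool) -> str:
    """Page listing items with delete/logout controls.  In the safe design the
    controls are POST forms, so a link-following prefetcher has nothing to follow."""
    rows: List[str] = []
    for item_id, name in store.items.items():
        if safe_design:
            rows.append(f'<form method="post" action="/delete/{item_id}">'
                        f'<button>delete {name}</button></form>')
        else:
            rows.append(f'<a href="/delete/{item_id}">delete {name}</a>')
    if safe_design:
        logout = '<form method="post" action="/logout"><button>logout</button></form>'
    else:
        logout = '<a href="/logout">logout</a>'
    return "<ul>" + "".join(f"<li>{r}</li>" for r in rows) + "</ul>" + logout


def handle_unsafe(store: Store, method: str, path: str) -> Response:
    """The 'before' design: any GET to these paths performs the side effect."""
    if path == "/":
        return 200, render_list(store, safe_design=False)
    m = re.fullmatch(r"/delete/(\w+)", path)
    if m:
        store.items.pop(m.group(1), None)
        return 200, "deleted"
    if path == "/logout":
        store.logged_in = False
        return 200, "bye"
    return 404, "not found"


def handle_safe(store: Store, method: str, path: str) -> Response:
    """Hardened design: GET is read-only; state changes require POST."""
    if path == "/":
        return 200, render_list(store, safe_design=True)
    m = re.fullmatch(r"/delete/(\w+)", path)
    if m or path == "/logout":
        if method != "POST":
            return 405, "Method Not Allowed"  # refuse side effects on GET
        if m:
            store.items.pop(m.group(1), None)
            return 200, "deleted"
        store.logged_in = False
        return 200, "bye"
    return 404, "not found"


Handler = Callable[[Store, str, str], Response]


def prefetch_links(handler: Handler, store: Store) -> List[str]:
    """Constructed model of a prefetching proxy: fetch '/', then GET every href
    on the page.  It never submits forms, which is why the safe design survives."""
    _, body = handler(store, "GET", "/")
    hrefs = re.findall(r'href="([^"]+)"', body)
    for href in hrefs:
        handler(store, "GET", href)
    return hrefs


if __name__ == "__main__":
    before = Store()
    prefetch_links(handle_unsafe, before)
    print("unsafe app after prefetch:", before)   # items gone, logged out
    after = Store()
    prefetch_links(handle_safe, after)
    print("safe app after prefetch:", after)      # untouched
```

Running the module shows the unsafe store emptied and logged out after one prefetch pass, while the hardened store is untouched. Note that the hardened handler checks the method itself rather than relying on the page markup: a proxy or crawler that guesses `/delete/1` still gets a 405, which is the check that makes the RFC 2616 "GET SHOULD NOT have side effects" rule hold regardless of what the HTML links to.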

The situation does present problems. Many of us will be mailing out directives next week asking people not to use GWA and patching httpd.conf files, but eventually we will have to consider upgrading the server apps, frameworks, and possibly the clients. That's a lot of infrastructure, but shouting Google down is not a sustainable approach. GWA won't be the last technology that does this; it's a glimpse into the future of a much more automated Web. Where this goes when proxies begin to intercept and interpret JavaScript, or scan applet bytecode, or manage sessions, or in the worst case when these things are used maliciously, is anyone's guess. What this situation does highlight is that specifications matter.

May 8, 2005 05:43 PM


Robert Sayre
(May 8, 2005 06:20 PM #)

Why do people think RFC3229 GETs are unsafe or non-idempotent? It's a lot like content negotiation, range selection, or conditional GET.

Section 4, The HTTP message-generation sequence, shows the process.