[whatwg] validate attribute in <A>

James Graham jg307 at cam.ac.uk
Wed Jan 25 15:14:36 PST 2006

Mike Hoye wrote:
> [a href="http://foo.com/mozilla-i686.tgz"
>  validate="{md5}b63fcdf4863e59c93d2a29df853b6046"]
> and the client could verify as it comes in that it does at least have
> the md5sum that's advertised.  User notifications could include "no
> validation", "successfully validated" and "failed validation", and act
> according to the user's wishes in each case.

It seems to make phishing scams easier (or at least easier to make
convincing). If evilsite.com has a hacked version of Firefox accessible
via an <a validate="hash_from_hacked_firefox"> then anyone downloading
Firefox from evilsite.com will be told that the download "successfully
validated" which (misleadingly) suggests it is the real Firefox.

That doesn't leave the attribute totally useless as it would catch the
case where a trustworthy website used a mirror network which was
compromised. On balance though I don't see the security effect of this
as a net positive (but I'm not a security guy so I'm happy to be corrected).

"It seems to be a constant throughout history: In every period, people
believed things that were just ridiculous, and believed them so strongly
that you would have gotten in terrible trouble for saying otherwise."

-- http://www.paulgraham.com/say.html

More information about the whatwg mailing list