Difference between revisions of "Endpoint"

From MgmtWiki
(References)
(Context)
 
(9 intermediate revisions by the same user not shown)
Line 3: Line 3:
  
 
==Context==
 
==Context==
 +
Endpoints have been defined in many standardized contexts.
 +
* [https://hl7.org/fhir/R4/endpoint.html The FHIR Resource Endpoint]
 +
*
  
 +
There are two broad classes of endpoints.
 +
# IP address
 +
## IP V4 which are of the form 123.045.067.089
 +
## IP V6
 +
# URL addresses which are converted to IP addresses by a [[DNS]]
 +
## Web addresses which use the URL scheme HTTP:// or the preferred HTTPS:// These are the ones of particular interest here.
 +
## Other application specific URL schemes, like streaming media or data-gram.
  
 
==Problem==
 
==Problem==
It has been recognized for many years that [[URL]]s (and hence [[Endpoint]]s are poor substitutes for [[Web Site]] [[Identifier]]s<ref>Jakob Nielsen, ''URL as UI'' https://www.nngroup.com/articles/url-as-ui/</ref>. Yet no one has found a such a substitute.
+
* It has been recognized for many years that [[URL]]s (and hence [[Endpoint]]s are poor substitutes for [[Web Site]] [[Identifier]]s<ref>Jakob Nielsen, ''URL as UI'' https://www.nngroup.com/articles/url-as-ui/</ref>. Yet no one has found a suitable substitute.
 +
* Many standards have been focused on setting new endpoints for every service defined by the web site.
 +
* Since endpoints are just URLs their ability to access sign in credentials or cookies is determined by policies set by the browser manufacturer or, possibly, by an administrator. These policies are subject to changes that are never explained, or even explainable, to the user.
 +
* Since endpoint policy is not under the control of the standards, there is no chance for them to make it really clear when an endpoint will be consider to be a part of the origin and thus not subject to cross-origin policies.
 +
 
 +
===Security===
 +
Like any URL access point, and device [[Endpoint]] is subject to worldwide attacks.
 +
 
 +
* [https://www.cisa.gov/news-events/alerts/2023/04/25/abuse-service-location-protocol-may-lead-dos-attacks Abuse of the Service Location Protocol (SLP, RFC 2608) may lead to DOS attacks.] (2023-04-25)
 +
 
 
==Solution==
 
==Solution==
 
A good solution is still being sought; here are some ideas:
 
A good solution is still being sought; here are some ideas:
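
Review bot: The IPv4 example added under Context, 123.045.067.089, writes its octets with leading zeros, which many address parsers read as octal (and 089 is not a valid octal number), so the same string can be rejected or resolved differently depending on the parser; an unambiguous documentation-range address such as 192.0.2.1 would be a safer illustration. In the same change, the empty "*" bullet added after the FHIR link should be filled in or dropped, the parenthesis opened at "(and hence [[Endpoint]]s" in the Problem list is never closed, "will be consider" should read "will be considered", and "and device [[Endpoint]]" in the new Security section reads as a typo for "any device".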

Latest revision as of 20:28, 25 April 2023

Full Title or Meme

An Endpoint is typically a URL addressing one service of a Web Site.

Context

Endpoints have been defined in many standardized contexts.

  • The FHIR Resource Endpoint (https://hl7.org/fhir/R4/endpoint.html)

There are two broad classes of endpoints.

  1. IP addresses
    1. IPv4 addresses, which are of the form 123.045.067.089
    2. IPv6 addresses
  2. URL addresses, which are converted to IP addresses by DNS
    1. Web addresses, which use the URL scheme HTTP:// or the preferred HTTPS://. These are the ones of particular interest here.
    2. Other application-specific URL schemes, like streaming media or datagram.

Problem

  • It has been recognized for many years that URLs (and hence Endpoints) are poor substitutes for Web Site Identifiers[1]. Yet no one has found a suitable substitute.
  • Many standards have been focused on setting new endpoints for every service defined by the web site.
  • Since endpoints are just URLs, their ability to access sign-in credentials or cookies is determined by policies set by the browser manufacturer or, possibly, by an administrator. These policies are subject to changes that are never explained, or even explainable, to the user.
  • Since endpoint policy is not under the control of the standards, there is no chance for them to make it really clear when an endpoint will be considered to be a part of the origin and thus not subject to cross-origin policies.
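
Whether two endpoints fall under the same origin can be checked mechanically. The following is an added example, not part of the original wiki page: it classifies an endpoint by the classes listed under Context and compares two endpoints by origin using the standard WHATWG URL class. The function names and sample URLs are constructed for illustration.

```javascript
// Added example: function names and endpoints are constructed for illustration.
const WEB_SCHEMES = new Set(["http:", "https:"]);

// Classify one endpoint using the two classes from the Context list.
function describeEndpoint(text) {
  const url = new URL(text); // throws TypeError on a malformed endpoint
  const host = url.hostname;
  let addressing = "DNS name";
  if (host.startsWith("[")) {
    addressing = "IPv6"; // the URL parser keeps IPv6 literals in brackets
  } else if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    addressing = "IPv4";
  }
  return {
    addressing,
    scheme: url.protocol.slice(0, -1),
    web: WEB_SCHEMES.has(url.protocol),
    // Origin = scheme + host + port. The path is not part of it, the host is
    // lower-cased, and a default port (80 or 443) is dropped. Non-web schemes
    // such as rtsp get the opaque origin, serialized as "null".
    origin: url.origin,
  };
}

// Two endpoints share an origin only if scheme, host and port all match.
// Opaque origins never match anything, including each other.
function sameOrigin(a, b) {
  const originA = describeEndpoint(a).origin;
  const originB = describeEndpoint(b).origin;
  return originA !== "null" && originA === originB;
}

// Constructed sample endpoints for one hypothetical web site.
const samples = [
  "https://example.org/fhir/Patient",
  "https://EXAMPLE.org:443/login",
  "https://api.example.org/fhir/Patient",
  "http://example.org/fhir/Patient",
  "http://192.0.2.10:8080/health",
  "https://[2001:db8::1]/metadata",
  "rtsp://media.example.org/stream",
];
for (const endpoint of samples) {
  const info = describeEndpoint(endpoint);
  const shared = sameOrigin(samples[0], endpoint) ? "same origin as" : "cross-origin to";
  console.log(`${endpoint} -> ${info.addressing}, origin ${info.origin}, ${shared} the first`);
}
```

A different path or an explicit default port leaves the origin unchanged, while a different subdomain, scheme or port on the same web site makes the endpoint cross-origin.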

Security

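Like any URL access point, any device Endpoint is subject to worldwide attacks.

  • Abuse of the Service Location Protocol (SLP, RFC 2608) may lead to DOS attacks. (2023-04-25) https://www.cisa.gov/news-events/alerts/2023/04/25/abuse-service-location-protocol-may-lead-dos-attacks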

Solution

A good solution is still being sought; here are some ideas:

References

  1. Jakob Nielsen, URL as UI https://www.nngroup.com/articles/url-as-ui/