Robert Hansen aka R-Snake has posted a very interesting article today over at his blog. As R-Snake states:
Whelp, we’ve talked about it, but now it’s finally possible. CSRF can now cause jail time. The FBI has begun arresting people who click on links to supposed child pornography. Now, I understand the noble pursuit, but there’s a fairly huge flaw in the old logic. I can force users to click on links anytime I want. Now here comes some interesting CSRF technology grey area. The authorities might reasonably say, “The referrer doesn’t match.” Okay, well that’s what our good friend META refresh is for. I can force you to click on things without leaving a referring URL at all.
So now the real question is would a user with no referring URL be worthy of investigation?
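The quoted passage turns on two facts a defender should internalize: a server (or an investigator reading server logs) can compare the Referer to the expected origin, but a missing Referer proves nothing, since a meta refresh or a referrer policy strips it. The following is an added example, not code from R-Snake's post or from this blog, showing how a server-side check should treat those three situations: same-origin, cross-origin, and "no provenance at all". It uses the Origin and Sec-Fetch-Site headers real browsers send in addition to Referer, and assumes a hypothetical site `https://example.test`; the function names and the sample header sets are constructed for illustration.

```python
from urllib.parse import urlsplit

# Verdicts a request can receive. Names are this example's own, not a standard.
SAME_ORIGIN = "same-origin"
CROSS_ORIGIN = "cross-origin"
USER_INITIATED = "user-initiated"  # typed URL or bookmark: Sec-Fetch-Site: none
AMBIGUOUS = "ambiguous"            # no usable provenance signal at all


def _origin_of(url):
    """Return scheme://host[:port] for a URL, or None if it cannot be parsed."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def classify_request(headers, expected_origin):
    """Classify where a request came from using only the headers the browser sent.

    headers: dict of header name -> value (case of the name does not matter).
    expected_origin: the origin the server considers "its own", e.g. https://example.test
    """
    h = {k.lower(): v for k, v in headers.items()}
    expected = expected_origin.lower()

    # Fetch Metadata (Sec-Fetch-Site) is set by modern browsers and, unlike
    # Referer, is not removed by a meta refresh or a referrer policy.
    site = h.get("sec-fetch-site")
    if site == "same-origin":
        return SAME_ORIGIN
    if site in ("same-site", "cross-site"):
        return CROSS_ORIGIN  # a sibling subdomain is still a different origin
    if site == "none":
        return USER_INITIATED

    # Origin header: browsers send it on POST and other non-simple requests.
    origin = h.get("origin")
    if origin and origin.lower() != "null":
        return SAME_ORIGIN if origin.lower() == expected else CROSS_ORIGIN

    # Referer: the check the quote mentions. Present and mismatched is evidence
    # of a cross-origin load; absent is no evidence of anything.
    referer = h.get("referer")
    if referer:
        ref_origin = _origin_of(referer)
        if ref_origin is None:
            return AMBIGUOUS
        return SAME_ORIGIN if ref_origin == expected else CROSS_ORIGIN

    return AMBIGUOUS


def allow_state_change(headers, expected_origin):
    """Server-side CSRF policy: only verifiably same-origin requests may change state.

    AMBIGUOUS is rejected rather than trusted: "unverifiable" is not "legitimate".
    """
    return classify_request(headers, expected_origin) == SAME_ORIGIN


# Constructed sample header sets (not captured traffic) for the cases in the post.
SITE = "https://example.test"
SAMPLES = {
    "user followed an on-site link": {"Referer": "https://example.test/index.html"},
    "another site forced the load": {"Referer": "https://other-site.invalid/page.html"},
    "meta refresh stripped the referrer": {},
}


def triage(samples=SAMPLES, expected_origin=SITE):
    """Return {sample name: verdict} for each constructed header set."""
    return {name: classify_request(hdrs, expected_origin) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:38s} -> {verdict}")
```

The third sample is the situation the quote describes: the request reaches the server with no Referer at all, and the only honest verdict is "ambiguous". A CSRF defense handles that by refusing to act on the request (or by requiring a token), not by assuming the visitor chose to be there; the same reasoning is why a log entry with an empty Referer field is not, on its own, evidence of intent.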
I agree completely with R-Snake on this topic. While I would love taking down those trying to view child pornography, I think we should all be scared of a world where someone can simply force you to view a page through CSRF and possibly get you arrested for a very serious crime. It seems like with each new law related to technology, I get more and more scared of even using the internet. You have laws come up like this that just put people at risk of being wrongly implicated, and then you have regulatory laws and standards like PCI that are just so ambiguous it really gives companies an out to say "We did everything you told us to!" and leave their web applications grossly insecure (specifically here I'm talking about the pentesting clause which is so ambiguous, who knows if the company has actually met the mark or not).
Thanks to R-Snake for jumping on top of this and pointing this out; this is hugely important. At some point, law enforcement and the government are going to HAVE TO START TALKING TO THE SECURITY PROFESSIONALS, because they are making such poor decisions with regard to laws that none of us are safe.