W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2009

Re: Questions about draft-abarth-mime-sniff-00

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 6 Apr 2009 15:55:48 -0700
Message-ID: <7789133a0904061555h18047ca6j34180f4529957053@mail.gmail.com>
To: Daniel Stenberg <daniel@haxx.se>
Cc: Adrien de Croy <adrien@qbik.com>, Lisa Dusseault <lisa.dusseault@messagingarchitects.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Mon, Apr 6, 2009 at 3:03 PM, Daniel Stenberg <daniel@haxx.se> wrote:
> On Mon, 6 Apr 2009, Adam Barth wrote:
>> Here the situation is reversed.  Diversity leads to increased security
>> risk because mismatches in sniffing create cracks that attackers can
>> exploit.
>
> No, that's the exact same situation as in biology. If there's a single
> master race with no quirks, it will conquer them all. But if that master has
> a flaw, everyone gets hit.
>
> Alas, if the one and only method is found to have a flaw at a future date,
> *all* browsers will have that flaw (assuming all would manage to and want to
> adhere to the same spec). Letting everyone do it there own way of course
> make the risk of them all having the exact same flaw less likely.

I understand your perspective, but in this case the security issues
caused by mismatched sniffing algorithms are much more common.  For
example, a single byte difference in the content sniffing algorithm
between the server and the client can lead to vulnerabilities.  For a
concrete example we found in Wikipedia's content sniffer, see Section
2.5:

http://www.adambarth.com/papers/2009/barth-caballero-song.pdf

Adam
Received on Monday, 6 April 2009 22:56:38 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:02 GMT