On Wed, Jun 1, 2011 at 5:15 PM, Mark Nottingham <mnot@mnot.net> wrote: > On 02/06/2011, at 1:00 AM, Eran Hammer-Lahav wrote: >> This was suggested before, but are there really attack vectors for this? > > If not having a current, working attack to demonstrate is a valid way to shrug off a security concern, that's great; it'll be a useful approach to many of the discussions I have. :) > > >> The problem is that content-type is a pretty flexible header, which means normalization of the header will be required (case, parameter order, white space, etc.). > > The media type is the important part, and it's much more constrained. > > >> I would argue that if you are using MAC with body hash and an attacker changing the media type can cause harm, you should use additional methods to secure the content-type (such as making the body self-describing). > > That seems like a step backwards, considering all of the work that Adam has put into limiting the use of sniffing. Yeah, I tried to twist Eran's arm into including the media type in the body hash too. It's probably more important for responses than requests, however. AdamReceived on Thursday, 2 June 2011 01:26:53 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:41 GMT