Re: bohe and delta experimentation...

From: Willy Tarreau <w@1wt.eu>
Date: Fri, 18 Jan 2013 19:18:19 +0100
To: Roberto Peon <grmocg@gmail.com>
Cc: RUELLAN Herve <Herve.Ruellan@crf.canon.fr>, Nico Williams <nico@cryptonector.com>, Martin J. Dürst <duerst@it.aoyama.ac.jp>, Mark Nottingham <mnot@mnot.net>, James M Snell <jasnell@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <20130118181819.GB5037@1wt.eu>
Hi Roberto,

On Fri, Jan 18, 2013 at 09:22:11AM -0800, Roberto Peon wrote:
> This makes URLs vulnerable to the CRIME attack, and URLs definitely do
> contain sensitive information often :(
> 
> This is true for anything which allows partial matches (I just can't figure
> out how date could be sensitive, but if it could, even the encoding
> suggested earlier by me would be dangerous).
> 
> I dropped exactly this (prefix match) functionality from delta early on
> because of this.

If we consider that anything is sensitive to the CRIME attack, then we need
to go fully stateless I guess, otherwise it will be too hard to find out
what is safe to reuse and what is risky :-/

Willy
Received on Friday, 18 January 2013 18:18:55 GMT
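
As an added illustration, not part of the thread or of the bohe/delta proposals themselves: a toy model of the two choices discussed above, showing why a prefix-match reference lets the encoded size depend on a previous (possibly secret) value, while a stateless literal does not. The encoder shapes, the header values and the probe strings are constructed for this example.

```python
# Added example, not from this thread: toy encoders modelling the choice
# discussed above. Header values and probes below are constructed.
from typing import Callable, List

def encode_prefix_match(previous: str, value: str) -> bytes:
    """Delta-style reference (assumed shape): one byte giving how many
    leading characters `value` shares with the previously sent `previous`,
    followed by the literal remainder."""
    shared = 0
    for a, b in zip(previous, value):
        if a != b:
            break
        shared += 1
    shared = min(shared, 255)  # keep the count within a single byte
    return bytes([shared]) + value[shared:].encode()

def encode_stateless(previous: str, value: str) -> bytes:
    """Stateless encoding: history is ignored, the literal value is sent."""
    return value.encode()

Encoder = Callable[[str, str], bytes]

def encoded_lengths(encoder: Encoder, secret: str, probes: List[str]) -> List[int]:
    """Sizes an on-path observer sees when a request carrying `secret` is
    followed by requests whose value is chosen by a third party (`probes`)."""
    return [len(encoder(secret, p)) for p in probes]

def is_length_oracle(encoder: Encoder, secret: str, probes: List[str]) -> bool:
    """True if equal-length probes yield different sizes: the encoded size
    then depends on `secret`, which is the precondition CRIME relies on."""
    if len({len(p) for p in probes}) != 1:
        raise ValueError("probes must all have the same length")
    return len(set(encoded_lengths(encoder, secret, probes))) > 1

# Constructed sample: a path carrying a secret, then three same-length probes.
SECRET_PATH = "/account?token=7f3a"
PROBES = ["/account?token=0", "/account?token=7", "/zzzzzzzzzzzzzzz"]

if __name__ == "__main__":
    for name, enc in (("prefix-match", encode_prefix_match),
                      ("stateless", encode_stateless)):
        print(name, encoded_lengths(enc, SECRET_PATH, PROBES),
              "size depends on secret" if is_length_oracle(enc, SECRET_PATH, PROBES)
              else "size independent of secret")
```

With the prefix-match encoder the three probes encode to different sizes even though they are the same length, so the size reveals how much of the earlier value each probe matched; the stateless encoder gives the same size for all three.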