Re: consensus on :query ? from Roberto Peon on 2014-07-21 (ietf-http-wg@w3.org from July to September 2014)

From: Roberto Peon <grmocg@gmail.com>
Date: Mon, 21 Jul 2014 00:14:18 -0700
To: Willy Tarreau <w@1wt.eu>
Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, Phil Hunt <phil.hunt@oracle.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAP+FsNeg=duscxbTwg2cOOooL5tuDjYq2N9AmpmsLN-zu=rD_A@mail.gmail.com>

Assuming that query params get put into the compressor, splitting the path
off means that an attacker gets to test against all of those query-parts
with a query and *any* path.
This would be a big change in terms of security properties.

-=R


On Mon, Jul 21, 2014 at 12:04 AM, Willy Tarreau <w@1wt.eu> wrote:

> On Sun, Jul 20, 2014 at 11:51:37PM -0700, Roberto Peon wrote:
> > Don't get me wrong-- I think it'd be mostly fine.
> > I also think, however, that this is a piece of information which is
> likely
> > to contain sensitive information, and as a result, if we want to do
> > something different than we do now, we should get it reviewed.
> >
> > One simple example of how this makes stuff easier-- Since the path and
> > query are separated, an attack that attacks the local state by acting as
> a
> > malicious mitm of TCP packets may perform more attacks before the TCP
> recv
> > window runs out.
> >
> > Do I think that is a particularly strong weakness? No. However, it still
> > needs review.
>
> OK so I think we're in line then. Sure it needs to be reviewed, and I'm
> not worried either (I guess whatever can be found on it will also affect
> current state of the spec).
>
> Willy
>
>

Received on Monday, 21 July 2014 07:14:46 UTC