W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2014

Re: consensus on :query ?

From: Willy Tarreau <w@1wt.eu>
Date: Mon, 21 Jul 2014 15:42:06 +0200
To: Eric Rescorla <ekr@rtfm.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, Roberto Peon <grmocg@gmail.com>, Poul-Henning Kamp <phk@phk.freebsd.dk>, Phil Hunt <phil.hunt@oracle.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20140721134206.GB28569@1wt.eu>
On Mon, Jul 21, 2014 at 06:24:04AM -0700, Eric Rescorla wrote:
> On Mon, Jul 21, 2014 at 6:20 AM, Martin Thomson <martin.thomson@gmail.com>
> wrote:
> 
> > On 21 July 2014 00:53, Willy Tarreau <w@1wt.eu> wrote:
> > >
> > > I'm not sure what you mean, we're speaking about having a single :query
> > > for whatever follows the question mark, right ? If so, all the params
> > > must be tried as a single block.
> >
> > Yes, but there could be cases where the combination of path and query
> > contain sufficiently high entropy in combination, but one or other
> > contains insufficient entropy on its own to resist guessing attacks.
> >
> 
> I concur with Martin's analysis
> 
> Consider the case where we have sensitive information split between the
> path and the query. E.g.
> 
> https://login.example.com/ekr?<password>
> 
> If the username is unknown, this lets them be guessed independently.

I didn't understand you were suggesting such a case, because for me "ekr"
above would be well-known as it would typically be presented on the login
page itself in the form of a link, so it would not be considered part of
the secret.

Thanks for explaining your example case at least, even if I find it hard
to find a real world case involing this and without "ekr" being already
public.

Willy
Received on Monday, 21 July 2014 13:52:15 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 30 March 2016 09:57:09 UTC