Re: consensus on :query ? from Roberto Peon on 2014-07-21 (ietf-http-wg@w3.org from July to September 2014)

From: Roberto Peon <grmocg@gmail.com>
Date: Mon, 21 Jul 2014 16:24:56 -0700
To: Adrien de Croy <adrien@qbik.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, Willy Tarreau <w@1wt.eu>, Poul-Henning Kamp <phk@phk.freebsd.dk>, Phil Hunt <phil.hunt@oracle.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAP+FsNcaxeEhEpQCAteQUZGn03OXTv=MR8xz9nLZVDSU9nf8iA@mail.gmail.com>

If the path contains:
/foo/RANDOM_NUMBER/bar

and the query contains:
q=foo&user=SOME_SECRET_ID

Then guessing:
/foo/RANDOM_NUMBER/bar?q=foo&user=SOME_SECRET_ID

is far, far FAR more difficult than guessing:
  q=foo&user=SOME_SECRET_ID
alone or
  /foo/RANDOM_NUMBER/bar
alone.


-=R


On Mon, Jul 21, 2014 at 4:21 PM, Adrien de Croy <adrien@qbik.com> wrote:

>
> I don't see how it makes any difference.  Splitting something in two
> (path?query vs. path, query) doesn't add or subtract information or alter
> entropy.  It's just a different way of parsing.
>
>
>
> ------ Original Message ------
> From: "Martin Thomson" <martin.thomson@gmail.com>
> To: "Willy Tarreau" <w@1wt.eu>
> Cc: "Roberto Peon" <grmocg@gmail.com>; "Poul-Henning Kamp" <
> phk@phk.freebsd.dk>; "Phil Hunt" <phil.hunt@oracle.com>; "Mark
> Nottingham" <mnot@mnot.net>; "HTTP Working Group" <ietf-http-wg@w3.org>
> Sent: 22/07/2014 1:20:27 a.m.
> Subject: Re: consensus on :query ?
>
>  On 21 July 2014 00:53, Willy Tarreau <w@1wt.eu> wrote:
>>
>>>
>>>  I'm not sure what you mean, we're speaking about having a single :query
>>>  for whatever follows the question mark, right ? If so, all the params
>>>  must be tried as a single block.
>>>
>>
>> Yes, but there could be cases where the combination of path and query
>> contain sufficiently high entropy in combination, but one or other
>> contains insufficient entropy on its own to resist guessing attacks.
>>
>>
>

Received on Monday, 21 July 2014 23:25:23 UTC