
Re: consensus on :query ?

From: Roberto Peon <grmocg@gmail.com>
Date: Mon, 21 Jul 2014 16:36:56 -0700
Message-ID: <CAP+FsNdGc991mwWyGUtcOyr-sqBwuY+-2e_uP4Cmzjj=2Xw=dg@mail.gmail.com>
To: Adrien de Croy <adrien@qbik.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, Willy Tarreau <w@1wt.eu>, Poul-Henning Kamp <phk@phk.freebsd.dk>, Phil Hunt <phil.hunt@oracle.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
You're missing the nature of the attack.

The nature of the attack is to cause the client to emit packets, and to
look at the size of the packets.
If you've compressed something, then the packet (at least without padding)
is smaller.
This implies that a 3rd party can send links to the browser and, while
watching the output size, figure out when it 'hit' something in the
compression context.

The fact that the server is sending 4XXs or 5XXs really doesn't come into
it (except that it is a hint to the server that there might be a malicious
attacker and it should set the compression context size to zero).
-=R



On Mon, Jul 21, 2014 at 4:33 PM, Adrien de Croy <adrien@qbik.com> wrote:

>
> Sorry I still don't understand.
>
> If the server needs both a correct path and correct query to provide the
> desired response, then surely you need to guess both.
>
> Or are we suggesting that path can be guessed independently because
> there's a different status returned for invalid query vs invalid path?
>
> In which case how does that differ from now?
>
>
> ------ Original Message ------
> From: "Roberto Peon" <grmocg@gmail.com>
> To: "Adrien de Croy" <adrien@qbik.com>
> Cc: "Martin Thomson" <martin.thomson@gmail.com>; "Willy Tarreau" <w@1wt.eu>;
> "Poul-Henning Kamp" <phk@phk.freebsd.dk>; "Phil Hunt" <
> phil.hunt@oracle.com>; "Mark Nottingham" <mnot@mnot.net>; "HTTP Working
> Group" <ietf-http-wg@w3.org>
> Sent: 22/07/2014 11:24:56 a.m.
> Subject: Re: consensus on :query ?
>
>
> If the path contains:
> /foo/RANDOM_NUMBER/bar
>
> and the query contains:
> q=foo&user=SOME_SECRET_ID
>
> Then guessing:
>  /foo/RANDOM_NUMBER/bar?q=foo&user=SOME_SECRET_ID
>
> is far, far FAR more difficult than guessing:
>    q=foo&user=SOME_SECRET_ID
> alone or
>    /foo/RANDOM_NUMBER/bar
> alone.
>
>
> -=R
>
>
> On Mon, Jul 21, 2014 at 4:21 PM, Adrien de Croy <adrien@qbik.com> wrote:
>
>>
>> I don't see how it makes any difference.  Splitting something in two
>> (path?query vs. path, query) doesn't add or subtract information or alter
>> entropy.  It's just a different way of parsing.
>>
>>
>>
>> ------ Original Message ------
>> From: "Martin Thomson" <martin.thomson@gmail.com>
>> To: "Willy Tarreau" <w@1wt.eu>
>> Cc: "Roberto Peon" <grmocg@gmail.com>; "Poul-Henning Kamp" <
>> phk@phk.freebsd.dk>; "Phil Hunt" <phil.hunt@oracle.com>; "Mark
>> Nottingham" <mnot@mnot.net>; "HTTP Working Group" <ietf-http-wg@w3.org>
>> Sent: 22/07/2014 1:20:27 a.m.
>> Subject: Re: consensus on :query ?
>>
>> On 21 July 2014 00:53, Willy Tarreau <w@1wt.eu> wrote:
>>>
>>>>
>>>>  I'm not sure what you mean, we're speaking about having a single :query
>>>>  for whatever follows the question mark, right ? If so, all the params
>>>>  must be tried as a single block.
>>>>
>>>
>>> Yes, but there could be cases where the combination of path and query
>>> contains sufficiently high entropy in combination, but one or the other
>>> contains insufficient entropy on its own to resist guessing attacks.
>>>
>>>
>>
>
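The size oracle described in this message and in the earlier :path/:query exchange, as an added example that is not part of the thread: a toy indexed header compressor (a simplified stand-in for a dynamic table, not HPACK itself) shows that a request carrying the correct query compresses smaller only when :query is a separate field, and that a zero-size compression context, the mitigation Roberto Peon mentions, removes the difference. The path, query, table size and the 1-byte index cost are constructed for the illustration.

```python
# Toy model of an indexing header compressor (added example; a simplified
# stand-in for a dynamic table, not HPACK itself). A header whose name+value
# already sits in the shared table is sent as a 1-byte index; anything else
# costs a length byte plus the literal bytes. max_table=0 models a zero-size
# compression context, i.e. the mitigation named in the message above.
from typing import List, Tuple

class ToyHeaderCompressor:
    def __init__(self, max_table: int = 64) -> None:
        self.max_table = max_table
        self.table: List[str] = []  # shared dynamic table, oldest first

    def encode(self, headers: List[Tuple[str, str]]) -> int:
        """Return the on-wire size in bytes of one request's headers."""
        size = 0
        for name, value in headers:
            entry = f"{name}: {value}"
            if entry in self.table:
                size += 1                 # indexed: one byte, value not resent
            else:
                size += 1 + len(entry)    # literal: length byte + entry bytes
                if self.max_table > 0:    # zero-size context never indexes
                    self.table.append(entry)
                    if len(self.table) > self.max_table:
                        self.table.pop(0)
        return size

# Constructed victim request; the placeholders follow the thread's example.
PATH = "/foo/8675309/bar"
QUERY = "q=foo&user=SOME_SECRET_ID"

def headers(split: bool, path: str, query: str) -> List[Tuple[str, str]]:
    """Single :path carrying '?query' vs separate :path and :query fields."""
    if split:
        return [(":path", path), (":query", query)]
    return [(":path", f"{path}?{query}")]

def request_size(split: bool, path: str, query: str, max_table: int = 64) -> int:
    """Size of an attacker-influenced request sent after the victim's own."""
    comp = ToyHeaderCompressor(max_table)
    comp.encode(headers(split, PATH, QUERY))   # victim's request fills the table
    return comp.encode(headers(split, path, query))

def query_hit_signal(split: bool, max_table: int = 64) -> int:
    """Bytes saved when only the query is guessed right (path still wrong)."""
    wrong_path = "/foo/0000000/bar"            # same length as PATH
    wrong_query = "q=foo&user=XXXXXXXXXXXXXX"  # same length as QUERY
    miss = request_size(split, wrong_path, wrong_query, max_table)
    hit = request_size(split, wrong_path, QUERY, max_table)
    return miss - hit   # 0 means packet size reveals nothing about the query
```

With the combined :path the guess must match path and query together to shrink the request (signal 0 for a query-only hit), while separate fields make a query-only hit visible as 33 saved bytes; with the table disabled the signal is 0 again.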
Received on Monday, 21 July 2014 23:37:23 UTC