Re: consensus on :query ?

Like so: http://en.wikipedia.org/wiki/CRIME
-=R

On Mon, Jul 21, 2014 at 10:40 PM, Poul-Henning Kamp <phk@phk.freebsd.dk>
wrote:

> In message <CAP+FsNcaxeEhEpQCAteQUZGn03OXTv=MR8xz9nLZVDSU9nf8iA@mail.gmail.com>
> , Roberto Peon writes:
>
> >If the path contains:
> >/foo/RANDOM_NUMBER/bar
> >
> >and the query contains:
> >q=foo&user=SOME_SECRET_ID
> >
> >Then guessing:
> >/foo/RANDOM_NUMBER/bar?q=foo&user=SOME_SECRET_ID
> >
> >is far, far FAR more difficult than guessing:
> >  q=foo&user=SOME_SECRET_ID
> >alone or
> >  /foo/RANDOM_NUMBER/bar
> >alone.
>
> Only if you have an oracle to tell you that you got a hit.
>
> Could you outline exactly how this attack would work ?
>
> --
> Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG         | TCP/IP since RFC 956
> FreeBSD committer       | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.
>

Received on Tuesday, 22 July 2014 06:08:48 UTC
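The attack Roberto is pointing at, as an added worked example (not code from this thread, nor from any HTTP/2 or TLS implementation): a CRIME-style length oracle modelled with zlib's DEFLATE on a constructed request. The request layout, the secret value, the use of a Referer header as the attacker's injection point and the "~" terminator are all assumptions made for the illustration; the compressor is DEFLATE, as in CRIME, not HPACK. The point it makes concrete is phk's "oracle": the compressed size alone tells the attacker whether the last byte of a guess was right, so the secret falls one byte at a time, and the random path segment sitting in the same request does not enlarge the guess space for that attacker.

```python
"""CRIME-style compression oracle against a query-string secret.

Added example, not code from the thread or from any HTTP/2 stack. The
request layout, the secret, the Referer injection point and the '~'
terminator are constructed for illustration. The compressor is zlib's
DEFLATE (the CRIME setting), not HPACK.
"""
import string
import zlib

# Constructed secret the attacker is after (distinct characters, so each
# step of the walk-through is unambiguous).
SECRET_ID = "a7f3c"
# Candidate set the attacker assumes for each secret byte.
ALPHABET = string.ascii_lowercase + string.digits


def build_request(injected: str, secret_id: str = SECRET_ID) -> bytes:
    """What one DEFLATE context sees: the victim's request, whose query
    carries the secret, plus a header value the attacker steers (a Referer,
    as when the victim is lured to an attacker-controlled page). The random
    path segment is fixed per victim, as in the thread's example."""
    return (
        f"GET /foo/8813/bar?q=foo&user={secret_id} HTTP/1.1\r\n"
        f"Host: example.test\r\n"
        f"Referer: {injected}\r\n"
    ).encode()


def oracle(injected: str, secret_id: str = SECRET_ID) -> int:
    """The only thing the attacker observes: the compressed size on the wire
    (in CRIME, the TLS record length)."""
    return len(zlib.compress(build_request(injected, secret_id), 9))


def recover_secret(known_prefix: str = "user=", length: int = len(SECRET_ID),
                   secret_id: str = SECRET_ID):
    """Byte-at-a-time recovery. Returns (recovered secret, oracle queries).

    A guess that extends the real 'user=...' value by one correct byte is
    absorbed into the LZ77 back-reference; a wrong byte costs one extra
    literal, which under DEFLATE's fixed Huffman table is exactly 8 bits,
    so the right guess is the one whose request compresses smallest.
    """
    recovered = ""
    queries = 0
    for _ in range(length):
        best_char, best_size = None, None
        for c in ALPHABET:
            # '~' occurs nowhere else in the request, so a wrong guess cannot
            # be rescued by an accidental match with the bytes after it.
            size = oracle(known_prefix + recovered + c + "~", secret_id)
            queries += 1
            if best_size is None or size < best_size:
                best_char, best_size = c, size
        recovered += best_char
    return recovered, queries


if __name__ == "__main__":
    secret, queries = recover_secret()
    blind = len(ALPHABET) ** len(SECRET_ID)
    print(f"recovered {secret!r} with {queries} oracle queries; "
          f"guessing the whole value blind would take up to {blind} tries")
```

The work is linear in the secret's length times the alphabet (5 bytes × 36 candidates = 180 queries here) instead of exponential, which is the difference between "guess the whole string" and "have an oracle". Real CRIME has to cope with Huffman-coded and dynamic blocks, where a one-literal difference does not always land on a byte boundary; this model keeps the request short enough that zlib emits a fixed-Huffman block, which is why the comparison is exact.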