W3C home > Mailing lists > Public > public-webapps@w3.org > October to December 2011

Re: [XHR] chunked requests

From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 8 Dec 2011 17:13:50 -0800
Message-ID: <CABcZeBMTJyuVKd2V2Yr7yi5ovsMH-11WuRPe5EJkyJSyFtQjvA@mail.gmail.com>
To: Adam Barth <w3c@adambarth.com>
Cc: Jonas Sicking <jonas@sicking.cc>, Wenbo Zhu <wenboz@google.com>, public-webapps@w3.org, Ian Hickson <ian@hixie.ch>
On Thu, Dec 8, 2011 at 5:07 PM, Adam Barth <w3c@adambarth.com> wrote:
> Keep in mind that streamed or chunked uploads will expose the ability
> to exploit the BEAST vulnerability in SSL:
>
> http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html

Right. Specifically, it needs to be a cross-origin streamed request without
significant uncontrollable headers and/or masking.


> Whatever spec we end up going with should note in its security
> consideration that the user agent must implement TLS 1.2 or greater to
> avoid this attack.

I believe it's actually TLS 1.1, since the relevant feature is
explicit IVs. Or you
could allow RC4, I guess.

Best,
-Ekr
Received on Friday, 9 December 2011 01:16:13 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:49 GMT