Re: http+aes from Eric Rescorla on 2012-03-07 (uri@w3.org from March 2012)

From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 6 Mar 2012 17:06:03 -0800
To: Ian Hickson <ian@hixie.ch>
Cc: "Manger, James H" <James.H.Manger@team.telstra.com>, Carsten Bormann <cabo@tzi.org>, Adrien de Croy <adrien@qbik.com>, Poul-Henning Kamp <phk@phk.freebsd.dk>, Willy Tarreau <w@1wt.eu>, URI <uri@w3.org>, HTTP Working Group <ietf-http-wg@w3.org>, Anne van Kesteren <annevk@opera.com>
Message-ID: <CABcZeBMxHTugS9mRfyZEPHWXPAJF4voqXfcAZ+q=A8-cqMoqZQ@mail.gmail.com>

On Tue, Mar 6, 2012 at 4:23 PM, Ian Hickson <ian@hixie.ch> wrote:

>
>> I hope a 500 error with a response body containing javascript cannot get
>> the http+aes URL from, say, window.location.
>
> A 500 error containing JS would be garbled and so couldn't access the URL.

Ian,

If I understand your reasoning here, it's that the body of the error would be
encrypted by an unknown key and therefore the attacker cannot put chosen
JS here?

If so, that's not obviously correct. Consider the case where the header of
the content is known (e.g., because it contains meta-information about
the content). In that case, an attacker can use the properties of CTR to
produce a ciphertext that maps to a predictable plaintext, thus
mounting the attack described here.

Best,
-Ekr

Received on Wednesday, 7 March 2012 01:13:38 UTC