- From: Adam Barth <w3c@adambarth.com>
- Date: Mon, 6 Apr 2009 15:55:48 -0700
- To: Daniel Stenberg <daniel@haxx.se>
- Cc: Adrien de Croy <adrien@qbik.com>, Lisa Dusseault <lisa.dusseault@messagingarchitects.com>, HTTP Working Group <ietf-http-wg@w3.org>

On Mon, Apr 6, 2009 at 3:03 PM, Daniel Stenberg <daniel@haxx.se> wrote:
> On Mon, 6 Apr 2009, Adam Barth wrote:
>> Here the situation is reversed. Diversity leads to increased security
>> risk because mismatches in sniffing create cracks that attackers can
>> exploit.
>
> No, that's the exact same situation as in biology. If there's a single
> master race with no quirks, it will conquer them all. But if that master has
> a flaw, everyone gets hit.
>
> Alas, if the one and only method is found to have a flaw at a future date,
> *all* browsers will have that flaw (assuming all would manage to and want to
> adhere to the same spec). Letting everyone do it their own way of course
> makes the risk of them all having the exact same flaw less likely.

I understand your perspective, but in this case the security issues
caused by mismatched sniffing algorithms are much more common. For
example, a single byte difference in the content sniffing algorithm
between the server and the client can lead to vulnerabilities. For a
concrete example we found in Wikipedia's content sniffer, see Section
2.5:

http://www.adambarth.com/papers/2009/barth-caballero-song.pdf

Adam

Received on Monday, 6 April 2009 22:56:38 UTC
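
An added illustration of the point in the message above, that a one-byte difference between a server's and a client's sniffing algorithm is enough to make them classify the same content differently; it is not code from the message or from the cited paper. Both sniffers, the window sizes, the tag list and the samples are constructed toy models, not the behaviour of any real server or browser.

```python
# Added illustration: both sniffers are constructed toy models, not the
# algorithm of any real server or browser.
HTML_TAGS = (b"<html", b"<script", b"<body")
GIF_MAGIC = (b"GIF87a", b"GIF89a")


def sniff(data: bytes, window: int) -> str:
    """Classify content, scanning only the first `window` bytes for HTML tags."""
    head = data[:window].lower()
    if any(tag in head for tag in HTML_TAGS):
        return "text/html"
    if data.startswith(GIF_MAGIC):
        return "image/gif"
    return "application/octet-stream"


def tagged_gif(tag_offset: int) -> bytes:
    """Constructed sample: GIF magic, zero padding, then an inert tag prefix."""
    magic = b"GIF89a"
    return magic + b"\x00" * (tag_offset - len(magic)) + b"<script"


def disagreements(samples: dict, server_window: int, client_window: int) -> list:
    """Return (name, server_type, client_type) where the two sniffers differ."""
    found = []
    for name, data in samples.items():
        server_type = sniff(data, server_window)
        client_type = sniff(data, client_window)
        if server_type != client_type:
            found.append((name, server_type, client_type))
    return found


SAMPLES = {
    "plain_gif": b"GIF89a" + b"\x00" * 300,
    "tag_at_248": tagged_gif(248),  # tag occupies offsets 248-254: both windows see it
    "tag_at_249": tagged_gif(249),  # tag occupies offsets 249-255: only a 256-byte window sees it
}

if __name__ == "__main__":
    # Windows differ by one byte: one sample is classified differently.
    print(disagreements(SAMPLES, server_window=255, client_window=256))
    # Identical windows: the two sides cannot disagree.
    print(disagreements(SAMPLES, server_window=256, client_window=256))
```

Running the same comparison over a corpus of real uploads, with faithful models of the two sides in place of the toy `sniff`, turns this into a regression check for sniffing mismatches.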