Re: Questions about draft-abarth-mime-sniff-00

On Mon, Apr 6, 2009 at 3:03 PM, Daniel Stenberg <daniel@haxx.se> wrote:
> On Mon, 6 Apr 2009, Adam Barth wrote:
>> Here the situation is reversed.  Diversity leads to increased security
>> risk because mismatches in sniffing create cracks that attackers can
>> exploit.
>
> No, that's the exact same situation as in biology. If there's a single
> master race with no quirks, it will conquer them all. But if that master has
> a flaw, everyone gets hit.
>
> Alas, if the one and only method is found to have a flaw at a future date,
> *all* browsers will have that flaw (assuming all would manage to and want to
> adhere to the same spec). Letting everyone do it their own way of course
> makes the risk of them all having the exact same flaw less likely.

I understand your perspective, but in this case the security issues
caused by mismatched sniffing algorithms are much more common.  For
example, a single byte difference in the content sniffing algorithm
between the server and the client can lead to vulnerabilities.  For a
concrete example we found in Wikipedia's content sniffer, see Section
2.5:

http://www.adambarth.com/papers/2009/barth-caballero-song.pdf

Adam

Received on Monday, 6 April 2009 22:56:38 UTC