W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2009

Re: Questions about draft-abarth-mime-sniff-00

From: Bill McQuillan <McQuilWP@pobox.com>
Date: Mon, 6 Apr 2009 17:11:16 -0700
Message-ID: <19529522.20090406171116@pobox.com>
To: IETF HTTP WG <ietf-http-wg@w3.org>

On Mon, 2009-04-06, Adrien de Croy wrote:
> Michaeljohn Clement wrote:
>> Daniel Stenberg wrote:
>> Ah, the dangers of taking an analogy too far...
>> In biology we usually talk about whether a species survives or not.  
>> The analogy fails because in browser security, having an exploitable 
>> hole in one browser is unacceptable.  The goal isn't to throw a range 
>> of genetic diversity against a potential extinction event and hope that 
>> a few individuals make it alive out the other side; the goal is to 
>> provide a secure browsing experience for *all* users.
> sure that's the goal.  But what if you get the algorithm wrong?  It's 
> still humans designing this right?  If there is an exploit to the 
> algorithm, then potentially any browser that uses it is vulnerable.

> It's difficult to foresee the future.  It's also difficult to guarantee 
> that the algorithm will be bullet-proof forever and withstand any attack.

> The potential down-side if all browsers are found to have a 
> vulnerability is difficult to estimate.  It could be enormous.

Not to worry. I am sure that before all browsers have upgraded to the
standard, someone will come up with an "improved" algorithm (or think she
has) and will implement that instead since it is "just an efficiency
improvement" thus starting a fork that will quickly lead to a "new

And she won't be the only one.

Bill McQuillan <McQuilWP@pobox.com>
Received on Tuesday, 7 April 2009 00:24:18 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:13:39 UTC