RE: Questions about draft-abarth-mime-sniff-00 from Blake Frantz on 2009-04-07 (ietf-http-wg@w3.org from April to June 2009)

From: Blake Frantz <bfrantz@cisecurity.org>
Date: Mon, 6 Apr 2009 20:40:42 -0500
To: 'Adrien de Croy' <adrien@qbik.com>, Michaeljohn Clement <mj@mjclement.com>
CC: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <4C374A2653EB5E43AF886CE70DFC56726693C59C@34093-MBX-C03.mex07a.mlsrvr.com>

I would argue that the algorithm can't be "wrong" provided all content consumers attempting to sniff content type use the same algorithm.

I agree with Adam that, from a security perspective, we need to standardize on how content consumers determine the type of the content. The need for such convergence will continue to grow as web applications continue to take ownership of other's content.  Adam has demonstrated this in http://www.adambarth.com/papers/2009/barth-caballero-song.pdf but the same condition effects many other sites. 

Blake

-----Original Message-----
From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-request@w3.org] On Behalf Of Adrien de Croy
Sent: Monday, April 06, 2009 4:41 PM
To: Michaeljohn Clement
Cc: Daniel Stenberg; HTTP Working Group
Subject: Re: Questions about draft-abarth-mime-sniff-00

Michaeljohn Clement wrote:
> Daniel Stenberg wrote:
>   
>> On Mon, 6 Apr 2009, Adam Barth wrote:
>>     
>>> Here the situation is reversed.  Diversity leads to increased security
>>> risk because mismatches in sniffing create cracks that attackers can
>>> exploit.
>>>       
>> No, that's the exact same situation as in biology. If there's a single
>> master race with no quirks, it will conquer them all. But if that master
>> has a flaw, everyone gets hit.
>>     
>
> Ah, the dangers of taking an analogy too far...
>
> In biology we usually talk about whether a species survives or not.  
> The analogy fails because in browser security, having an exploitable 
> hole in one browser is unacceptable.  The goal isn't to throw a range 
> of genetic diversity against a potential extinction event and hope that 
> a few individuals make it alive out the other side; the goal is to 
> provide a secure browsing experience for *all* users.
>   
sure that's the goal.  But what if you get the algorithm wrong?  It's 
still humans designing this right?  If there is an exploit to the 
algorithm, then potentially any browser that uses it is vulnerable.

It's difficult to foresee the future.  It's also difficult to guarantee 
that the algorithm will be bullet-proof forever and withstand any attack.

The potential down-side if all browsers are found to have a 
vulnerability is difficult to estimate.  It could be enormous.

> -Michaeljohn
>
>   

-- 
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com

Received on Tuesday, 7 April 2009 01:41:49 UTC