- From: Mark Nottingham <mnot@mnot.net>
- Date: Thu, 2 Jun 2011 10:15:37 +1000
- To: Eran Hammer-Lahav <eran@hueniverse.com>
- Cc: "apps-discuss@ietf.org" <apps-discuss@ietf.org>, Ben Adida <ben@adida.net>, "http-state@ietf.org" <http-state@ietf.org>, OAuth WG <oauth@ietf.org>, "'Adam Barth (adam@adambarth.com)'" <adam@adambarth.com>, HTTP Working Group <ietf-http-wg@w3.org>
On 02/06/2011, at 1:00 AM, Eran Hammer-Lahav wrote:

> This was suggested before, but are there really attack vectors for this?

If not having a current, working attack to demonstrate is a valid way to shrug off a security concern, that's great; it'll be a useful approach to many of the discussions I have. :)

> The problem is that content-type is a pretty flexible header, which means normalization of the header will be required (case, parameter order, white space, etc.).

The media type is the important part, and it's much more constrained.

> I would argue that if you are using MAC with body hash and an attacker changing the media type can cause harm, you should use additional methods to secure the content-type (such as making the body self-describing).

That seems like a step backwards, considering all of the work that Adam has put into limiting the use of sniffing.

Cheers,

--
Mark Nottingham
http://www.mnot.net/
Received on Thursday, 2 June 2011 00:16:09 UTC
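The exchange above is about whether a MAC that covers a body hash but not the Content-Type lets an intermediary change how the server interprets the signed bytes, and whether binding only the media type (rather than the whole header) sidesteps the normalization problem Eran raises. The following is an added illustration, not code from the thread, the OAuth MAC draft, or either author: the signing string layout, the key, the URI and the request body are all constructed here, and the normalized request string is a simplified stand-in for whatever a real scheme would sign.

```python
import hashlib
import hmac
import re

# Constructed shared secret and request; not values from the draft or the thread.
KEY = b"constructed-shared-secret"
BODY = b'{"amount": 10}'

# RFC 7230 token characters; '-' is placed last so it is literal in the class.
_TOKEN = r"[!#$%&'*+.^_`|~0-9a-z-]+"
_MEDIA_TYPE = re.compile(rf"{_TOKEN}/{_TOKEN}")


def body_hash(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def normalized_media_type(content_type: str) -> str:
    """Keep only the lowercased type/subtype; drop parameters and whitespace.

    Normalizing the whole Content-Type header would mean canonicalizing case,
    parameter order and whitespace.  The media type alone is far more
    constrained, so that is the only part this example binds into the MAC.
    """
    media = content_type.split(";", 1)[0].strip().lower()
    if not _MEDIA_TYPE.fullmatch(media):
        raise ValueError(f"malformed media type: {content_type!r}")
    return media


def request_mac(method: str, uri: str, body: bytes,
                content_type: str, bind_media_type: bool) -> str:
    """HMAC over a simplified, hypothetical normalized request string.

    With bind_media_type=False the string covers method, URI and body hash
    only, so the Content-Type header is outside the integrity protection.
    """
    parts = [method.upper(), uri, body_hash(body)]
    if bind_media_type:
        parts.append(normalized_media_type(content_type))
    msg = ("\n".join(parts) + "\n").encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def verify(method: str, uri: str, body: bytes, content_type: str,
           tag: str, bind_media_type: bool) -> bool:
    expected = request_mac(method, uri, body, content_type, bind_media_type)
    return hmac.compare_digest(expected, tag)


def media_type_swap_survives_body_only_mac() -> bool:
    """Client signs body only; an intermediary rewrites just the header."""
    tag = request_mac("POST", "/api/transfer", BODY,
                      "application/json", bind_media_type=False)
    # Body bytes and tag are untouched, so the server accepts the request
    # while being told to parse BODY as something other than JSON.
    return verify("POST", "/api/transfer", BODY, "text/plain",
                  tag, bind_media_type=False)


def media_type_swap_rejected_when_bound() -> tuple:
    """Bind the normalized media type: benign spelling variants still verify,
    a changed media type does not."""
    tag = request_mac("POST", "/api/transfer", BODY,
                      "application/json", bind_media_type=True)
    variant_ok = verify("POST", "/api/transfer", BODY,
                        "Application/JSON; charset=utf-8", tag, True)
    swapped_ok = verify("POST", "/api/transfer", BODY,
                        "text/plain", tag, True)
    return variant_ok, swapped_ok


if __name__ == "__main__":
    print("header swap accepted with body-only MAC:",
          media_type_swap_survives_body_only_mac())
    print("(variant accepted, swap accepted) with media type bound:",
          media_type_swap_rejected_when_bound())
```

One caveat on the design choice: binding only type/subtype is exactly what avoids canonicalizing the full header, but it also leaves parameters such as `charset` or a multipart `boundary` unauthenticated, so a deployment has to decide whether any of those parameters change how the body is interpreted before settling for the media type alone.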