
Re: [apps-discuss] HTTP MAC Authentication Scheme

From: Adam Barth <ietf@adambarth.com>
Date: Wed, 1 Jun 2011 18:25:54 -0700
Message-ID: <BANLkTimnaYzyhkzkZJg2KBvx0R-Z-5QsFA@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: Eran Hammer-Lahav <eran@hueniverse.com>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, Ben Adida <ben@adida.net>, "http-state@ietf.org" <http-state@ietf.org>, OAuth WG <oauth@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
On Wed, Jun 1, 2011 at 5:15 PM, Mark Nottingham <mnot@mnot.net> wrote:
> On 02/06/2011, at 1:00 AM, Eran Hammer-Lahav wrote:
>> This was suggested before, but are there really attack vectors for this?
> If not having a current, working attack to demonstrate is a valid way to shrug off a security concern, that's great; it'll be a useful approach to many of the discussions I have. :)
>> The problem is that content-type is a pretty flexible header, which means normalization of the header will be required (case, parameter order, white space, etc.).
> The media type is the important part, and it's much more constrained.
>> I would argue that if you are using MAC with body hash and an attacker changing the media type can cause harm, you should use additional methods to secure the content-type (such as making the body self-describing).
> That seems like a step backwards, considering all of the work that Adam has put into limiting the use of sniffing.

Yeah, I tried to twist Eran's arm into including the media type in the
body hash too.  It's probably more important for responses than
requests, however.

Received on Thursday, 2 June 2011 01:26:53 UTC
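To make the point of this exchange concrete, here is an added example (not part of the archived thread, and not the HTTP MAC draft's actual normalized string or any implementation of it) of a request MAC that binds the media type alongside a body hash. The layout of the signed string, the SHA-256 body hash, the shared key, and the request values are all assumptions constructed for this illustration. Only the type/subtype is normalized into the MAC, which is what Mark's "the media type is the important part, and it's much more constrained" suggests: case, whitespace and parameters such as charset are ignored, so those cosmetic variations still verify, while swapping the media type on an otherwise unchanged body does not.

```python
import base64
import hashlib
import hmac


def media_type(content_type: str) -> str:
    """Reduce a Content-Type value to its media type: drop parameters,
    surrounding whitespace and case.  Parameters (e.g. charset) are
    deliberately left unbound, so only type/subtype is covered by the MAC."""
    return content_type.split(";", 1)[0].strip().lower()


def body_hash(body: bytes) -> str:
    """Base64 SHA-256 digest of the raw body (hypothetical choice of hash)."""
    return base64.b64encode(hashlib.sha256(body).digest()).decode("ascii")


def normalized_string(method: str, host: str, path: str,
                      content_type: str, body: bytes) -> bytes:
    """Hypothetical normalized request string covered by the MAC.
    The media type gets its own line, so changing it changes the MAC even
    when the body bytes, and therefore the body hash, stay the same."""
    lines = [
        method.upper(),
        host.lower(),
        path,
        media_type(content_type),
        body_hash(body),
        "",  # trailing newline terminator
    ]
    return "\n".join(lines).encode("utf-8")


def compute_mac(key: bytes, method: str, host: str, path: str,
                content_type: str, body: bytes) -> str:
    msg = normalized_string(method, host, path, content_type, body)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_mac(key: bytes, method: str, host: str, path: str,
               content_type: str, body: bytes, presented_mac: str) -> bool:
    """Server-side check; constant-time comparison avoids a timing side channel."""
    expected = compute_mac(key, method, host, path, content_type, body)
    return hmac.compare_digest(expected, presented_mac)


def demo() -> dict:
    """Constructed request; shows which in-transit modifications the MAC rejects."""
    key = b"constructed-shared-secret"  # constructed sample key, not a real credential
    method, host, path = "POST", "example.com", "/api/v1/transfer"
    content_type = "application/json; charset=utf-8"
    body = b'{"to": "acct-42", "amount": 10}'
    mac = compute_mac(key, method, host, path, content_type, body)

    return {
        # the request exactly as the client signed it
        "original": verify_mac(key, method, host, path, content_type, body, mac),
        # cosmetic Content-Type changes (case, whitespace, parameter) still verify
        "cosmetic_ct_change": verify_mac(key, method, host, path,
                                         "Application/JSON ;charset=UTF-8", body, mac),
        # media type swapped: same body, same body hash, but the MAC no longer matches
        "media_type_swapped": verify_mac(key, method, host, path,
                                         "text/html; charset=utf-8", body, mac),
        # a modified body is caught through the body hash, as before
        "body_tampered": verify_mac(key, method, host, path, content_type,
                                    b'{"to": "acct-99", "amount": 10}', mac),
    }


if __name__ == "__main__":
    for label, ok in demo().items():
        print(f"{label:20s} verifies={ok}")
```

The trade-off is visible in `media_type()`: leaving parameters out keeps normalization trivial (no parameter ordering or quoting rules to agree on), but it also means a changed charset is not detected; whether that matters depends on how the receiving side interprets the body. The same signed-string approach applies to a response by covering the response's Content-Type the same way, which is where Adam notes the protection matters most.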
