- From: Willy Tarreau <w@1wt.eu>
- Date: Fri, 18 Jan 2013 19:18:19 +0100
- To: Roberto Peon <grmocg@gmail.com>
- Cc: RUELLAN Herve <Herve.Ruellan@crf.canon.fr>, Nico Williams <nico@cryptonector.com>, Martin J. Dürst <duerst@it.aoyama.ac.jp>, Mark Nottingham <mnot@mnot.net>, James M Snell <jasnell@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Hi Roberto,

On Fri, Jan 18, 2013 at 09:22:11AM -0800, Roberto Peon wrote:
> This makes URLs vulnerable to the CRIME attack, and URLs definitely do
> contain sensitive information often :(
>
> This is true for anything which allows partial matches (I just can't figure
> out how date could be sensitive, but if it could, even the encoding
> suggested earlier by me would be dangerous).
>
> I dropped exactly this (prefix match) functionality from delta early on
> because of this.

If we consider that anything is sensible to the CRIME attack, then we need to go fully stateless I guess, otherwise it will be too hard to find out what is safe to reuse and what is risky :-/

Willy
Received on Friday, 18 January 2013 18:18:55 UTC
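The point both messages turn on is that a header encoding which allows partial (prefix) matches against earlier values lets the compressed length depend on how much of a secret the new value shares, which is the CRIME side channel; an encoding that only references an exact earlier value, or no earlier value at all, does not. The following is an added illustration, not code from the thread or from any proposed header-compression draft: a toy delta-style encoder with prefix matching beside one with exact-match-only references, and a check that measures whether compressed length varies across equal-length candidate values when the previous value is the secret. The URL and token values are constructed sample data.

```python
# Added example (not from the thread): why prefix matching in a header
# compression context leaks through compressed length, and why an
# exact-match-or-literal encoding does not.

def common_prefix_len(a: str, b: str) -> int:
    """Number of leading characters shared by a and b."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def encode_prefix_match(previous: str, value: str) -> bytes:
    """Toy delta encoding WITH partial matches: one byte giving the length of
    the prefix shared with the previous value, then the rest as a literal.
    (Toy format: values are assumed shorter than 256 characters.)"""
    n = common_prefix_len(previous, value)
    return bytes([n]) + value[n:].encode()


def encode_exact_match(previous: str, value: str) -> bytes:
    """Toy encoding WITHOUT partial matches: a one-byte reference when the
    value equals the previous one exactly, otherwise a literal of the whole
    value. Compressed length then depends only on the value's own length."""
    if value == previous:
        return b"\x01"
    return b"\x00" + value.encode()


def compressed_lengths(encoder, secret: str, candidates) -> dict:
    """Compressed length of each candidate when `secret` is the previous
    value held in the compression context."""
    return {c: len(encoder(secret, c)) for c in candidates}


def leaks(encoder, secret: str, candidates) -> bool:
    """True if equal-length, non-matching candidates compress to different
    sizes: the context then reveals something about `secret` through the
    length alone, which is the CRIME concern raised in the thread.
    Candidates must all have the same length so that literal size is a
    constant and only context reuse can explain a difference."""
    lengths = {len(c) for c in candidates}
    if len(lengths) != 1:
        raise ValueError("candidates must have equal length for a fair comparison")
    sizes = {len(encoder(secret, c)) for c in candidates if c != secret}
    return len(sizes) > 1


# Constructed sample data: a previously sent URL carrying a secret token,
# and two equal-length candidate URLs differing only in their last character.
SECRET_URL = "/account?token=abc123"
CANDIDATES = ["/account?token=a", "/account?token=z"]

if __name__ == "__main__":
    for name, enc in [("prefix match", encode_prefix_match),
                      ("exact match only", encode_exact_match)]:
        print(name, compressed_lengths(enc, SECRET_URL, CANDIDATES),
              "leaks" if leaks(enc, SECRET_URL, CANDIDATES) else "no leak")
```

With prefix matching, the candidate that shares one more character with the secret compresses one byte shorter, so the length alone distinguishes them; with exact-match-only references both candidates are literals of identical size. This is the property a "fully stateless" encoding trivially has, and the check above is what one would run against any proposed reuse rule before deciding it is safe.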