
Re: Transfer-codings, mandatory content-coding support and intermediaries

From: Albert Lunde <atlunde@panix.com>
Date: Mon, 21 Apr 2014 08:54:53 -0500
Message-ID: <5355232D.6070108@panix.com>
To: Matthew Kerwin <matthew@kerwin.net.au>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
> An alternative which I'm starting to imagine might be to use END_SEGMENT
> to delineate secret data and potentially-attacker-supplied data; that
> way we can ensure that the two sets of data never end up in the same
> DATA frame / compression context. That resolves the vulnerability I'm
> aware of introduced by compression; I don't know how to protect against
> vulnerabilities of which I'm not aware, in anything.

My impression was that attacks using compression as an oracle to reveal 
secret data in turn are driven by using JavaScript to manipulate requests.

I doubt that most web browser clients have a security model
that can reliably identify "potentially-attacker-supplied data"; too
much of the content, including JavaScript, _is_
potentially-attacker-supplied, and there are too many back doors from
one context to another.
Received on Monday, 21 April 2014 13:56:00 UTC
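
The following is an added example, not part of the original message or the thread. It measures the length signal discussed above with Python's zlib, comparing one shared compression context against separate contexts for secret and attacker-influenced bytes. The sample values and function names are constructed, separate zlib contexts stand in for the segment boundary, and the sender is assumed to already know which bytes are secret, which is the classification the reply doubts.

```python
import zlib

# Constructed sample data; not taken from the thread.
SECRET = b"Cookie: session=7f3a9c2e41d8b6a05e9f\r\n"
DECOY = b"Cookie: session=b81e5d07c4a96f0e2d1b\r\n"   # same shape, different token
REFLECTED = b"GET /?q=session=7f3a9c2e41d8b6a05e9f"    # attacker-influenced bytes


def shared_context_cost(secret: bytes, attacker: bytes) -> int:
    """Extra compressed bytes the attacker data adds when it is deflated
    in the same context as the secret (one DATA frame, in the thread's terms)."""
    return len(zlib.compress(secret + attacker)) - len(zlib.compress(secret))


def segmented_cost(secret: bytes, attacker: bytes) -> int:
    """Extra compressed bytes when the attacker data gets its own context.
    The secret is compressed separately, so it cannot act as a dictionary."""
    _ = zlib.compress(secret)  # still sent, but in a separate context
    return len(zlib.compress(attacker))


def size_signal(cost_fn) -> int:
    """How much the observable size changes with the secret's value for the
    same attacker-influenced bytes. Zero means no length oracle."""
    return cost_fn(DECOY, REFLECTED) - cost_fn(SECRET, REFLECTED)


if __name__ == "__main__":
    print("shared context signal:   ", size_signal(shared_context_cost), "bytes")
    print("segmented context signal:", size_signal(segmented_cost), "bytes")
```

The shared context shows a non-zero signal because the reflected bytes compress to a back-reference only when the secret matches; the segmented case is zero by construction.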
