Re: Transfer-codings, mandatory content-coding support and intermediaries

> An alternative which I'm starting to imagine might be to use END_SEGMENT
> to delineate secret data and potentially-attacker-supplied data; that
> way we can ensure that the two sets of data never end up in the same
> DATA frame / compression context. That resolves the vulnerability I'm
> aware of introduced by compression; I don't know how to protect against
> vulnerabilities of which I'm not aware, in anything.

My impression was that attacks using compression as an oracle to reveal 
secret data in turn are driven by using JavaScript to manipulate requests.

I doubt that most web browser clients have a security model
that can reliably identify "potentially-attacker-supplied data"; too 
much of the content, including JavaScript, _is_ 
potentially-attacker-supplied, and there are too many back doors from 
one context to another.

Received on Monday, 21 April 2014 13:56:00 UTC
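The property the quoted proposal relies on can be checked directly. The following is an added example, not code from this thread or from any HTTP/2 draft. It models "separate DATA frame / compression context" as separate raw DEFLATE streams, which is an assumption, and all names and sample values are constructed.

```python
import zlib

# Constructed sample data (not from the thread): two possible secrets and
# two equal-length untrusted inputs, one of which repeats SECRET_A's token.
SECRET_A = b"Cookie: session=7f3a9c1e5b2d48a6c0e1f9b3d5a7c2e4\r\n"
SECRET_B = b"Cookie: session=c4e19a06b7d3f58e2a6c0d9b1f47e3a5\r\n"
GUESS_HIT = b"session=7f3a9c1e5b2d48a6c0e1f9b3d5a7c2e4"
GUESS_MISS = b"session=0b6d2f8e4a1c93e7d5f0a2b4c6e8d1f3"


def deflate_len(data: bytes) -> int:
    """Length of data compressed in a fresh raw-DEFLATE context."""
    ctx = zlib.compressobj(9, zlib.DEFLATED, -15)
    return len(ctx.compress(data) + ctx.flush())


def wire_size(secret: bytes, untrusted: bytes, shared_context: bool) -> int:
    """Bytes on the wire when secret and untrusted data share a context or not."""
    if shared_context:
        return deflate_len(secret + untrusted)
    # Separate contexts: the untrusted segment cannot back-reference the secret.
    return deflate_len(secret) + deflate_len(untrusted)


def size_gap(secret: bytes, shared_context: bool) -> int:
    """Observable size difference between the two untrusted inputs."""
    return (wire_size(secret, GUESS_HIT, shared_context)
            - wire_size(secret, GUESS_MISS, shared_context))


if __name__ == "__main__":
    for label, shared in (("shared context", True), ("separate contexts", False)):
        # A gap that changes with the secret is a length side channel.
        print(label, size_gap(SECRET_A, shared), size_gap(SECRET_B, shared))
```

With separate contexts the secret's compressed length cancels out of the gap, so the observable difference depends only on the untrusted data. This says nothing about whether a client can classify data as untrusted in the first place, which is the objection raised in the reply.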