
Re: Security implications of gzip #423

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Fri, 14 Mar 2014 01:41:54 +0100
To: Martin Thomson <martin.thomson@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <6tj4i9prf2qjim0v2gh6noifh5l8iesabe@hive.bjoern.hoehrmann.de>

* Martin Thomson wrote:
>Proposed text:

>   There are demonstrable attacks on compression that exploit the
>   characteristics of the web platform (e.g., [BREACH]).  The attacker
>   induces multiple requests containing varying plaintext, observing the
>   length of the resulting ciphertext in each, which reveals a shorter
>   length when a guess about the secret is correct.

I think "web platform" is a word to be avoided; one reason is that the
second result on Google for me is "By downloading and using the Web
Platform Installer (WebPI), you agree to the license terms and privacy
statement for WebPI." and the third "With the Microsoft Web Platform you
get more than just a powerful set of tools, servers and technologies.
You get a complete eco-system of products" and I am not sure whether at
least those two refer to the same thing. The characteristics should be
spelled out if they are important.

Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Friday, 14 March 2014 00:42:24 UTC
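
The length signal described in the quoted proposed text can be measured on a response before deciding whether it is safe to compress. The following is an added example, not part of the original message or of the proposed specification text; the token, page template and function names are constructed for illustration, and the masking variant (XOR with a fresh per-response pad) is included as an assumption about one commonly described countermeasure.

```python
import os
import zlib

# Constructed sample values; none of them come from the original message.
SECRET = "9f2c7a1be4d05836c1a7f90b3e6d2458"   # hypothetical per-session token
WRONG = "4b8e0d6f3a91c27e5f08b1d4a6c39e70"    # same length, unrelated value
PAGE = '<form><input name="csrf" value="{token}"></form><p>Results for {q}</p>'


def compressed_len(token_field: str, reflected: str) -> int:
    """Length of the compressed body, the quantity visible on the wire."""
    body = PAGE.format(token=token_field, q=reflected).encode()
    return len(zlib.compress(body, 9))


def mask(secret_hex: str, pad: bytes) -> str:
    """Per-response masking: emit pad || (secret XOR pad), hex-encoded.
    The receiver recovers the secret by XORing the two halves."""
    raw = bytes.fromhex(secret_hex)
    return pad.hex() + bytes(a ^ b for a, b in zip(raw, pad)).hex()


def length_gap(token_field: str) -> int:
    """Bytes saved when the reflected input equals SECRET rather than WRONG.
    A large positive value means the response length depends on the secret."""
    return compressed_len(token_field, WRONG) - compressed_len(token_field, SECRET)


def report(pad: bytes) -> dict:
    """Compare the gap for the raw token with the gap for a masked token."""
    return {"plain": length_gap(SECRET), "masked": length_gap(mask(SECRET, pad))}


if __name__ == "__main__":
    # With a fresh pad per response the masked gap stays near zero,
    # while the plain gap is tens of bytes.
    print(report(os.urandom(16)))
```
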
