- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Fri, 21 Mar 2014 15:25:35 +0100
- To: Nicolas Mailhot <nicolas.mailhot@laposte.net>
- CC: Bjoern Hoehrmann <derhoermi@gmx.net>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>, Gabriel Montenegro <gabriel.montenegro@microsoft.com>
On 2014-03-21 14:58, Nicolas Mailhot wrote:
> ...
>> What I don't understand is how an out-of-band signal that can be
>> incorrect helps. If this is about security-related checks, you can't
>> trust it anyway, no?
>
> In a security context if something is suspicious you block/fail/error out
> and don't ask questions.
>
> With undefined encoding everything is suspicious so you can't act because
> it may be normal.

Again: what makes the out-of-band signal trustworthy? If it is used for security-related checks, and it gets trusted, then attackers *will* forge it.

Best regards, Julian
Received on Friday, 21 March 2014 14:31:57 UTC