
Re: draft-montenegro-httpbis-uri-encoding

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 21 Mar 2014 15:54:19 +0100
Message-ID: <532C529B.8020302@gmx.de>
To: Nicolas Mailhot <nicolas.mailhot@laposte.net>
CC: Bjoern Hoehrmann <derhoermi@gmx.net>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>, Gabriel Montenegro <gabriel.montenegro@microsoft.com>
On 2014-03-21 15:43, Nicolas Mailhot wrote:
> ...
> The signal is not used for security checks. The URLs are used for security
> checks. Discrepancies between declared encoding and URL content are one
> cause for suspicion. Lack of clear encoding rules does not make the whole
> thing more secure, it removes one parameter to check against, and prevents
> writing of other security checks due to unknown encoding fog.
>
> And, in theory, malware should respect 100% of all specs to avoid detection
> when triggering conformance checks, but in the actual world it does not,
> because its aim is to work well enough for one campaign, not to work reliably
> on all possible web sites like a full browser. And even if malware started
> respecting 100% of all specs you would still win because you'd have
> removed the corner cases it could try to exploit.
> ...

Nicolas,

I'll ask again: please present a *concrete* example where the 
out-of-band metadata helps. This would include a description of where 
the request comes from, what gets on the wire, what kind of checks your 
code does, and what it would do differently when it gets the encoding 
metadata.

Best regards, Julian
Received on Friday, 21 March 2014 14:54:59 UTC
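The kind of check Nicolas describes (a declared encoding compared against the bytes actually present in the URL), written out as an added illustration that is not part of this thread and not taken from the draft. It assumes the declared charset reaches the checker as a plain string (the draft's signalling mechanism itself is not reproduced here) and runs over constructed sample request paths; a mismatch is reported as a finding rather than acted on, which is what a logging or inspection layer would do.

```python
import codecs
import re
from urllib.parse import unquote_to_bytes

# Constructed samples: the percent-encoded path as seen on the wire beside the
# charset the sender declared out of band.
SAMPLE_REQUESTS = [
    ("/caf%C3%A9", "utf-8"),        # consistent: UTF-8 bytes, declared UTF-8
    ("/caf%E9", "utf-8"),           # mismatch: a lone 0xE9 is not valid UTF-8
    ("/caf%E9", "iso-8859-1"),      # consistent: Latin-1 byte, declared Latin-1
    ("/caf%C3%A9", "iso-8859-1"),   # likely mislabelled: bytes form valid UTF-8
    ("/x%zz", "utf-8"),             # malformed percent-escape
]

# A '%' that is not followed by two hex digits is not a valid escape.
_BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def check_uri_encoding(path: str, declared: str) -> dict:
    """Compare a declared charset with the percent-decoded bytes of a URI path.

    Returns {"decoded": str or None, "findings": [str, ...], "suspicious": bool}.
    """
    findings = []

    # RFC 3986 URIs are ASCII on the wire; raw control or 8-bit characters mean
    # the sender did not percent-encode at all.
    if any(ord(ch) < 0x20 or ord(ch) > 0x7E for ch in path):
        findings.append("unescaped control or non-ASCII characters in path")

    if _BAD_ESCAPE.search(path):
        findings.append("malformed percent-escape (% not followed by two hex digits)")

    try:
        charset = codecs.lookup(declared).name   # normalise aliases such as 'utf8'
    except LookupError:
        findings.append(f"unknown declared charset {declared!r}")
        return {"decoded": None, "findings": findings, "suspicious": True}

    raw = unquote_to_bytes(path)
    decoded = None
    try:
        decoded = raw.decode(charset)
    except UnicodeDecodeError as exc:
        findings.append(f"percent-decoded bytes are not valid {charset}: {exc.reason}")

    # Heuristic: non-ASCII bytes that happen to form valid UTF-8 while a
    # single-byte charset was declared usually mean the label is wrong.
    if charset != "utf-8" and any(b >= 0x80 for b in raw):
        try:
            raw.decode("utf-8")
            findings.append(f"bytes form valid UTF-8 but charset declared as {charset}")
        except UnicodeDecodeError:
            pass

    return {"decoded": decoded, "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for path, declared in SAMPLE_REQUESTS:
        result = check_uri_encoding(path, declared)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{path:<14} declared={declared:<11} {verdict:<10} {result['findings']}")
```

The point of the check is that the declared charset and the bytes are two independent statements about the same request; when they disagree, the request is worth logging or inspecting more closely even if neither piece alone is malformed.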
