- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Fri, 21 Mar 2014 15:54:19 +0100
- To: Nicolas Mailhot <nicolas.mailhot@laposte.net>
- CC: Bjoern Hoehrmann <derhoermi@gmx.net>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>, Gabriel Montenegro <gabriel.montenegro@microsoft.com>
On 2014-03-21 15:43, Nicolas Mailhot wrote:
> ...
> The signal is not used for security checks. The URLs are used for security
> checks. Discrepancies between declared encoding and URL content are one
> cause for suspicion. Lack of clear encoding rules does not make the whole
> thing more secure; it removes one parameter to check against, and prevents
> writing of other security checks due to unknown encoding fog.
>
> And, in theory, malware should respect 100% of all specs to avoid detection
> when triggering conformance checks, but in the actual world it does not,
> because its aim is to work well enough for one campaign, not to work reliably
> on all possible web sites like a full browser. And even if malware started
> respecting 100% of all specs you would still win, because you'd have
> removed the corner cases it could try to exploit.
> ...

Nicolas, I'll ask again: please present a *concrete* example where the out-of-band metadata helps. This would include a description of where the request comes from, what gets on the wire, what kind of checks your code does, and what it would do differently when it gets the encoding metadata.

Best regards, Julian
Received on Friday, 21 March 2014 14:54:59 UTC
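As an editor's illustration of the kind of consistency check the quoted message alludes to (declared charset versus the bytes actually present in a percent-encoded request-target), here is a small added Python example; it is not code from either participant or from any HTTP working-group draft, and the helper names, the returned fields and the "well-formed UTF-8 under a single-byte declaration" heuristic are assumptions made for this illustration.

```python
from urllib.parse import unquote_to_bytes

# Hypothetical defender-side check (not from the thread): given a request-target
# and an out-of-band "declared" charset, decide whether the two agree.

def decoded_path_bytes(request_target: str) -> bytes:
    """Percent-decode only the path component; the query string is split off."""
    path = request_target.split("?", 1)[0]
    return unquote_to_bytes(path)

def decodes_as(raw: bytes, codec: str) -> bool:
    """True when every byte sequence in raw is valid under codec.
    An unknown codec name counts as 'does not decode'."""
    try:
        raw.decode(codec)
        return True
    except (UnicodeDecodeError, LookupError):
        return False

def check_encoding_consistency(request_target: str, declared: str) -> dict:
    raw = decoded_path_bytes(request_target)
    non_ascii = any(b >= 0x80 for b in raw)
    valid_declared = decodes_as(raw, declared)
    valid_utf8 = decodes_as(raw, "utf-8")
    is_utf8_decl = declared.lower().replace("_", "-") in ("utf-8", "utf8")
    suspicious, reason = False, "ascii-only" if not non_ascii else "consistent"
    if non_ascii:
        if not valid_declared:
            # Declared charset cannot even decode the bytes on the wire.
            suspicious, reason = True, "bytes are not valid in declared charset"
        elif not is_utf8_decl and valid_utf8:
            # Any byte decodes under a single-byte charset, so validity alone
            # proves nothing; well-formed multibyte UTF-8 labelled as something
            # else is unusual enough to flag (heuristic, assumed here).
            suspicious, reason = True, "declared single-byte charset but content is well-formed UTF-8"
    return {
        "non_ascii": non_ascii,
        "valid_declared": valid_declared,
        "valid_utf8": valid_utf8,
        "suspicious": suspicious,
        "reason": reason,
    }

if __name__ == "__main__":
    # Constructed sample request-targets, not captured traffic.
    for target, decl in [("/caf%C3%A9?x=1", "utf-8"), ("/caf%E9", "utf-8"),
                         ("/caf%E9", "iso-8859-1"), ("/caf%C3%A9", "iso-8859-1")]:
        print(target, decl, check_encoding_consistency(target, decl))
```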