Re: consensus on :query ?

From: Roberto Peon <grmocg@gmail.com>
Date: Sun, 20 Jul 2014 18:33:01 -0700
Message-ID: <CAP+FsNcRAXdicv_nC5xyEA2SHrUs7kzuRRffSaC-=_N=1T1Keg@mail.gmail.com>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: Phil Hunt <phil.hunt@oracle.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

One doesn't have to guess path + query, one only guesses the query.
In some scenarios, this enhances the attacker's ability to probe.
The question is, does it do so enough for us to care.

-=R


On Sun, Jul 20, 2014 at 2:05 PM, Poul-Henning Kamp <phk@phk.freebsd.dk>
wrote:

> In message <CAP+FsNfy-3V_BRcqa1ATts7SgX=hqEDvtK7LjuA5iHAG3gaBEQ@mail.gmail.com>, Roberto Peon writes:
>
> >It could make guessing things potentially easier.
>
> Please explain ?
>
> --
> Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG         | TCP/IP since RFC 956
> FreeBSD committer       | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.
>
Received on Monday, 21 July 2014 01:33:28 UTC