Re: consensus on :query ? from Roberto Peon on 2014-07-21 (ietf-http-wg@w3.org from July to September 2014)

From: Roberto Peon <grmocg@gmail.com>
Date: Sun, 20 Jul 2014 18:33:01 -0700
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: Phil Hunt <phil.hunt@oracle.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAP+FsNcRAXdicv_nC5xyEA2SHrUs7kzuRRffSaC-=_N=1T1Keg@mail.gmail.com>

One doesn't have to guess path + query, one only guess the query.
In some scenarios, this enhances the attacker's ability to probe.
The question is, does it do so enough for us to care.

-=R

On Sun, Jul 20, 2014 at 2:05 PM, Poul-Henning Kamp <phk@phk.freebsd.dk>
wrote:

> In message <CAP+FsNfy-3V_BRcqa1ATts7SgX=
> hqEDvtK7LjuA5iHAG3gaBEQ@mail.gmail.com>
> , Roberto Peon writes:
>
> >It could make guessing things potentially easier.
>
> Please explain ?
>
> --
> Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG         | TCP/IP since RFC 956
> FreeBSD committer       | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.
>

Received on Monday, 21 July 2014 01:33:28 UTC