Re: consensus on :query ? from Phil Hunt on 2014-07-21 (ietf-http-wg@w3.org from July to September 2014)

From: Phil Hunt <phil.hunt@oracle.com>
Date: Sun, 20 Jul 2014 23:26:29 -0400
To: Roberto Peon <grmocg@gmail.com>
Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <BC620A23-35FF-4170-9A98-BCE3B701C5FD@oracle.com>

Not sure why one would be worse than the other guess-ability wise. 

If a header aids compression too thats good. 

Phil

> On Jul 20, 2014, at 21:33, Roberto Peon <grmocg@gmail.com> wrote:
> 
> One doesn't have to guess path + query, one only guess the query.
> In some scenarios, this enhances the attacker's ability to probe.
> The question is, does it do so enough for us to care.
> 
> -=R
> 
> 
>> On Sun, Jul 20, 2014 at 2:05 PM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
>> In message <CAP+FsNfy-3V_BRcqa1ATts7SgX=hqEDvtK7LjuA5iHAG3gaBEQ@mail.gmail.com>
>> , Roberto Peon writes:
>> 
>> >It could make guessing things potentially easier.
>> 
>> Please explain ?
>> 
>> --
>> Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
>> phk@FreeBSD.ORG         | TCP/IP since RFC 956
>> FreeBSD committer       | BSD since 4.3-tahoe
>> Never attribute to malice what can adequately be explained by incompetence.
>

Received on Monday, 21 July 2014 03:28:21 UTC