Don't get me wrong-- I think it'd be mostly fine.
I also think, however, that this is a piece of information which is likely
to contain sensitive information, and as a result, if we want to do
something different than we do now, we should get it reviewed.
One simple example of how this makes stuff easier-- Since the path and
query are separated, an attack that attacks the local state by acting as a
malicious MITM of TCP packets may perform more attacks before the TCP recv
window runs out.
Do I think that is a particularly strong weakness? No. However, it still
needs review.
-=R
On Sun, Jul 20, 2014 at 10:46 PM, Willy Tarreau <w@1wt.eu> wrote:
> Hi Roberto,
>
> On Sun, Jul 20, 2014 at 06:33:01PM -0700, Roberto Peon wrote:
> > One doesn't have to guess path + query, one only guesses the query.
> > In some scenarios, this enhances the attacker's ability to probe.
> > The question is, does it do so enough for us to care.
>
> I don't see why it would be a trouble since the path is generally
> well known and could be considered constant. It will be retrieved
> from a link on a page, a location header, or will just be "/" or
> something like this.
>
> Willy