Re: consensus on :query ? from Roberto Peon on 2014-07-21 (ietf-http-wg@w3.org from July to September 2014)

From: Roberto Peon <grmocg@gmail.com>
Date: Sun, 20 Jul 2014 23:51:37 -0700
To: Willy Tarreau <w@1wt.eu>
Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, Phil Hunt <phil.hunt@oracle.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAP+FsNeoCDG8FwK91ZF_emUuF2+jdDJEo6v9+5mqNuB6UrehEg@mail.gmail.com>

Don't get me wrong-- I think it'd be mostly fine.
I also think, however, that this is a piece of information which is likely
to contain sensitive information, and as a result, if we want to do
something different than we do now, we should get it reviewed.

One simple example of how this makes stuff easier-- Since the path and
query are separated, an attack that attacks the local state by acting as a
malicious mitm of TCP packets may perform more attacks before the TCP recv
window runs out.

Do I think that is a particularly strong weakness? No. However, it still
needs review.
-=R

On Sun, Jul 20, 2014 at 10:46 PM, Willy Tarreau <w@1wt.eu> wrote:

> Hi Roberto,
>
> On Sun, Jul 20, 2014 at 06:33:01PM -0700, Roberto Peon wrote:
> > One doesn't have to guess path + query, one only guess the query.
> > In some scenarios, this enhances the attacker's ability to probe.
> > The question is, does it do so enough for us to care.
>
> I don't see why it would be a trouble since the path is generally
> well known and could be considered constant. It will be retrieved
> from a link on a page, a location header, or will just be "/" or
> something like this.
>
> Willy
>
>

Received on Monday, 21 July 2014 06:52:04 UTC