Re: consensus on :query ?

On Mon, Jul 21, 2014 at 6:20 AM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> On 21 July 2014 00:53, Willy Tarreau <w@1wt.eu> wrote:
> >
> > I'm not sure what you mean, we're speaking about having a single :query
> > for whatever follows the question mark, right? If so, all the params
> > must be tried as a single block.
>
> Yes, but there could be cases where the combination of path and query
> contain sufficiently high entropy in combination, but one or other
> contains insufficient entropy on its own to resist guessing attacks.
>

I concur with Martin's analysis.

Consider the case where we have sensitive information split between the
path and the query. E.g.

https://login.example.com/ekr?<password>

If the username is unknown, this lets them be guessed independently.

-Ekr

Received on Monday, 21 July 2014 13:25:13 UTC
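The guessing argument in this thread, as an added toy model (not code from the thread or from the HTTP working group): it assumes the attacker has an oracle that confirms a guess against one pseudo-header field at a time, so every separately carried field can be attacked on its own; the candidate-space sizes and the guess budget are constructed values.

```python
from math import log2
from urllib.parse import urlsplit

def request_target_fields(url, split_query):
    """Pseudo-header values the request target would be carried in.
    split_query=False: one :path value holding path and query together.
    split_query=True : separate :path and :query values (the proposal)."""
    u = urlsplit(url)
    if not split_query:
        return {":path": u.path + ("?" + u.query if u.query else "")}
    return {":path": u.path, ":query": u.query}

def worst_case_guesses(space_sizes, split_query):
    """Oracle queries needed, in the worst case, to recover every secret component.
    Components carried in one field must be guessed jointly (product of the
    candidate spaces); components in separate fields are guessed one at a time (sum)."""
    if split_query:
        return sum(space_sizes.values())
    total = 1
    for n in space_sizes.values():
        total *= n
    return total

def recoverable(space_sizes, split_query, budget):
    """Components an attacker limited to `budget` oracle queries can recover.
    One combined field is all or nothing; with a split, each field stands alone,
    so a low-entropy part falls even when the combination would have held."""
    if split_query:
        return sorted(name for name, n in space_sizes.items() if n <= budget)
    return sorted(space_sizes) if worst_case_guesses(space_sizes, False) <= budget else []

if __name__ == "__main__":
    # Constructed example mirroring the thread: username in the path, password in the query.
    url = "https://login.example.com/ekr?<password>"
    spaces = {"username": 2 ** 20, "password": 2 ** 40}  # constructed candidate-space sizes
    budget = 2 ** 32                                     # constructed attacker budget
    for split in (False, True):
        print("split" if split else "combined", request_target_fields(url, split),
              "%.0f bits" % log2(worst_case_guesses(spaces, split)),
              "recoverable:", recoverable(spaces, split, budget))
```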