Re: consensus on :query ? from Eric Rescorla on 2014-07-21 (ietf-http-wg@w3.org from July to September 2014)

From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 21 Jul 2014 06:24:04 -0700
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Willy Tarreau <w@1wt.eu>, Roberto Peon <grmocg@gmail.com>, Poul-Henning Kamp <phk@phk.freebsd.dk>, Phil Hunt <phil.hunt@oracle.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CABcZeBM7AQ5xBTmpS3vC1q-EPY2uftAFfuUjjY5780NRVDdDTg@mail.gmail.com>

On Mon, Jul 21, 2014 at 6:20 AM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> On 21 July 2014 00:53, Willy Tarreau <w@1wt.eu> wrote:
> >
> > I'm not sure what you mean, we're speaking about having a single :query
> > for whatever follows the question mark, right ? If so, all the params
> > must be tried as a single block.
>
> Yes, but there could be cases where the combination of path and query
> contain sufficiently high entropy in combination, but one or other
> contains insufficient entropy on its own to resist guessing attacks.
>

I concur with Martin's analysis

Consider the case where we have sensitive information split between the
path and the query. E.g.

https://login.example.com/ekr?<password>

If the username is unknown, this lets them be guessed independently.

-Ekr

Received on Monday, 21 July 2014 13:25:13 UTC