If the path contains:
/foo/RANDOM_NUMBER/bar
and the query contains:
q=foo&user=SOME_SECRET_ID
Then guessing:
/foo/RANDOM_NUMBER/bar?q=foo&user=SOME_SECRET_ID
is far, far FAR more difficult than guessing:
q=foo&user=SOME_SECRET_ID
alone or
/foo/RANDOM_NUMBER/bar
alone.
-=R
On Mon, Jul 21, 2014 at 4:21 PM, Adrien de Croy <adrien@qbik.com> wrote:
>
> I don't see how it makes any difference. Splitting something in two
> (path?query vs. path, query) doesn't add or subtract information or alter
> entropy. It's just a different way of parsing.
>
>
>
> ------ Original Message ------
> From: "Martin Thomson" <martin.thomson@gmail.com>
> To: "Willy Tarreau" <w@1wt.eu>
> Cc: "Roberto Peon" <grmocg@gmail.com>; "Poul-Henning Kamp" <
> phk@phk.freebsd.dk>; "Phil Hunt" <phil.hunt@oracle.com>; "Mark
> Nottingham" <mnot@mnot.net>; "HTTP Working Group" <ietf-http-wg@w3.org>
> Sent: 22/07/2014 1:20:27 a.m.
> Subject: Re: consensus on :query ?
>
> On 21 July 2014 00:53, Willy Tarreau <w@1wt.eu> wrote:
>>
>>>
>>> I'm not sure what you mean, we're speaking about having a single :query
>>> for whatever follows the question mark, right ? If so, all the params
>>> must be tried as a single block.
>>>
>>
>> Yes, but there could be cases where the combination of path and query
>> contain sufficiently high entropy in combination, but one or other
>> contains insufficient entropy on its own to resist guessing attacks.
>>
>>
>