Re: consensus on :query ?

OK thanks, I missed the context.

So many mails on this list now it's impossible to do any sort of day job 
if I want to keep up with them.

Hence I'm well behind.


------ Original Message ------
From: "Roberto Peon" <grmocg@gmail.com>
To: "Adrien de Croy" <adrien@qbik.com>
Cc: "Martin Thomson" <martin.thomson@gmail.com>; "Willy Tarreau" 
<w@1wt.eu>; "Poul-Henning Kamp" <phk@phk.freebsd.dk>; "Phil Hunt" 
<phil.hunt@oracle.com>; "Mark Nottingham" <mnot@mnot.net>; "HTTP Working 
Group" <ietf-http-wg@w3.org>
Sent: 22/07/2014 11:36:56 a.m.
Subject: Re: consensus on :query ?

>You're missing the nature of the attack.
>
>The nature of the attack is to cause the client to emit packets, and to 
>look at the size of the packets.
>If you've compressed something, then the packet (at least without 
>padding) is smaller.
>This implies that a 3rd party can send links to the browser and, while 
>watching the output size, figure out when it 'hit' something in the 
>compression context.
>
>The fact that the server is sending 4XXs or 5XXs, really doesn't come 
>into it (except that it is a hint to the server that there might be a 
>malicious attacker and it should set the compression context size to 
>zero).
>-=R
>
>
>
>On Mon, Jul 21, 2014 at 4:33 PM, Adrien de Croy <adrien@qbik.com> 
>wrote:
>>
>>Sorry I still don't understand.
>>
>>If the server needs both a correct path and correct query to provide 
>>the desired response, then surely you need to guess both.
>>
>>Or are we suggesting that path can be guessed independently because 
>>there's a different status returned for invalid query vs invalid 
>>path?
>>
>>In which case how does that differ from now?
>>
>>
>>------ Original Message ------
>>From: "Roberto Peon" <grmocg@gmail.com>
>>To: "Adrien de Croy" <adrien@qbik.com>
>>Cc: "Martin Thomson" <martin.thomson@gmail.com>; "Willy Tarreau" 
>><w@1wt.eu>; "Poul-Henning Kamp" <phk@phk.freebsd.dk>; "Phil Hunt" 
>><phil.hunt@oracle.com>; "Mark Nottingham" <mnot@mnot.net>; "HTTP 
>>Working Group" <ietf-http-wg@w3.org>
>>Sent: 22/07/2014 11:24:56 a.m.
>>Subject: Re: consensus on :query ?
>>
>>>If the path contains:
>>>/foo/RANDOM_NUMBER/bar
>>>
>>>and the query contains:
>>>q=foo&user=SOME_SECRET_ID
>>>
>>>Then guessing:
>>>/foo/RANDOM_NUMBER/bar?q=foo&user=SOME_SECRET_ID
>>>
>>>is far, far FAR more difficult than guessing:
>>>   q=foo&user=SOME_SECRET_ID
>>>alone or
>>>   /foo/RANDOM_NUMBER/bar
>>>alone.
>>>
>>>
>>>-=R
>>>
>>>
>>>On Mon, Jul 21, 2014 at 4:21 PM, Adrien de Croy <adrien@qbik.com> 
>>>wrote:
>>>>
>>>>I don't see how it makes any difference.  Splitting something in two 
>>>>(path?query vs. path, query) doesn't add or subtract information or 
>>>>alter entropy.  It's just a different way of parsing.
>>>>
>>>>
>>>>
>>>>------ Original Message ------
>>>>From: "Martin Thomson" <martin.thomson@gmail.com>
>>>>To: "Willy Tarreau" <w@1wt.eu>
>>>>Cc: "Roberto Peon" <grmocg@gmail.com>; "Poul-Henning Kamp" 
>>>><phk@phk.freebsd.dk>; "Phil Hunt" <phil.hunt@oracle.com>; "Mark 
>>>>Nottingham" <mnot@mnot.net>; "HTTP Working Group" 
>>>><ietf-http-wg@w3.org>
>>>>Sent: 22/07/2014 1:20:27 a.m.
>>>>Subject: Re: consensus on :query ?
>>>>
>>>>>On 21 July 2014 00:53, Willy Tarreau <w@1wt.eu> wrote:
>>>>>>
>>>>>>  I'm not sure what you mean, we're speaking about having a single
>>>>>>  :query for whatever follows the question mark, right ? If so, all
>>>>>>  the params must be tried as a single block.
>>>>>
>>>>>Yes, but there could be cases where the combination of path and
>>>>>query contain sufficiently high entropy in combination, but one or
>>>>>other contains insufficient entropy on its own to resist guessing
>>>>>attacks.
>>>>>
>>>>
>>>
>

Received on Monday, 21 July 2014 23:52:45 UTC
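
The entropy argument in this thread, worked through as an added example (not code from any participant or from the HPACK specification): a toy compression context that indexes a header field only on a whole-value match, used to count how many size-observed probes confirm the secrets when path and query are stored as one field versus two. The 1-byte index cost, the literal-cost formula and the function names are assumptions of this model; the path and query shapes are the ones quoted above.

```python
# Toy model (constructed, not HPACK itself): a compression context that
# replaces a header field with a 1-byte index only on a whole-value match.
from itertools import product

INDEX_COST = 1  # bytes emitted when the field is already in the context


def encoded_size(fields, context):
    """Size of a header block: indexed fields cost 1 byte, others are literal."""
    return sum(INDEX_COST if f in context else len(f[0]) + len(f[1]) + 2
               for f in fields)


def guesses_until_hit(context, candidates):
    """Count probes an observer of sizes needs before one probe shrinks.

    `candidates` yields header-field lists; a probe "hits" when every field
    in it is indexed, i.e. the block encodes at the minimum size.
    """
    for n, fields in enumerate(candidates, start=1):
        if encoded_size(fields, context) == INDEX_COST * len(fields):
            return n
    return None


def compare(path_space, query_space, path_secret, query_secret):
    """Return (probes with path?query as one field, probes with two fields)."""
    paths = [f"/foo/{p}/bar" for p in path_space]
    queries = [f"q=foo&user={q}" for q in query_space]
    real_path = f"/foo/{path_secret}/bar"
    real_query = f"q=foo&user={query_secret}"

    # Combined: one context entry, so the whole string must be guessed at once.
    combined_ctx = {(":path", f"{real_path}?{real_query}")}
    combined = guesses_until_hit(
        combined_ctx,
        ([(":path", f"{p}?{q}")] for p, q in product(paths, queries)))

    # Split: two entries, each confirmable on its own by the size change.
    split_ctx = {(":path", real_path), (":query", real_query)}
    split = (guesses_until_hit(split_ctx, ([(":path", p)] for p in paths))
             + guesses_until_hit(split_ctx, ([(":query", q)] for q in queries)))
    return combined, split
```

With 100 candidates per component the combined field takes up to 100 × 100 probes while the split fields take at most 100 + 100, which is the difference between multiplying and adding the two search spaces.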