Re: consensus on :query ?

OK thanks, I missed the context.

So many mails on this list now it's impossible to do any sort of day job 
if I want to keep up with them.

hence I'm well behind.

------ Original Message ------
From: "Roberto Peon" <>
To: "Adrien de Croy" <>
Cc: "Martin Thomson" <>; "Willy Tarreau" 
<>; "Poul-Henning Kamp" <>; "Phil Hunt" 
<>; "Mark Nottingham" <>; "HTTP Working 
Group" <>
Sent: 22/07/2014 11:36:56 a.m.
Subject: Re: consensus on :query ?

>You're missing the nature of the attack.
>The nature of the attack is to cause the client to emit packets, and to 
>look at the size of the packets.
>If you've compressed something, then the packet (at least without 
>padding) is smaller.
>This implies that a 3rd party can send links to the browser and, while 
>watching the output size, figure out when it 'hit' something in the 
>compression context.
>The fact that the server is sending 4XXs or 5XXs, really doesn't come 
>into it (except that it is a hint to the server that there might be a 
>malicious attacker and it should set the compression context size to 
>On Mon, Jul 21, 2014 at 4:33 PM, Adrien de Croy <> 
>>Sorry I still don't understand.
>>If the server needs both a correct path and correct query to provide 
>>the desired response, then surely you need to guess both.
>>Or are we suggesting that path can be guessed independently because 
>>there's a differernt status returned for invalid query vs invalid 
>>In which case how does that differ from now?
>>------ Original Message ------
>>From: "Roberto Peon" <>
>>To: "Adrien de Croy" <>
>>Cc: "Martin Thomson" <>; "Willy Tarreau" 
>><>; "Poul-Henning Kamp" <>; "Phil Hunt" 
>><>; "Mark Nottingham" <>; "HTTP 
>>Working Group" <>
>>Sent: 22/07/2014 11:24:56 a.m.
>>Subject: Re: consensus on :query ?
>>>If the path contains:
>>>and the query contains:
>>>Then guessing:
>>>is far, far FAR more difficult than guessing:
>>>   q=foo&user=SOME_SECRET_ID
>>>alone or
>>>   /foo/RANDOM_NUMBER/bar
>>>On Mon, Jul 21, 2014 at 4:21 PM, Adrien de Croy <> 
>>>>I don't see how it makes any difference.  Splitting something in two 
>>>>(path?query vs. path, query) doesn't add or subtract information or 
>>>>alter entropy.  It's just a different way of parsing.
>>>>------ Original Message ------
>>>>From: "Martin Thomson" <>
>>>>To: "Willy Tarreau" <>
>>>>Cc: "Roberto Peon" <>; "Poul-Henning Kamp" 
>>>><>; "Phil Hunt" <>; "Mark 
>>>>Nottingham" <>; "HTTP Working Group" 
>>>>Sent: 22/07/2014 1:20:27 a.m.
>>>>Subject: Re: consensus on :query ?
>>>>>On 21 July 2014 00:53, Willy Tarreau <> wrote:
>>>>>>  I'm not sure what you mean, we're speaking about having a single 
>>>>>>  for whatever follows the question mark, right ? If so, all the 
>>>>>>  must be tried as a single block.
>>>>>Yes, but there could be cases where the combination of path and 
>>>>>contain sufficiently high entropy in combination, but one or other
>>>>>contains insufficient entropy on its own to resist guessing 

Received on Monday, 21 July 2014 23:52:45 UTC