W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2014

RE: consensus on :query ?

From: Richard Wheeldon (rwheeldo) <rwheeldo@cisco.com>
Date: Mon, 28 Jul 2014 09:03:25 +0000
To: James M Snell <jasnell@gmail.com>, Eric Rescorla <ekr@rtfm.com>
CC: Mark Nottingham <mnot@mnot.net>, Roberto Peon <grmocg@gmail.com>, "Phil Hunt" <phil.hunt@oracle.com>, Willy Tarreau <w@1wt.eu>, HTTP Working Group <ietf-http-wg@w3.org>, Poul-Henning Kamp <phk@phk.freebsd.dk>, Martin Thomson <martin.thomson@gmail.com>
Message-ID: <0566CA5E9B906D40B6737DD47DA9FB8F1B54F964@xmb-rcd-x04.cisco.com>
select count(1) from <yesterday’s traffic via the CWS proxy> where query like '%&password=%';

130,740

So not very hard pressed.

Richard

From: James M Snell [mailto:jasnell@gmail.com]
Sent: 21 July 2014 14:37
To: Eric Rescorla
Cc: Mark Nottingham; Roberto Peon; Phil Hunt; Willy Tarreau; HTTP Working Group; Poul-Henning Kamp; Martin Thomson
Subject: Re: consensus on :query ?


Well, hopefully we'd be hard pressed to find many real world examples of passwords in the query string, but there are many examples involving API keys and authorization tokens. These, fortunately, tend to have a greater entropy than passwords but are still quite dangerous. Whether separating them out to a new :query field makes them more vulnerable, I have no idea. Would be interesting to test.
On Jul 21, 2014 6:28 AM, "Eric Rescorla" <ekr@rtfm.com<mailto:ekr@rtfm.com>> wrote:

On Mon, Jul 21, 2014 at 6:20 AM, Martin Thomson <martin.thomson@gmail.com<mailto:martin.thomson@gmail.com>> wrote:
On 21 July 2014 00:53, Willy Tarreau <w@1wt.eu<mailto:w@1wt.eu>> wrote:
>
> I'm not sure what you mean, we're speaking about having a single :query
> for whatever follows the question mark, right ? If so, all the params
> must be tried as a single block.
Yes, but there could be cases where the combination of path and query
contain sufficiently high entropy in combination, but one or other
contains insufficient entropy on its own to resist guessing attacks.

I concur with Martin's analysis

Consider the case where we have sensitive information split between the
path and the query. E.g.

https://login.example.com/ekr?<password>

If the username is unknown, this lets them be guessed independently.

-Ekr

Received on Monday, 28 July 2014 09:04:00 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 30 March 2016 09:57:09 UTC