[Bug 12316] New: We should add a checksum here to make it impossible for attackers to modify messages en-route. The HMAC-SHA1 of the cyphertext using as a key the HMAC-SHA1 of ice-key + a second salt should be sufficient. See also http://krijnhoetmer.nl/irc-logs/whatwg/20

http://www.w3.org/Bugs/Public/show_bug.cgi?id=12316

           Summary: We should add a checksum here to make it impossible
                    for attackers to modify messages en-route. The
                    HMAC-SHA1 of the cyphertext using as a key the
                    HMAC-SHA1 of ice-key + a second salt should be
                    sufficient. See also
                    http://krijnhoetmer.nl/irc-logs/whatwg/20
           Product: HTML WG
           Version: unspecified
          Platform: Other
               URL: http://www.whatwg.org/specs/web-apps/current-work/#tra
                    nsmit-a-data-packet-to-a-peer
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P3
         Component: other Hixie drafts (editor: Ian Hickson)
        AssignedTo: ian@hixie.ch
        ReportedBy: contributor@whatwg.org
         QAContact: public-html-bugzilla@w3.org
                CC: ian@hixie.ch, mike@w3.org


Specification: http://www.whatwg.org/specs/web-apps/current-work/complete.html
Section:
http://www.whatwg.org/specs/web-apps/current-work/complete.html#transmit-a-data-packet-to-a-peer

Comment:
We should add a checksum here to make it impossible for attackers to modify
messages en-route. The HMAC-SHA1 of the cyphertext using as a key the
HMAC-SHA1 of ice-key + a second salt should be sufficient. See also
http://krijnhoetmer.nl/irc-logs/whatwg/20110316#l-268 onwards.

Posted from: 76.102.14.57 by ian@hixie.ch
User agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_6; en-US)
AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.

Received on Wednesday, 16 March 2011 07:09:13 UTC