- From: Brian E Carpenter <notifications@github.com>
- Date: Wed, 09 Nov 2022 11:43:21 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 9 November 2022 19:43:34 UTC
About the malicious discovery issue, such an attack is impractical. This is discussed at https://www.ietf.org/archive/id/draft-ietf-6man-rfc6874bis-05.html#section-6-5 . I tried writing an address-scanning script (exploiting the fact that Windows supports a default Zone ID) and tested it on Firefox, Chrome and Edge. It's impractically slow since the search space is 2**64. (I have no intention of publishing my script and my JavaScript skills are weak, but if you read the following thread, you will get the gist: https://mailarchive.ietf.org/arch/browse/ipv6/?gbt=1&q=scripting%20attacks )

The draft **does** update the ABNF and (as required by IETF process) we've validated the result. Most parsers don't seem to be written that way, however.

--
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/774#issuecomment-1309269580
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/774/1309269580@github.com>