Re: [XHR] chunked requests

On Thu, Dec 8, 2011 at 5:07 PM, Adam Barth <w3c@adambarth.com> wrote:
> Keep in mind that streamed or chunked uploads will expose the ability
> to exploit the BEAST vulnerability in SSL:
>
> http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html

Right. Specifically, it needs to be a cross-origin streamed request without
significant uncontrollable headers and/or masking.


> Whatever spec we end up going with should note in its security
> consideration that the user agent must implement TLS 1.2 or greater to
> avoid this attack.

I believe it's actually TLS 1.1, since the relevant feature is explicit
IVs. Or you could allow RC4, I guess.

Best,
-Ekr

Received on Friday, 9 December 2011 01:16:13 UTC
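
What "explicit IVs" changes at the record layer, as an added example that is not part of the original message: with TLS 1.0 style chaining, the IV of a record is the last ciphertext block already sent on the wire, while a TLS 1.1 style record carries a fresh random IV. All names are hypothetical, toy_encrypt_block is a stand-in for AES, and padding and MAC are omitted.

```python
import hashlib
import hmac
import os

BLOCK = 16  # bytes per cipher block

def toy_encrypt_block(key, block):
    # Stand-in for AES (assumption): a keyed PRF cut to one block. It is not
    # invertible, which is fine here because only encryption is exercised.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(key, iv, plaintext):
    # Plain CBC over block-aligned input.
    prev, out = iv, b""
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out

class ImplicitIvWriter:
    """TLS 1.0 style: the next record's IV is the previous record's last block."""
    def __init__(self, key, first_iv):
        self.key, self.iv = key, first_iv
    def write(self, plaintext):
        wire = cbc_encrypt(self.key, self.iv, plaintext)
        self.iv = wire[-BLOCK:]  # chained into the next record
        return wire

def write_explicit(key, plaintext):
    # TLS 1.1 style: a fresh random IV is sent at the front of every record.
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, plaintext)

def iv_was_on_wire(key, prev_wire, wire, plaintext, explicit_iv):
    # Did this record use, as its IV, the last block of the previous record?
    body = wire[BLOCK:] if explicit_iv else wire
    first = toy_encrypt_block(key, xor(plaintext[:BLOCK], prev_wire[-BLOCK:]))
    return first == body[:BLOCK]

def compare():
    key = os.urandom(32)
    first, second = b"A" * 32, b"B" * 32  # constructed record payloads
    old = ImplicitIvWriter(key, os.urandom(BLOCK))
    w1, w2 = old.write(first), old.write(second)
    n1, n2 = write_explicit(key, first), write_explicit(key, second)
    return (iv_was_on_wire(key, w1, w2, second, False),
            iv_was_on_wire(key, n1, n2, second, True))
```

compare() returns (True, False): the chained IV was visible before the second record was written, the explicit one was not.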