- From: Adam Langley <agl@google.com>
- Date: Mon, 3 Nov 2014 12:06:08 -0800
- To: Mike West <mkwst@google.com>
- Cc: Mark Watson <watsonm@netflix.com>, Frederik Braun <fbraun@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Nov 3, 2014 at 11:42 AM, Mike West <mkwst@google.com> wrote: > agl@ proposed a Merkle tree approach for streaming data. I think there was > agreement that that was a reasonable approach, but no one has proposed a > delivery mechanism for the digest data that seemed like a good solution. > According to Twitter, Freddy's been looking into this recently, so maybe he > has some good ideas? :) I think Mark was suggesting that an HTTP *response* include an HMAC of the received request in order to detect modification of the request. I don't think that using a Merkle tree for streaming data is related here. (Although, if you wanted to deliver the digest data, I'd expect it to be interspersed with the content at points convenient for the UA.) In response to Mark's suggestion as I understand it: (I'm assuming that the client includes an nonce in the request otherwise lots of obvious attacks are possible.) This would break whenever any headers were added, removed or altered. Sadly, that's not uncommon in the realm of HTTP I believe. Certainly there have been cases where "firewalls" removed advertised support for gzip encoding in requests because they couldn't scan compressed responses. I imagine there's lots more situations like that. I strongly suspect that such a design would be undeployable. Cheers AGL
Received on Monday, 3 November 2014 20:06:55 UTC