Re: bohe and delta experimentation...
Willy Tarreau <w@1wt.eu> Fri, 18 January 2013 18:20 UTC
Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 845AF21F87B9 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 18 Jan 2013 10:20:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PlVllM14EVVc for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 18 Jan 2013 10:20:00 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id F363821F84C9 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 18 Jan 2013 10:19:59 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1TwGWo-0000eF-UZ for ietf-http-wg-dist@listhub.w3.org; Fri, 18 Jan 2013 18:18:58 +0000
Resent-Date: Fri, 18 Jan 2013 18:18:58 +0000
Resent-Message-Id: <E1TwGWo-0000eF-UZ@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <w@1wt.eu>) id 1TwGWl-0000da-IP for ietf-http-wg@listhub.w3.org; Fri, 18 Jan 2013 18:18:55 +0000
Received: from 1wt.eu ([62.212.114.60]) by maggie.w3.org with esmtp (Exim 4.72) (envelope-from <w@1wt.eu>) id 1TwGWk-0005bk-KE for ietf-http-wg@w3.org; Fri, 18 Jan 2013 18:18:55 +0000
Received: (from willy@localhost) by mail.home.local (8.14.4/8.14.4/Submit) id r0IIIJO6006359; Fri, 18 Jan 2013 19:18:19 +0100
Date: Fri, 18 Jan 2013 19:18:19 +0100
From: Willy Tarreau <w@1wt.eu>
To: Roberto Peon <grmocg@gmail.com>
Cc: RUELLAN Herve <Herve.Ruellan@crf.canon.fr>, Nico Williams <nico@cryptonector.com>, "Martin J. Dürst" <duerst@it.aoyama.ac.jp>, Mark Nottingham <mnot@mnot.net>, James M Snell <jasnell@gmail.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <20130118181819.GB5037@1wt.eu>
References: <CAK3OfOj1O82WqO0L0rNpq2qeKJoT9E0ZQrV6Y=ULETtACpYMag@mail.gmail.com> <CAK3OfOgOGFNbve_QrTrCesqrrAQRH5qWgvebBxAhoMD7_MjhjQ@mail.gmail.com> <0A36AEB6-09B9-462F-B2E8-90B67FE69980@mnot.net> <CAK3OfOhewuVdjxu7UUp49g8B33YZNJ_N-PkASkHLP213+8gquA@mail.gmail.com> <CAP+FsNdi4=Am7pZdKySHZESp79BzRzPaR3UGQM2dsOM-yAxBOA@mail.gmail.com> <CAP+FsNf++RVVAyqweCsGG45wWQyjRrT7LEyWbv+QOd7Z2XdXwg@mail.gmail.com> <50F8F44E.9040401@it.aoyama.ac.jp> <0D1ABADB-E17F-46D3-9B6F-5CDC99FC06B9@mnot.net> <6C71876BDCCD01488E70A2399529D5E52E13E4@ADELE.crf.canon.fr> <CAP+FsNeJG_RWNbZDvuNBn3RuYEy3bA-wKdoCVfD476kdkC+xow@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAP+FsNeJG_RWNbZDvuNBn3RuYEy3bA-wKdoCVfD476kdkC+xow@mail.gmail.com>
User-Agent: Mutt/1.4.2.3i
Received-SPF: pass client-ip=62.212.114.60; envelope-from=w@1wt.eu; helo=1wt.eu
X-W3C-Hub-Spam-Status: No, score=-3.9
X-W3C-Hub-Spam-Report: AWL=-2.028, BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001
X-W3C-Scan-Sig: maggie.w3.org 1TwGWk-0005bk-KE 157a56adf5bba5625fd31df590e8d3ae
X-Original-To: ietf-http-wg@w3.org
Subject: Re: bohe and delta experimentation...
Archived-At: <http://www.w3.org/mid/20130118181819.GB5037@1wt.eu>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/16010
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
Hi Roberto, On Fri, Jan 18, 2013 at 09:22:11AM -0800, Roberto Peon wrote: > This makes URLs vulnerable to the CRIME attack, and URLs definitely do > contain sensitive information often :( > > This is true for anything which allows partial matches (I just can't figure > out how date could be sensitive, but if it could, even the encoding > suggested earlier by me would be dangerous). > > I dropped exactly this (prefix match) functionality from delta early on > because of this. If we consider that anything is sensible to the CRIME attack, then we need to go fully stateless I guess, otherwise it will be too hard to find out what is safe to reuse and what is risky :-/ Willy
- Re: bohe and delta experimentation... Adrien W. de Croy
- Re: bohe and delta experimentation... Nico Williams
- Re: bohe and delta experimentation... Nico Williams
- Re: bohe and delta experimentation... Mark Nottingham
- bohe and delta experimentation... James M Snell
- Re: bohe and delta experimentation... Mark Nottingham
- Re: bohe and delta experimentation... James M Snell
- Re: bohe and delta experimentation... Nico Williams
- Re: bohe and delta experimentation... Mark Nottingham
- Re: bohe and delta experimentation... James M Snell
- Re: bohe and delta experimentation... Roberto Peon
- Re: bohe and delta experimentation... Nico Williams
- Re: bohe and delta experimentation... Mark Nottingham
- Re: bohe and delta experimentation... Nico Williams
- Re: bohe and delta experimentation... James M Snell
- Re: bohe and delta experimentation... Roberto Peon
- Re: bohe and delta experimentation... Roberto Peon
- Re: bohe and delta experimentation... Nico Williams
- Re: bohe and delta experimentation... James M Snell
- Re: bohe and delta experimentation... Roberto Peon
- Re: bohe and delta experimentation... Mark Nottingham
- Re: bohe and delta experimentation... James M Snell
- Re: bohe and delta experimentation... Nico Williams
- Re: bohe and delta experimentation... Mark Nottingham
- Re: bohe and delta experimentation... Patrick McManus
- Re: bohe and delta experimentation... Martin Thomson
- Re: bohe and delta experimentation... Martin Thomson
- Re: bohe and delta experimentation... Poul-Henning Kamp
- RE: bohe and delta experimentation... RUELLAN Herve
- Re: bohe and delta experimentation... Frédéric Kayser
- Re: bohe and delta experimentation... Nico Williams
- Re: bohe and delta experimentation... Martin J. Dürst
- Re: bohe and delta experimentation... Martin J. Dürst
- Re: bohe and delta experimentation... Mark Nottingham
- Re: bohe and delta experimentation... Frédéric Kayser
- Re: bohe and delta experimentation... Amos Jeffries
- Re: bohe and delta experimentation... Amos Jeffries
- Re: bohe and delta experimentation... Poul-Henning Kamp
- Re: bohe and delta experimentation... Poul-Henning Kamp
- RE: bohe and delta experimentation... RUELLAN Herve
- Re: bohe and delta experimentation... Willy Tarreau
- Re: bohe and delta experimentation... Willy Tarreau
- RE: bohe and delta experimentation... Roberto Peon
- Re: bohe and delta experimentation... Willy Tarreau
- Re: bohe and delta experimentation... Martin Nilsson
- Re: bohe and delta experimentation... Roberto Peon
- Re: bohe and delta experimentation... Phillip Hallam-Baker
- Re: bohe and delta experimentation... Willy Tarreau
- RE: bohe and delta experimentation... RUELLAN Herve