Re: [hybi] Insight you need to know: Browsers are at fault when servers crash

John Tamplin <jat@google.com> Mon, 26 July 2010 05:12 UTC


On Mon, Jul 26, 2010 at 1:03 AM, Maciej Stachowiak <mjs@apple.com> wrote:

> I think the idea here would be to use encryption solely to prevent the
> attacker from predicting either input or output bytes - in effect to
> scramble the bits, rather than to provide confidentiality.
>

Ineffective encryption doesn't really pose a barrier to producing plain text
to produce a desired cipher text.  Maybe if the key can't be controlled by
the attacker and varies on each packet, but it still seems like you are
playing with fire to say you don't have to use a secure encryption method to
prevent this.

-- 
John A. Tamplin
Software Engineer (GWT), Google
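
The distinction drawn in the reply above, as an added example that is not part of the original message: a repeating-key XOR scrambler (an assumed toy stand-in for "ineffective encryption") lets whoever supplies the plaintext fix the exact bytes on the wire when the key is predictable, while a fresh key drawn per packet by the sending side removes that control. All names, key values and the target bytes are constructed for illustration.

```python
import secrets

def xor_scramble(data: bytes, key: bytes) -> bytes:
    """Toy scrambler: repeating-key XOR. It is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def craft_plaintext(target_wire: bytes, predicted_key: bytes) -> bytes:
    """Plaintext that scrambles to target_wire, but only if the key
    actually used equals predicted_key."""
    return xor_scramble(target_wire, predicted_key)

def send_with_fresh_key(plaintext: bytes, key_len: int = 8):
    """Sender picks an unpredictable key per packet, after the plaintext
    is already fixed. Returns (key, wire_bytes)."""
    key = secrets.token_bytes(key_len)
    return key, xor_scramble(plaintext, key)

def demo(trials: int = 1000):
    target = b"CONSTRUCTED-TARGET-BYTES"            # constructed sample
    known_key = bytes.fromhex("a1b2c3d4e5f60718")   # constructed sample

    # Content supplier knows the key: wire bytes are fully chosen.
    plaintext = craft_plaintext(target, known_key)
    fixed_key_hit = xor_scramble(plaintext, known_key) == target

    # Same plaintext, but the key varies per packet and is not
    # under the content supplier's control.
    fresh_key_hits = sum(
        send_with_fresh_key(plaintext)[1] == target for _ in range(trials)
    )
    return fixed_key_hit, fresh_key_hits

if __name__ == "__main__":
    fixed, fresh = demo()
    print("predictable key reproduces target on the wire:", fixed)
    print("fresh per-packet key reproduces target:", fresh, "of 1000 packets")
```

The scrambling here gives no confidentiality in either case; the second case only denies the content supplier a prediction of the output bytes, which is the narrow property the quoted message asks for.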