> On 5 Jun 2017, at 6:06, Bill Cox <waywardg...@google.com> wrote:
>
> On Sun, Jun 4, 2017 at 4:08 PM, Benjamin Kaduk <bka...@akamai.com> wrote:
>
> Do we have a good example of why a non-safe HTTP request in 0-RTT would lose specific properties required for security? If so, that seems like a good thing to include in the TLS 1.3 spec as an example of what can go wrong.
>
> -Ben
>
> I like the example of a POST request saying "send Alice $10". It is a request that sophisticated web services will avoid, yet many smaller and less security savvy sites will continue to support requests like this, so I think it is worth considering.
>
I once saw a router with an HTTPS administration UI that would respond as you'd expect to:

    GET mainpage.html?action=rebootDevice

Worse. The router was a firewall and this worked:

    GET mainpage.html?action=disablePolicy

Yes. GET. POST also worked, but for some reason the WebUI generated POSTs.

Of course, it was really secure because the GET was accompanied by a cookie, but I guess the cookie would fit in the early data. Not sure if it would survive a reboot, though.

Yoav
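The thread's two examples (a POST that moves money, and a GET whose query string reboots a firewall or disables its policy) are both replayable if they ride in 0-RTT early data. The following simulation is an added example, not code from the thread or from any of the products mentioned. It assumes the TLS terminator tells the application whether a request arrived in early data (modelled here as a boolean on the request; RFC 8470 later defined an `Early-Data: 1` header and the 425 Too Early status for exactly this purpose), and it constructs its own toy device state and request values. It shows a naive handler applying a replayed record three times, and a hardened handler that classifies requests by their actual side effects rather than by HTTP method alone, so the "safe" GET with `action=` is refused in early data just like the POST.

```python
"""Simulate 0-RTT replay of state-changing HTTP requests and a server-side mitigation.

Added example for the TLS-list thread above; all state and request values are
constructed for illustration. `early_data=True` stands in for whatever signal
the TLS terminator gives the application (e.g. an 'Early-Data: 1' header) that
the request was carried in replayable 0-RTT data.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# RFC 7231 "safe" methods: no side effects *by specification*. The router in the
# thread violates this, which is why the hardened handler does not trust it alone.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    method: str
    target: str           # request-target, e.g. "/mainpage.html?action=rebootDevice"
    early_data: bool      # True if the request arrived in 0-RTT (replayable) data
    body: str = ""        # form-encoded body for POST


@dataclass
class Device:
    """Constructed state: a router/firewall admin UI plus a toy transfer endpoint."""
    reboots: int = 0
    policy_enabled: bool = True
    balances: dict = field(default_factory=lambda: {"alice": 0, "bob": 100})


def apply_side_effect(dev: Device, req: Request) -> int:
    """Perform whatever state change the request asks for; returns an HTTP status."""
    parts = urlsplit(req.target)
    action = parse_qs(parts.query).get("action", [None])[0]
    if action == "rebootDevice":
        dev.reboots += 1
    elif action == "disablePolicy":
        dev.policy_enabled = False
    elif parts.path == "/transfer":
        params = parse_qs(req.body)            # e.g. "to=alice&amount=10"
        amount = int(params["amount"][0])
        dev.balances["bob"] -= amount
        dev.balances[params["to"][0]] += amount
    return 200


def is_state_changing(req: Request) -> bool:
    """True for non-safe methods, and for the 'GET ?action=...' endpoints the
    thread describes: safe method, unsafe semantics."""
    if req.method not in SAFE_METHODS:
        return True
    return "action" in parse_qs(urlsplit(req.target).query)


def naive_handler(dev: Device, req: Request) -> int:
    """Applies every request however it arrived: a replayed 0-RTT record repeats the effect."""
    return apply_side_effect(dev, req)


def hardened_handler(dev: Device, req: Request) -> int:
    """Refuses to act on state-changing requests carried in early data.
    425 Too Early tells the client to resend after the handshake completes,
    where the request is bound to this connection and cannot be replayed."""
    if req.early_data and is_state_changing(req):
        return 425
    return apply_side_effect(dev, req)


def replay(handler, req: Request, times: int):
    """Deliver the same request `times` times to a fresh device (what a replayed
    early-data record looks like to the server). Returns (statuses, device)."""
    dev = Device()
    statuses = [handler(dev, req) for _ in range(times)]
    return statuses, dev


def demo() -> dict:
    reboot = Request("GET", "/mainpage.html?action=rebootDevice", early_data=True)
    transfer = Request("POST", "/transfer", early_data=True, body="to=alice&amount=10")
    out = {}

    # Naive: three copies of one record, three side effects.
    _, d = replay(naive_handler, reboot, 3)
    out["naive_reboots"] = d.reboots                       # 3
    _, d = replay(naive_handler, transfer, 3)
    out["naive_alice"] = d.balances["alice"]               # 30, not 10

    # Hardened: nothing happens in early data, regardless of method.
    s, d = replay(hardened_handler, reboot, 3)
    out["hardened_reboot_statuses"], out["hardened_reboots"] = s, d.reboots
    s, d = replay(hardened_handler, transfer, 3)
    out["hardened_transfer_statuses"], out["hardened_alice"] = s, d.balances["alice"]

    # The client retries once the handshake is done: applied exactly once.
    dev = Device()
    out["retry_status"] = hardened_handler(dev, Request("POST", "/transfer", False, "to=alice&amount=10"))
    out["retry_alice"] = dev.balances["alice"]             # 10

    # A genuinely side-effect-free GET is still allowed in early data.
    out["safe_get_status"] = hardened_handler(Device(), Request("GET", "/mainpage.html", True))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The classification in `is_state_changing` is the part a real deployment has to get right: a rule of "reject non-safe methods in early data" would have let the router's `GET ?action=rebootDevice` through, so the decision must be made per endpoint by whoever knows its semantics, or early data must be disabled altogether for applications that cannot make it.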
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls