christopher@baus.net wrote:
So what do you think? Is security worth
non-compliance with the HTTP spec?
I think you are "poisoning the well" with this
statement. If following the spec entailed the
insecurity you attribute to it, then non-compliance
might be a valid position. However, I don't think you
have shown this to be the case.
There is nothing in the HTTP/1.1 spec that requires a
400 response to include unwise information disclosure,
and soliciting a 400 response is hardly the only way
to do fingerprinting or reconnaissance of the
application. Your principal argument is that 400
responses result in information disclosure that would
useful to a hacker. But the real-world problem of
information disclosure falls pretty squarely on the
shoulders of implementors and application developers,
not on the wire protocol!
The inclusion 400 response informing the user-agent
that the request was malformed is not a flaw in the
HTTP spec. If we all agreed to eliminate the 400
response and just drop connections, there would remain
more than enough opportunities for an application or
server to tell a hacker all about itself.
It is also worth pointing out that the spec does not
prevent your particular server from taking defensive
measures against the sender if you believe that a 400
response strongly indicates a malicious user. For
example you could close a persistent connection after
sending the (scrubbed?) 400 response and refuse to
process subsequent requests from the sender for some
period of time.
-Garth Somerville
__________________________________
Celebrate Yahoo!'s 10th Birthday!
Yahoo! Netrospective: 100 Moments of the Web
http://birthday.yahoo.com/netrospective/
