JJ / 2020-WCCI-variable-attack-surface

Paper on optimal nginx configuration for generating variable attack surfaces
GNU General Public License v3.0

Clarify how a human expert on the topic would compare to the algorithm (rev 2) #41

Open JJ opened 4 years ago

JJ commented 4 years ago

I miss the comparison with a real expert. If I understood correctly, the best solution seems to be found in very early generations (if not the first). How would a human (expert on the topic) compare with the proposed algorithm?

JJ commented 4 years ago

Looking at the values in the last generation, there's only one that's consistently 0, the nosniff option. That could have been implemented by hand, but there are 700 possible configuration directives and it's impossible for a human expert to know which values are the best; even if it's "secure by default", it's impossible to know if changing a specific value will make it more secure or not. An optimization approach to both hardening and generation of multiple values is safer, and also more efficient.
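One way to make the check described above repeatable (which directives the final population agrees on, versus those that still vary and form the variable attack surface), as an added example that is not the paper's or the repository's code; the population, directive names and encoded values are constructed:

```python
# Added example, not from the paper or repository: inspect the final generation
# of an evolutionary run over nginx configuration vectors and split directives
# into those fixed across the whole population (like nosniff in the comment)
# and those that still vary between individuals.
from collections import Counter

# Constructed sample population: each individual maps directive -> encoded value.
LAST_GENERATION = [
    {"nosniff": 0, "server_tokens": 0, "keepalive_timeout": 65, "gzip": 1},
    {"nosniff": 0, "server_tokens": 0, "keepalive_timeout": 30, "gzip": 0},
    {"nosniff": 0, "server_tokens": 1, "keepalive_timeout": 65, "gzip": 1},
    {"nosniff": 0, "server_tokens": 0, "keepalive_timeout": 15, "gzip": 1},
]


def directive_consensus(population, threshold=1.0):
    """Return (fixed, variable).

    fixed maps each directive to the value shared by at least `threshold`
    of the population; variable maps the remaining directives to their
    observed value distribution, i.e. the part of the surface that varies.
    """
    if not population:
        raise ValueError("empty population")
    directives = set().union(*(ind.keys() for ind in population))
    fixed, variable = {}, {}
    for name in sorted(directives):
        # Missing directives count as None so partial individuals do not crash.
        counts = Counter(ind.get(name) for ind in population)
        value, count = counts.most_common(1)[0]
        if count / len(population) >= threshold:
            fixed[name] = value
        else:
            variable[name] = dict(counts)
    return fixed, variable


if __name__ == "__main__":
    fixed, variable = directive_consensus(LAST_GENERATION)
    print("fixed across the population:", fixed)
    print("still varying:", variable)
```

Lowering `threshold` (e.g. 0.75) reports directives the population has nearly, but not fully, converged on.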