ioggstream / draft-polli-resource-digests-http

THIS REPO WAS MOVED TO https://github.com/httpwg/http-extensions/
https://httpwg.org/http-extensions/draft-ietf-httpbis-digest-headers.html

Sign content-length to mitigate length-extension attacks #38

Closed ioggstream closed 5 years ago

ioggstream commented 5 years ago

This PR

Suggests signing content-length when using digest algorithms subject to length-extension attacks.

ioggstream commented 5 years ago

@LPardue This was suggested to me, but on second thought it seems invalid to me.

The length-extension attack impacts the overall signature string and imho is not related to Digest per se.

The Digest header explicitly doesn't provide Authorization, so as long as the Length-Extension Attack is this one https://en.wikipedia.org/wiki/Length_extension_attack, this seems invalid to me.
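Added illustration of the attack the comment above links to, written for this page and not taken from the draft or its repository. It runs a compact SHA-256 whose internal state can be seeded from a known hash, then forges a tag for an extended message when the tag was computed as SHA256(secret || message) with only the length of the secret known. The same procedure against an HMAC tag fails, and an unkeyed Digest value can simply be recomputed by anyone, so there is nothing to extend there. The secret, the signed string, and the appended bytes are constructed test data; `sha256_raw` and `length_extend` are names chosen for this example.

```python
import hashlib
import hmac
import struct

# SHA-256 round constants and initial state (FIPS 180-4).
_K = [
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
]
_H0 = (0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
       0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19)
_M32 = 0xFFFFFFFF


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & _M32


def sha256_padding(msg_len: int) -> bytes:
    """Merkle-Damgard padding for a message of msg_len bytes: 0x80, zeros, 64-bit bit length."""
    zeros = (55 - msg_len) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack(">Q", msg_len * 8)


def sha256_raw(data: bytes, state=_H0, total_len=None) -> bytes:
    """Hash `data` starting from `state`; pad as if total_len bytes preceded the padding.

    With the defaults this is plain SHA-256. Seeding `state` from a known digest and
    giving the original (secret + message + glue) length as total_len is the extension."""
    if total_len is None:
        total_len = len(data)
    data = data + sha256_padding(total_len)
    h = list(state)
    for off in range(0, len(data), 64):
        w = list(struct.unpack(">16L", data[off:off + 64]))
        for i in range(16, 64):
            s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
            s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
            w.append((w[i - 16] + s0 + w[i - 7] + s1) & _M32)
        a, b, c, d, e, f, g, hh = h
        for i in range(64):
            t1 = (hh + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
                  + ((e & f) ^ (~e & g)) + _K[i] + w[i]) & _M32
            t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
                  + ((a & b) ^ (a & c) ^ (b & c))) & _M32
            hh, g, f, e, d, c, b, a = g, f, e, (d + t1) & _M32, c, b, a, (t1 + t2) & _M32
        h = [(x + y) & _M32 for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return struct.pack(">8L", *h)


def length_extend(tag: bytes, secret_len: int, msg: bytes, ext: bytes):
    """Given tag = SHA256(secret || msg) and len(secret), forge (msg', tag') with
    tag' = SHA256(secret || msg') and msg' = msg || glue || ext, without the secret."""
    glue = sha256_padding(secret_len + len(msg))      # padding the verifier's hash will absorb
    forged_msg = msg + glue + ext
    state = struct.unpack(">8L", tag)                  # resume the compression from the tag
    forged_tag = sha256_raw(ext, state=state, total_len=secret_len + len(forged_msg))
    return forged_msg, forged_tag


def self_check(data: bytes) -> bool:
    """Sanity check of the local SHA-256 against hashlib."""
    return sha256_raw(data) == hashlib.sha256(data).digest()


def demo():
    """Constructed scenario: the attacker knows a signed string, its tag and len(secret)."""
    secret = b"constructed-secret"                      # constructed; attacker knows only its length
    signed = b"content-length: 5\ndigest: sha-256=...\n"
    ext = b"x-injected: yes\n"
    # Secret-prefix construction SHA256(secret || string): the forged tag verifies.
    tag = hashlib.sha256(secret + signed).digest()
    forged, forged_tag = length_extend(tag, len(secret), signed, ext)
    prefix_forged = hmac.compare_digest(hashlib.sha256(secret + forged).digest(), forged_tag)
    # HMAC-SHA256: the tag is not an exposed chaining state, so the same trick is rejected.
    htag = hmac.new(secret, signed, hashlib.sha256).digest()
    _, bogus = length_extend(htag, len(secret), signed, ext)
    hmac_forged = hmac.compare_digest(hmac.new(secret, forged, hashlib.sha256).digest(), bogus)
    # An unkeyed Digest header involves no secret: anyone can hash the new body directly,
    # so extension adds no capability there; the attack only matters for the keyed construction.
    return prefix_forged, hmac_forged


if __name__ == "__main__":
    print("secret-prefix tag forged:", demo()[0], "| HMAC tag forged:", demo()[1])
```

The forged body includes the glue padding bytes, so a verifier that also checks a signed Content-Length against the actual body length would notice the mismatch; whether that belongs in Digest or in the signature string is the question the comment raises.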