[Standards-JIG] JEP-0124 HTTP binding - remove key mechanism

Ian Paterson ian.paterson at clientside.co.uk
Mon Feb 23 22:21:44 UTC 2004


PROPOSAL
We remove the key/newkey mechanism from JEP-0124 (HTTP binding).

WHY?
If people are worried about security then they SHOULD use TLS/SSL with a
minimum 64-bit random session ID.

The key/newkey mechanism is ingenious, but it is almost useless for people
concerned about security. It only protects against the most casual replay
and interjection attacks.

Although it protects "against unauthorized users interjecting packets into a
session", it does not prevent unauthorized users appending bytes to a
packet. This is only slightly harder to achieve, and it enables the same
attacks.

- Ian




More information about the Standards mailing list