[giow] (0) http+aes: Clarify that the nonce is zero and that thus the key must be fresh with each resource.

Affected topics: HTML, Security

git-svn-id: http://svn.whatwg.org/webapps@7014 340c8d12-0b0e-0410-8428-c7bf67bfef74
Hixie committed Mar 5, 2012
1 parent bce905a commit 4cdad80
Showing 3 changed files with 30 additions and 18 deletions.
16 changes: 10 additions & 6 deletions complete.html
Expand Up @@ -94760,12 +94760,12 @@ <h3 id=ping-from><span class=secno>16.8 </span><dfn title=http-ping-from><code>P
<dd>Same as <code title="">http</code>, except that the message
body must be decrypted by applying the AES-CTR algorithm using the
key specified in the URL's <code title="">userinfo</code>
component, after unescaping it from the URL syntax to bytes. If
there is no such component, or if that component, when unescaped
from the URL syntax to bytes, does not consist of exactly 16, 24,
or 32 bytes, then the user agent must act as if the resource could
not be obtained due to a network error, and may report the problem
to the user.</dd>
component, after unescaping it from the URL syntax to bytes, and
using a zero nonce. If there is no such component, or if that
component, when unescaped from the URL syntax to bytes, does not
consist of exactly 16, 24, or 32 bytes, then the user agent must
act as if the resource could not be obtained due to a network
error, and may report the problem to the user.</dd>
<dt>Encoding considerations:</dt>
<dd>Same as <code title="">http</code>, but the <code title="">userinfo</code> component represents bytes encoded using
ASCII and the URL escape mechanism.</dd>
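Review bot: "using a zero nonce" in the new text leaves the CTR counter block underspecified. AES-CTR keystream blocks are AES encryptions of a 16-byte counter block, and implementations differ in whether the counter occupies the whole block or only its low 32 bits, whether it starts at 0 or 1, and whether it increments big- or little-endian; each choice gives a different keystream, so two conforming user agents could decrypt the same body to different bytes. Suggest spelling it out, for example: "the initial counter block is sixteen zero bytes and is incremented as a 128-bit big-endian integer for each successive block". The block is 16 bytes for all three permitted key lengths (16, 24, or 32 bytes), which is worth stating next to the key-length check.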
Expand Down Expand Up @@ -94811,6 +94811,10 @@ <h3 id=ping-from><span class=secno>16.8 </span><dfn title=http-ping-from><code>P
categorised by an attacker watching network traffic or with access
to the system hosting the files without the attacker ever having
to decrypt the "data.json" files.</p>
<p>Each resource encrypted in this fashion must use a fresh key.
Otherwise, an attacker can use commonalities in the resources'
plaintexts to determine the key and decrypt all the resources
sharing a key.</p>
<p>The security considerations that apply to <code title="">http</code> apply as well.</p>
</dd>
<!--REMOVE-TOPIC:Security-->
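Review bot: "determine the key" in the added paragraph overstates what key reuse gives away. With a fixed zero nonce, every resource encrypted under the same key is XORed with the same keystream, so an attacker can XOR two ciphertexts to obtain the XOR of the plaintexts and, wherever one plaintext is known or guessable (the JSON structure described just above), recover the keystream at those positions and read the other resources there; the AES key itself is not recovered. Suggest: "Otherwise, an attacker can use commonalities in the resources' plaintexts to recover the keystream and decrypt all the resources sharing a key."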
16 changes: 10 additions & 6 deletions index
Expand Up @@ -94760,12 +94760,12 @@ if (s = prompt('What is your name?')) {
<dd>Same as <code title="">http</code>, except that the message
body must be decrypted by applying the AES-CTR algorithm using the
key specified in the URL's <code title="">userinfo</code>
component, after unescaping it from the URL syntax to bytes. If
there is no such component, or if that component, when unescaped
from the URL syntax to bytes, does not consist of exactly 16, 24,
or 32 bytes, then the user agent must act as if the resource could
not be obtained due to a network error, and may report the problem
to the user.</dd>
component, after unescaping it from the URL syntax to bytes, and
using a zero nonce. If there is no such component, or if that
component, when unescaped from the URL syntax to bytes, does not
consist of exactly 16, 24, or 32 bytes, then the user agent must
act as if the resource could not be obtained due to a network
error, and may report the problem to the user.</dd>
<dt>Encoding considerations:</dt>
<dd>Same as <code title="">http</code>, but the <code title="">userinfo</code> component represents bytes encoded using
ASCII and the URL escape mechanism.</dd>
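Review bot: the decryption rule added here gives the body no integrity protection, and the surrounding text does not say so. AES-CTR is malleable: flipping a bit of the ciphertext flips the same bit of the decrypted body, and with a fixed zero nonce an attacker who knows or can guess part of the plaintext can rewrite it to chosen content without the key. Since the "network error" branch fires only on a missing or malformed key, a tampered body is accepted as a successful fetch. Either pair the mode with an authentication tag, or state in the security considerations that http+aes provides confidentiality only.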
Expand Down Expand Up @@ -94811,6 +94811,10 @@ if (s = prompt('What is your name?')) {
categorised by an attacker watching network traffic or with access
to the system hosting the files without the attacker ever having
to decrypt the "data.json" files.</p>
<p>Each resource encrypted in this fashion must use a fresh key.
Otherwise, an attacker can use commonalities in the resources'
plaintexts to determine the key and decrypt all the resources
sharing a key.</p>
<p>The security considerations that apply to <code title="">http</code> apply as well.</p>
</dd>
<!--REMOVE-TOPIC:Security-->
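Review bot: the "must use a fresh key" requirement added here falls on whoever encrypts the resources, yet nothing in the user agent processing model can check or enforce it (the agent only validates the key length), so the paragraph should say explicitly that it is a requirement on the publisher of the resource. It should also cover re-encryption: if a resource is updated and re-encrypted under its existing key, the old and new ciphertexts share a keystream exactly as two different resources would, so "each encryption of a resource" is the safer wording.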
16 changes: 10 additions & 6 deletions source
Expand Up @@ -110632,12 +110632,12 @@ if (s = prompt('What is your name?')) {
<dd>Same as <code title="">http</code>, except that the message
body must be decrypted by applying the AES-CTR algorithm using the
key specified in the URL's <code title="">userinfo</code>
component, after unescaping it from the URL syntax to bytes. If
there is no such component, or if that component, when unescaped
from the URL syntax to bytes, does not consist of exactly 16, 24,
or 32 bytes, then the user agent must act as if the resource could
not be obtained due to a network error, and may report the problem
to the user.</dd>
component, after unescaping it from the URL syntax to bytes, and
using a zero nonce. If there is no such component, or if that
component, when unescaped from the URL syntax to bytes, does not
consist of exactly 16, 24, or 32 bytes, then the user agent must
act as if the resource could not be obtained due to a network
error, and may report the problem to the user.</dd>
<dt>Encoding considerations:</dt>
<dd>Same as <code title="">http</code>, but the <code
title="">userinfo</code> component represents bytes encoded using
Expand Down Expand Up @@ -110684,6 +110684,10 @@ if (s = prompt('What is your name?')) {
categorised by an attacker watching network traffic or with access
to the system hosting the files without the attacker ever having
to decrypt the "data.json" files.</p>
<p>Each resource encrypted in this fashion must use a fresh key.
Otherwise, an attacker can use commonalities in the resources'
plaintexts to determine the key and decrypt all the resources
sharing a key.</p>
<p>The security considerations that apply to <code
title="">http</code> apply as well.</p>
</dd>
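Review bot: the added paragraph states the fresh-key rule but not its reason, even though the reason is the zero nonce introduced in the hunk above; a reader of this section alone cannot tell why key reuse is fatal here when it is routine in other AES-CTR deployments that vary the nonce. Suggest adding one sentence such as "Because the nonce is always zero, two resources encrypted with the same key are encrypted with the same keystream." That also ties the two requirements together, so that any future change to the nonce rule prompts an update here.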