Stefan Arentz <sare...@mozilla.com> writes:

> I don’t know if this is a common technique that is used in the wild.

This is a particular example of a technique that is used in the wild.

It is a consequence of Postel's Law.  I call it a "Postel Bug".

Software that accepts "out-of-spec" inputs in order to interoperate
necessarily does so on an ad hoc basis.  So, two different
implementations can treat malformed inputs differently.  This is exactly
what is happening with the malware detection software and your software.

I've written up some other examples here:

    http://trevorjim.com/postels-law-and-network-security/
    http://trevorjim.com/postels-law-and-security-again/
    http://trevorjim.com/postels-law-is-not-for-you/

-Trevor
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
