On Mon, Sep 15, 2014 at 11:51 AM, Stephen Kent <[email protected]> wrote:

> I read the rationale. Is there a good baseline of experience showing that
> JSON parsers are not very exploitable today?

Well, increasingly, more or less every Internet facing API is JSON-over-HTTP; the amount of JSON in circulation is huge. So, nothing in the world is 100% debugged, but production JSON parsers are among the better-tested software suites in the world. It also helps that the JSON format is very stripped-down and doesn’t provide a very rich attack surface.

--
- Tim Bray (If you’d like to send me a private message, see https://keybase.io/timbray)
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
