On Thu, Dec 8, 2011 at 5:07 PM, Adam Barth <w...@adambarth.com> wrote:
> Keep in mind that streamed or chunked uploads will expose the ability
> to exploit the BEAST vulnerability in SSL:
>
> http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html
Right. Specifically, it needs to be a cross-origin streamed request
without significant uncontrollable headers and/or masking.

> Whatever spec we end up going with should note in its security
> consideration that the user agent must implement TLS 1.2 or greater to
> avoid this attack.

I believe it's actually TLS 1.1, since the relevant feature is explicit IVs.
Or you could allow RC4, I guess.

Best,
-Ekr
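The following is an added worked example (editorial, not code from the thread or from either poster) showing why the explicit per-record IV is the feature that matters here. It models a CBC record layer two ways: TLS 1.0 style, where the IV of each record is the last ciphertext block of the previous record, and TLS 1.1 style, where each record carries a fresh random IV. The attacker model is the one in the thread: a cross-origin streamed request lets the attacker feed chosen plaintext blocks into the victim's connection one record at a time while watching the ciphertext. Assumptions: a toy HMAC-based Feistel permutation stands in for AES (the attack only needs a deterministic block cipher), MAC and padding are omitted, and the sample request and cookie byte are constructed for the demo.

```python
import hashlib
import hmac
import os

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel_round(key: bytes, half: bytes, rnd: int) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy keyed permutation on 16-byte blocks (4-round Feistel over
    HMAC-SHA256). It stands in for AES only so the example runs on the
    standard library; the attack depends on CBC chaining, not on the cipher."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _feistel_round(key, right, rnd))
    return left + right


class CBCRecordSender:
    """Sending side of a CBC record layer (no MAC or padding; neither affects
    the IV issue). chained=True mimics TLS 1.0: the IV of each record is the
    last ciphertext block of the previous record, so an eavesdropper knows it
    before the next plaintext is chosen. chained=False mimics TLS 1.1+: a
    fresh random explicit IV is drawn per record at encryption time."""

    def __init__(self, key: bytes, chained: bool) -> None:
        self.key = key
        self.chained = chained
        self.last_block = os.urandom(BLOCK)  # initial IV from the key block

    def send(self, plaintext: bytes) -> bytes:
        assert len(plaintext) % BLOCK == 0
        prev = self.last_block if self.chained else os.urandom(BLOCK)
        out = []
        for i in range(0, len(plaintext), BLOCK):
            prev = toy_block_encrypt(self.key, xor(plaintext[i:i + BLOCK], prev))
            out.append(prev)
        self.last_block = prev
        return b"".join(out)  # what the attacker sees on the wire


def beast_recover_byte(victim: CBCRecordSender, observed: bytes,
                       target_block: int, known_prefix: bytes):
    """Blockwise chosen-plaintext probe (the BEAST primitive). The attacker
    saw `observed` on the wire, knows the first 15 bytes of plaintext block
    `target_block`, and can make the victim encrypt one chosen block per probe
    on the same connection. Returns the recovered last byte, or None if no
    guess matched (which is what happens with explicit IVs)."""
    assert len(known_prefix) == BLOCK - 1 and target_block >= 1
    blocks = [observed[i:i + BLOCK] for i in range(0, len(observed), BLOCK)]
    c_prev, c_target = blocks[target_block - 1], blocks[target_block]
    next_iv = blocks[-1]  # under chaining, the IV of the attacker's next record
    for g in range(256):
        guess = known_prefix + bytes([g])
        # With IV == next_iv the victim emits E(probe ^ next_iv) = E(guess ^ c_prev),
        # which equals c_target exactly when guess is the secret block.
        probe = xor(xor(next_iv, c_prev), guess)
        ct = victim.send(probe)
        next_iv = ct[-BLOCK:]  # chaining continues from our own record
        if ct[:BLOCK] == c_target:
            return g
    return None


def demo(chained: bool, secret_byte: int = 0x37):
    """Constructed scenario: the victim sends a request whose second block is
    a known 15-byte prefix plus one unknown cookie byte, the alignment an
    attacker arranges by padding the request path (byte-at-a-time BEAST)."""
    victim = CBCRecordSender(os.urandom(BLOCK), chained)
    prefix = b"Cookie: sid=abc"  # 15 bytes, assumed known to the attacker
    request = b"GET / HTTP/1.1\r\n" + prefix + bytes([secret_byte])
    observed = victim.send(request)
    return beast_recover_byte(victim, observed, 1, prefix)


if __name__ == "__main__":
    print("TLS 1.0-style chained IV :", demo(chained=True))   # 55, i.e. the 0x37 cookie byte
    print("TLS 1.1-style explicit IV:", demo(chained=False))  # None
```

With chained IVs the attacker recovers the unknown byte in at most 256 probes and then shifts the alignment by one to attack the next byte; with a per-record random IV the attacker must commit to the probe plaintext before the IV exists, so the equality test never fires. This is why TLS 1.1's explicit IVs, rather than anything specific to TLS 1.2, are what close the attack; a stream cipher such as RC4 avoids it by having no chaining at all, at the cost of RC4's own problems.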