Re: base64

From: Greg A. Woods (woods_at_weird.com)
Date: 09/27/03

    Date: Sat, 27 Sep 2003 03:03:48 -0400 (EDT)
    To: "Steven M. Christey" <coley@mitre.org>
    
    

    [ On Friday, September 26, 2003 at 16:56:54 (-0400), Steven M. Christey wrote: ]
    > Subject: Re: base64
    >
    > > "Be liberal in what you accept, and conservative in what you send."
    > > -- jon
    > > RFC-1122 (originates in RFC760)
    >
    > Funny you bring up that quote, as I've been thinking about it for a
    > while now too.
    >
    > I think that's wisdom for a different time, at least security-wise.

    I don't think the so-called "Robustness Principle" was ever intended to
    trump anything to do with security.

    As I understand it the Robustness Principle is meant to guide the design
    and implementation of communications protocols in an effort to promote
    interoperability between otherwise correct and complete implementations,
    and _nothing_ more.

    The principle was most certainly not intended to guide the policies
    which sites using any given protocol implementation might impose on top
    of it.

    The Robustness Principle was certainly not meant to allow for the kind
    of "speling correction" mechanisms which are causing problems with MIME,
    HTML, and similar. Many people have made this mistake over the years,
    and some seem to continue to make this mistake, but it is none the less
    a mistake to interpret the Robustness Principle in such a way,
    especially when the result may create new risks.

    One must still be very careful to never trust unvalidated and
    un-authenticated data received from any public network connection.

    -- 
    						Greg A. Woods
    +1 416 218-0098                  VE3TCP            RoboHack <woods@robohack.ca>
    Planix, Inc. <woods@planix.com>          Secrets of the Weird <woods@weird.com>
    
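The base64 case the thread is named after is a concrete instance of the point made above: a "liberal" decoder that silently drops stray characters, invents missing padding and ignores leftover bits will turn bytes into a message that a stricter implementation (a content filter, say) never saw. The following is an added example, not code from the original message or its author; `strict_b64decode`, `lenient_b64decode` and the sample inputs are constructed for illustration and are not part of the thread.

```python
import base64
import binascii
import re

# Canonical alphabet (RFC 4648 section 4) followed by at most two '=' pads,
# with nothing allowed after the padding.
_CANONICAL_B64 = re.compile(r'[A-Za-z0-9+/]*={0,2}')


def strict_b64decode(text: str) -> bytes:
    """Decode only canonical base64; raise ValueError for anything else.

    Rejects non-alphabet characters (including whitespace and line breaks),
    lengths that are not a multiple of 4, misplaced or excess padding, and
    encodings whose unused trailing bits are not zero, i.e. input that a
    lenient decoder would accept but that does not round-trip.
    """
    if not _CANONICAL_B64.fullmatch(text):
        raise ValueError("non-alphabet character or misplaced padding")
    if len(text) % 4 != 0:
        raise ValueError("length is not a multiple of 4")
    try:
        raw = base64.b64decode(text, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"malformed base64: {exc}") from exc
    # Round-trip check: "QR==" decodes to b"A" but re-encodes as "QQ==",
    # so the two strings are distinct inputs that name the same bytes.
    if base64.b64encode(raw).decode("ascii") != text:
        raise ValueError("non-canonical encoding (trailing bits not zero)")
    return raw


def strict_accepts(text: str) -> bool:
    """True if strict_b64decode would accept the input."""
    try:
        strict_b64decode(text)
    except ValueError:
        return False
    return True


def lenient_b64decode(text: str) -> bytes:
    """Decode the way a 'be liberal in what you accept' decoder often does.

    Drops every character outside the alphabet, discards a dangling single
    character, pads to a multiple of 4 and ignores non-zero leftover bits.
    This is the behaviour being criticised, shown here for contrast.
    """
    cleaned = re.sub(r"[^A-Za-z0-9+/]", "", text)
    if len(cleaned) % 4 == 1:
        cleaned = cleaned[:-1]          # one stray sextet cannot form a byte
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned)    # default mode ignores leftover bits


# Constructed sample inputs: one canonical string and four variants that a
# lenient decoder "corrects" into the same or similar output.
SAMPLES = [
    "SGVsbG8=",        # canonical encoding of b"Hello"
    "SGVs bG8=\n",     # embedded whitespace and a trailing newline
    "SGVsbG8",         # padding missing
    "SGVs*bG8=",       # a non-alphabet character in the middle
    "QR==",            # non-canonical trailing bits; canonical form is "QQ=="
]


def compare(samples=SAMPLES):
    """Return (input, strict result or None, lenient result) for each sample."""
    rows = []
    for s in samples:
        strict = strict_b64decode(s) if strict_accepts(s) else None
        rows.append((s, strict, lenient_b64decode(s)))
    return rows


if __name__ == "__main__":
    for s, strict, lenient in compare():
        print(f"{s!r:16} strict={strict!r:10} lenient={lenient!r}")
```

Only the first sample survives the strict decoder; the other four are accepted by the lenient one and yield `b"Hello"` or `b"A"`. Where a filter and a consumer disagree in this way, the filter is not inspecting what the consumer will actually process, which is the risk the message above warns about.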
