<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi Daniel,<div class=""><br class=""></div><div class="">The word “only” makes it sound like a small issue, at least to my ears.</div><div class=""><br class=""></div><div class="">Best </div><div class=""><br class=""></div><div class="">Gerry</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 2 Sep 2020, at 13:33, Daniel-Constantin Mierla <<a href="mailto:miconda@gmail.com" class="">miconda@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252" class="">
<div class=""><p class="">Hello,<br class="">
</p>
<div class="moz-cite-prefix">On 02.09.20 12:53, Gerry | Rigatta
wrote:<br class="">
</div>
<blockquote type="cite" cite="mid:EBEE194E-9833-4EA7-9412-F23B196243D2@rigatta.com" class="">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252" class="">
[...]
<div class=""><br class="">
</div>
<div class="">I can only guess that Maxim took offence with your
wording here, which can be understood as downplaying the risk</div>
<div class="">
<blockquote type="cite" class="">
<div class="">
<blockquote type="cite" cite="mid:CAH7qZftTyfXonBKm48LY9hQ1kfoto8_FzAxmsHBvOF854faJaw@mail.gmail.com" class="">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin: 0px 0px
0px 0.8ex; border-left-width: 1px; border-left-style:
solid; border-left-color: rgb(204, 204, 204);
padding-left: 1ex;">The <b class="">only</b> security
risk in my opinion</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote><p class="">please provide further details why is downplaying. Have you
identified another security risk? I would like to be aware of and
also let the others know. Or maybe something else is wrong in my
statement, my English is not native and likely not the best out
there, I am eager to learn from you and do better from the future.<br class="">
</p><p class="">Using custom header names to tighten or loose the security is a
per-deployment specific approach, expected that only an insider
knows it, but then such guy has probably access to more important
sensitive data (such as subscriber passwords, etc.).</p><p class="">Based on my review (I could be wrong of course, but I stated
clear is my opinion), none of the standard security related specs
were where impacted -- user authentication, routing, etc ...
that's the reason the bug lived for so long time.</p><p class="">Cheers,<br class="">
Daniel<br class="">
</p>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla -- <a class="moz-txt-link-abbreviated" href="http://www.asipto.com/">www.asipto.com</a>
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Funding: <a class="moz-txt-link-freetext" href="https://www.paypal.me/dcmierla">https://www.paypal.me/dcmierla</a></pre>
</div>
</div></blockquote></div><br class=""></div></body></html>