[httpapi] Re: HTTP->HTTPS redirects bad for API traffic?
Martin Thomson <mt@lowentropy.net> Thu, 05 September 2024 00:05 UTC
Date: Thu, 05 Sep 2024 10:05:04 +1000
From: Martin Thomson <mt@lowentropy.net>
To: Mike Bishop <mbishop@evequefou.be>, "Salz, Rich" <rsalz@akamai.com>, Lucas Pardue <lucas@lucaspardue.com>, "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, "httpapi@ietf.org" <httpapi@ietf.org>
CC: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/httpapi/qEybdBLftI3EBXtnJfVeBiRwI5M>
Thanks for doing this, Mike. I opened https://github.com/richsalz/draft-rsalz-httpapi-privacy/issues/7 because I think that this business has a much simpler solution. That issue looks at clients, but the problem is uniform. The IETF can make a stronger recommendation here and it should.

On Thu, Aug 29, 2024, at 05:07, Mike Bishop wrote:
> As promised, a first pass of our draft is posted as https://www.ietf.org/archive/id/draft-rsalz-httpapi-privacy-00.html. The GitHub repo is at https://github.com/richsalz/draft-rsalz-httpapi-privacy.
>
> Rather than simply "don't redirect," the draft has evolved into a set of recommendations for servers which are expecting credentialed requests. Not all of them will be feasible for every server, and that's okay; it aims to discuss some strategies that can be used to reduce the risk of credential disclosure.
>
> I note there was some discussion about which error code to use; that's currently not addressed, but might be in scope and is the topic of https://github.com/richsalz/draft-rsalz-httpapi-privacy/issues/3.
>
> *From:* Salz, Rich <rsalz@akamai.com>
> *Sent:* Tuesday, June 4, 2024 10:32 AM
> *To:* Lucas Pardue <lucas@lucaspardue.com>; Mike Bishop <mbishop@evequefou.be>; Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org>; httpapi@ietf.org
> *Cc:* Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
> *Subject:* Re: [httpapi] Re: HTTP->HTTPS redirects bad for API traffic?
>
> I think, for the API case, there's a header field or parameter that has an API key. That should probably be revoked if a request is sent via plaintext. Browsers put up a warning if you're about to send a password via HTTP.
>
> Mike and I are going to draft something in this area, let me/us know if you want to participate (but we will submit to this WG for adoption).
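The server-side behaviour the thread is circling (answer a plaintext request that already carries an API key with an error rather than a redirect, and treat that key as exposed) can be sketched as a small request filter. This is an added illustration, not code from the draft or from any participant; the credential field names, the 301/403 status choices and the in-memory revocation set are assumptions for the example.

```python
"""Handle credentialed API requests that arrived over plaintext HTTP.

Added example, not from the draft or the thread participants. The policy
(reject instead of redirect, and revoke the exposed key) is an assumption
based on the discussion; the draft itself leaves the error code open.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Fields assumed to carry credentials for this example.
CREDENTIAL_HEADERS = ("authorization", "x-api-key")
CREDENTIAL_PARAMS = ("api_key", "access_token")


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


@dataclass
class RevocationLog:
    """Stand-in for the key store's revocation list (constructed for the example)."""
    revoked: set = field(default_factory=set)


def extract_credential(headers, query):
    """Return the first credential found in the headers or query string, else None."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in CREDENTIAL_HEADERS:
        if name in lowered:
            return lowered[name]
    params = parse_qs(query)
    for name in CREDENTIAL_PARAMS:
        if name in params:
            return params[name][0]
    return None


def handle_plaintext_policy(scheme, host, path, query, headers, log):
    """Return None for https (normal handling continues), otherwise a Response.

    A plaintext request without credentials gets the usual redirect. One that
    already carried a key is not redirected, because the secret is exposed
    either way and a redirect would just make the client resend it as if
    nothing had happened; the key is recorded for revocation and the request
    is refused.
    """
    if scheme == "https":
        return None
    cred = extract_credential(headers, query)
    if cred is None:
        target = f"https://{host}{path}" + (f"?{query}" if query else "")
        return Response(301, {"Location": target})
    log.revoked.add(cred)
    return Response(403, {"Content-Type": "text/plain"},
                    "credential was sent over plaintext HTTP; it has been revoked")
```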