Re: Design Issue: Overlong Frames

Martin Thomson <martin.thomson@gmail.com> Fri, 10 May 2013 22:24 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C080921F93D4 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 10 May 2013 15:24:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.071
X-Spam-Level:
X-Spam-Status: No, score=-10.071 tagged_above=-999 required=5 tests=[AWL=0.528, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q8S+BTWUvVaC for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 10 May 2013 15:24:19 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 7049C21F9012 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 10 May 2013 15:24:18 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1UavhM-0005oR-On for ietf-http-wg-dist@listhub.w3.org; Fri, 10 May 2013 22:21:56 +0000
Resent-Date: Fri, 10 May 2013 22:21:56 +0000
Resent-Message-Id: <E1UavhM-0005oR-On@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <martin.thomson@gmail.com>) id 1Uavh8-0005ng-5j for ietf-http-wg@listhub.w3.org; Fri, 10 May 2013 22:21:42 +0000
Received: from mail-we0-f175.google.com ([74.125.82.175]) by maggie.w3.org with esmtps (TLS1.0:RSA_ARCFOUR_SHA1:16) (Exim 4.72) (envelope-from <martin.thomson@gmail.com>) id 1Uavh7-00023D-J8 for ietf-http-wg@w3.org; Fri, 10 May 2013 22:21:42 +0000
Received: by mail-we0-f175.google.com with SMTP id p57so4420843wes.6 for <ietf-http-wg@w3.org>; Fri, 10 May 2013 15:21:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=beuNyNyUhhHsLDLnHl3eskREq4by/xoyx/GuEN9E8Pg=; b=F60DhqiDaU2HTC/wrwVanQrmDuay5ZPEf3WbNQs+8N4VziIro5wfRFiKiyPVh7AE/r AdtcA8WQmqHOyalXPv4p9taNtcho6qrRJVxUmnM9qx+xC0mPKWPElh/xo3Bv9wnvPEeK 2MTWH+4O+JIiOtGPkBX7O2kM+988CLFPXQJBm2pLrepaVfmTLagg5JSgEkWsnpMW/dnY l5zikQ9qRv8/jnwyn21s/2rmIYly5bF+f6zUPCZ91Uy2Evhd8upsbk7S2vXXl1N+IrZ1 pFQAALExhGUu1n+22Hwy4J2WnjTVElyWzaUp3EJOrs8o4BOFVp/T1MkZ/CfK4bBK2Oe2 IqIQ==
MIME-Version: 1.0
X-Received: by 10.194.63.239 with SMTP id j15mr27388003wjs.30.1368224475514; Fri, 10 May 2013 15:21:15 -0700 (PDT)
Received: by 10.194.33.102 with HTTP; Fri, 10 May 2013 15:21:15 -0700 (PDT)
In-Reply-To: <CABP7RbcjQP3Drd7PneBRurSk+offePyNuu=c4CRODDwQw5Czwg@mail.gmail.com>
References: <CABP7RbewOju850tE2GV2U4JZVawGTFGoWoYF7LaofGdKcXYqZg@mail.gmail.com> <CABkgnnXZY7aSRmVb-GsfDVpq3+cNXRh_MeUipWGVHUwQreUV6g@mail.gmail.com> <CABP7RbcjQP3Drd7PneBRurSk+offePyNuu=c4CRODDwQw5Czwg@mail.gmail.com>
Date: Fri, 10 May 2013 15:21:15 -0700
Message-ID: <CABkgnnUa1q=YCmvQV0yOUDPh-MEY=XQ-+wVTJW8mSS0zUe-i6A@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: James M Snell <jasnell@gmail.com>
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Content-Type: text/plain; charset=UTF-8
Received-SPF: pass client-ip=74.125.82.175; envelope-from=martin.thomson@gmail.com; helo=mail-we0-f175.google.com
X-W3C-Hub-Spam-Status: No, score=-3.5
X-W3C-Hub-Spam-Report: AWL=-2.665, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001
X-W3C-Scan-Sig: maggie.w3.org 1Uavh7-00023D-J8 73f341e775623140e1541f15c994b2f7
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Design Issue: Overlong Frames
Archived-At: <http://www.w3.org/mid/CABkgnnUa1q=YCmvQV0yOUDPh-MEY=XQ-+wVTJW8mSS0zUe-i6A@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17941
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 10 May 2013 14:36, James M Snell <jasnell@gmail.com> wrote:
> FWIW, one possible attack vector this would help mitigate is "frame smuggling"..
>
> For example, suppose an attacker is sending a request through a proxy
> that is designed to filter out certain kinds of bad requests. The
> attacker determines that while the proxy properly examines both the
> size and type of a frame, it ignores extraneous bytes in known frame
> types and simply passes those thru.

There is your problem right there.  A proxy that wants to prevent this
sort of covert activity needs to look for unknown frame types, unknown
headers, unknown message bodies AND unknown frame parameters.

It should also look for all of the other covert channels in HTTP, of
which there are a wondrously large number available.  It would be a
sorry smuggler who had to resort to message timing for their covert
channel in this protocol.