Re: Design Issue: Overlong Frames

Martin Thomson <martin.thomson@gmail.com> Fri, 10 May 2013 17:37 UTC

On 9 May 2013 10:26, James M Snell <jasnell@gmail.com> wrote:
> Recommendation: Adding a short statement that a PROTOCOL_ERROR MUST be
> returned if a frame contains more bytes than what is expressly
> specified in the frame definition.

That would prevent extension unnecessarily.  And it doesn't do
anything to improve security.

When you want to harden security, you need to consider what equivalent
options are available to an attacker.  If I wanted to send you more
data, then I would use DATA frames.  Unless you can find a way to
curtail DATA, I see no reason to clamp down here.
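As an added illustration, not part of the thread and not code from either correspondent, the validator below shows the two regimes the exchange is arguing about: frame types whose definition fixes an exact payload length are rejected when overlong, while DATA payloads are bounded only by the advertised maximum frame size and flow control. It assumes the frame layout and type/error codes that RFC 7540 later standardised (9-octet header, 24-bit length), not the May 2013 draft; the frames fed to it are constructed.

```python
import struct

# Frame type and error codes as fixed in RFC 7540 (assumed here; the
# May 2013 draft used a different header layout).
DATA, PRIORITY, RST_STREAM, SETTINGS, PING, GOAWAY, WINDOW_UPDATE = 0, 2, 3, 4, 6, 7, 8
PROTOCOL_ERROR, FRAME_SIZE_ERROR = 1, 6
FLAG_PADDED = 0x8
DEFAULT_MAX_FRAME_SIZE = 16384  # initial value of SETTINGS_MAX_FRAME_SIZE

# Types whose definition fixes the payload to exactly N octets; any other
# length is the "overlong frame" case and is a connection error.
FIXED_LENGTH = {PRIORITY: 5, RST_STREAM: 4, PING: 8, WINDOW_UPDATE: 4}


def build_frame(ftype, payload, flags=0, stream_id=0):
    """Encode a 9-octet header (24-bit length, type, flags, 31-bit stream id) + payload."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload


def check_frame(buf, max_frame_size=DEFAULT_MAX_FRAME_SIZE):
    """Validate the first frame in buf.

    Returns (error_code, consumed): (None, 0) if more bytes are needed,
    (None, n) if the frame is well-formed and n octets long, or
    (error_code, 0) if the connection must be torn down.
    """
    if len(buf) < 9:
        return None, 0
    length = int.from_bytes(buf[:3], "big")
    ftype, flags = buf[3], buf[4]
    # Bound is checked before buffering the payload, so a peer cannot make
    # the receiver hold more than max_frame_size for a single frame.
    if length > max_frame_size:
        return FRAME_SIZE_ERROR, 0
    if len(buf) < 9 + length:
        return None, 0
    if ftype in FIXED_LENGTH and length != FIXED_LENGTH[ftype]:
        return FRAME_SIZE_ERROR, 0
    if ftype == SETTINGS and length % 6 != 0:
        return FRAME_SIZE_ERROR, 0
    if ftype == GOAWAY and length < 8:
        return FRAME_SIZE_ERROR, 0
    # DATA has no fixed length: its bytes are limited only by max_frame_size
    # and flow control. The one structural check is padding that claims more
    # octets than the payload holds, which is a PROTOCOL_ERROR.
    if ftype == DATA and flags & FLAG_PADDED and (length == 0 or buf[9] >= length):
        return PROTOCOL_ERROR, 0
    return None, 9 + length
```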