Re: MITM and proxy messages [was: Call for Adoption: draft-song-dns-wireformat-http]
Amos Jeffries <squid3@treenet.co.nz> Mon, 08 August 2016 19:38 UTC
To: ietf-http-wg@w3.org
References: <57A76F02.4020708@mathemainzel.info> <20160807175029.8D8B213E9B@welho-filter4.welho.com>
From: Amos Jeffries <squid3@treenet.co.nz>
Message-ID: <fec82cec-2e4f-e717-01f7-ff6918cc67bd@treenet.co.nz>
Date: Tue, 09 Aug 2016 00:32:57 +1200
In-Reply-To: <20160807175029.8D8B213E9B@welho-filter4.welho.com>
Subject: Re: MITM and proxy messages [was: Call for Adoption: draft-song-dns-wireformat-http]
Archived-At: <http://www.w3.org/mid/fec82cec-2e4f-e717-01f7-ff6918cc67bd@treenet.co.nz>
On 8/08/2016 5:50 a.m., Kari hurtta wrote:
> https://lists.w3.org/Archives/Public/ietf-http-wg/2016JulSep/0390.html
>
>> configured proxies are not the bug; why not just simply use plain HTML?
>>
>> your sample could then just be this simple:
>>
>> HTTP/1.1 403 Forbidden
>> Content-Type: text/html
>> Cache-Control: no-cache
>>
>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>> <HTML>
>
> Major browsers do not show this when they get
> that on response of CONNECT -request.
>
> Bug 637619 - Display better error messages when HTTPS proxy servers return non-200 error codes
> https://bugzilla.mozilla.org/show_bug.cgi?id=637619
>

The more relevant and core issue here is #479880 (aka CVE-2009-1835).

Adam's quick solution:
<https://bugzilla.mozilla.org/show_bug.cgi?id=479880#c2>

Henrik's solution:
<https://bugzilla.mozilla.org/show_bug.cgi?id=479880#c75>

So would anyone authoring a browser care to explain why Adam's quick-fix is still being used today by all browsers and Henrik's solution is discarded out of hand on grounds of being "unsafe"? For values of "unsafe" which under close inspection turn out to be straw-man arguments about this CVE existing when _neither_ solution is used.

If you notice, the logic in comment #8 of that bug will also mean that *any* payload on any type of response will be discarded on CONNECT. That includes the Draft proposed JSON message body.

Amos
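As an added illustration (not code from this message, from Mozilla, or from any browser), the client-side decision the thread turns on: a raw CONNECT reply from the proxy is parsed, only a 2xx opens the tunnel, and for any other status the client keeps the status line for its own error page and drops the payload rather than rendering it, whether that payload is the HTML sample quoted above or a JSON body. The proxy replies and the JSON content are constructed for the example.

```python
"""Client-side handling of a proxy's reply to CONNECT (constructed example).

Models the behaviour described in the thread: a client treats only a 2xx
CONNECT reply as an open tunnel; for any other status it surfaces the status
line and discards the payload, which is why neither an HTML nor a JSON body
from the proxy ever reaches the user.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ConnectOutcome:
    status: int
    reason: str
    content_type: Optional[str]  # logged for diagnostics, never rendered
    tunnel_open: bool
    discarded_bytes: int         # payload bytes the client refused to use


def build_connect_request(host: str, port: int) -> bytes:
    """The client side of the exchange: CONNECT host:port HTTP/1.1."""
    authority = f"{host}:{port}"
    return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode()


def handle_connect_response(raw: bytes) -> ConnectOutcome:
    """Parse the proxy's reply and decide whether a tunnel now exists.

    Only the status line and headers are used. The body of a non-2xx reply
    belongs to the proxy, not to the requested origin, so it is dropped.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete response head")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"malformed status line: {lines[0]!r}")
    code = int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if 200 <= code < 300:
        # Tunnel mode: bytes after the blank line are the tunnel stream
        # (e.g. TLS), not an HTTP body, so nothing is discarded.
        return ConnectOutcome(code, reason, None, True, 0)
    # Any other status: report "code reason" to the user, drop the payload.
    return ConnectOutcome(code, reason, headers.get("content-type"), False, len(body))


# Constructed proxy replies: the HTML 403 quoted in the thread, a JSON
# variant (constructed content), and a successful tunnel.
HTML_403 = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
            b"Cache-Control: no-cache\r\n\r\n"
            b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\r\n<HTML>')
JSON_403 = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: application/json\r\n\r\n"
            b'{"reason": "policy"}')
OK_200 = b"HTTP/1.1 200 Connection established\r\n\r\n"
```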