Re: MITM and proxy messages [was: Call for Adoption: draft-song-dns-wireformat-http]

Amos Jeffries <squid3@treenet.co.nz> Mon, 08 August 2016 19:38 UTC

To: ietf-http-wg@w3.org
References: <57A76F02.4020708@mathemainzel.info> <20160807175029.8D8B213E9B@welho-filter4.welho.com>
From: Amos Jeffries <squid3@treenet.co.nz>
Message-ID: <fec82cec-2e4f-e717-01f7-ff6918cc67bd@treenet.co.nz>
Date: Tue, 09 Aug 2016 00:32:57 +1200
In-Reply-To: <20160807175029.8D8B213E9B@welho-filter4.welho.com>
Subject: Re: MITM and proxy messages [was: Call for Adoption: draft-song-dns-wireformat-http]
Archived-At: <http://www.w3.org/mid/fec82cec-2e4f-e717-01f7-ff6918cc67bd@treenet.co.nz>

On 8/08/2016 5:50 a.m., Kari hurtta wrote:
> https://lists.w3.org/Archives/Public/ietf-http-wg/2016JulSep/0390.html
> 
>> configured proxies are not the bug; why not just simply use plain HTML?
>>
>> your sample could then just be this simple:
>>
>> HTTP/1.1 403 Forbidden
>> Content-Type: text/html
>> Cache-Control: no-cache
>>
>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>> <HTML>
> 
> Major browsers do not show this when they get
> that on response of CONNECT -request.
> 
> Bug 637619 - Display better error messages when HTTPS proxy servers return non-200 error codes 
> https://bugzilla.mozilla.org/show_bug.cgi?id=637619
> 

The more relevant and core issue here is #479880 (aka CVE-2009-1835).

Adam's quick solution:
 <https://bugzilla.mozilla.org/show_bug.cgi?id=479880#c2>


Henrik's solution:
 <https://bugzilla.mozilla.org/show_bug.cgi?id=479880#c75>


So would anyone authoring a browser care to explain why Adam's quick-fix
is still being used today by all browsers and Henrik's solution is
discarded out of hand on grounds of being "unsafe". For values of
"unsafe" which under close inspection turn out to be straw-man arguments
about this CVE existing when _neither_ solution is used.

If you notice, the logic in comment #8 of that bug will also mean that
*any* payload on any type of response will be discarded on CONNECT. That
includes the Draft proposed JSON message body.

Amos
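An added example, not code from this thread, from Squid, or from any browser, showing the client-side behaviour the message above is arguing about: a CONNECT client that, on a non-2xx reply from the proxy, surfaces the status line and headers but drains and drops the body instead of handing it up as content, so a proxy-authored page can never be rendered as if it came from the HTTPS target. The proxy it talks to is a constructed stand-in that runs on localhost; the "allowed." label rule, the echo tunnel and the Content-Length-only body draining are assumptions made for this example, not protocol or browser facts.

```python
import socket
import threading

# Constructed sample body: what a policy-enforcing proxy might send with a 403.
FORBIDDEN_BODY = b"<!DOCTYPE html><html><body>Blocked by proxy policy.</body></html>"


def _read_head(conn):
    """Read bytes until the end of the HTTP message head; return (head, leftover)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed before end of message head")
        buf += chunk
    head, rest = buf.split(b"\r\n\r\n", 1)
    return head, rest


def _fake_proxy_handler(conn):
    """Stand-in proxy (constructed for this example): tunnels CONNECT targets under
    the hypothetical 'allowed.' label and answers 403 with an HTML body for the rest."""
    head, _ = _read_head(conn)
    target = head.split(b" ", 2)[1]
    if target.startswith(b"allowed."):
        conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
        # Tunnel: echo one chunk back so the client can prove it now talks "through".
        conn.sendall(conn.recv(4096))
    else:
        conn.sendall(b"HTTP/1.1 403 Forbidden\r\n"
                     b"Content-Type: text/html\r\n"
                     b"Cache-Control: no-cache\r\n"
                     b"Content-Length: %d\r\n\r\n" % len(FORBIDDEN_BODY)
                     + FORBIDDEN_BODY)
    conn.close()


def start_fake_proxy():
    """Listen on an ephemeral localhost port, serve exactly one connection, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        try:
            _fake_proxy_handler(conn)
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def connect_via_proxy(proxy_port, target):
    """Send CONNECT to the proxy and classify its reply.

    2xx: the socket is now a tunnel; every further byte (including any leftover
    read with the head) belongs to the target, not the proxy.
    Anything else: return status, reason and headers, drain the body (Content-Length
    framing only, an assumption of this example) and drop it. The body is never
    returned, so no caller can render proxy content in the target's context.
    """
    sock = socket.create_connection(("127.0.0.1", proxy_port))
    sock.sendall(b"CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n"
                 % (target.encode(), target.encode()))
    head, rest = _read_head(sock)
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if 200 <= status < 300:
        return {"status": status, "reason": reason, "headers": headers,
                "tunnel": sock, "leftover": rest, "body_discarded": 0}
    discarded = len(rest)
    length = int(headers.get("content-length", "0"))
    while discarded < length:
        chunk = sock.recv(4096)
        if not chunk:
            break
        discarded += len(chunk)
    sock.close()
    return {"status": status, "reason": reason, "headers": headers,
            "tunnel": None, "body_discarded": discarded}


if __name__ == "__main__":
    port = start_fake_proxy()
    print(connect_via_proxy(port, "blocked.example:443"))
```

The point of the split return shape is that the error path hands back only what a UI can safely show in the browser's own chrome (status, reason, headers) and a byte count, never the markup; the success path hands back the raw socket, because after a 2xx nothing the proxy says is an HTTP message any more.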