Re: HTTP router point-of-view concerns

Martin Thomson <martin.thomson@gmail.com> Thu, 11 July 2013 23:34 UTC

Date: Thu, 11 Jul 2013 16:32:57 -0700
Message-ID: <CABkgnnUbNYUWyf22vEqqo9hxLDuRnPHA=m0c_NWrdy_xJXoY7A@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Roberto Peon <grmocg@gmail.com>
Cc: Sam Pullara <spullara@gmail.com>, James M Snell <jasnell@gmail.com>, Amos Jeffries <squid3@treenet.co.nz>, HTTP Working Group <ietf-http-wg@w3.org>

On 11 July 2013 15:56, Roberto Peon <grmocg@gmail.com> wrote:
> Thus far, the feedback we've received from security experts indicates that it
> is comparable to an attack without the compression (i.e. requires
> exponential time w.r.t. the size of the plaintext, or comparable to forcing
> the use of a brute-force attack).

There are, of course, limitations on this.  If a particular header is
small, it becomes easier to guess.  If you were to, say, spread a
bearer token into small pieces across multiple headers, then you would
open yourself up to a CRIME-like attack.

That said, the value that an attacker can gain is fairly marginal, and
there are ways to mitigate this.

The security considerations will, ultimately, expand on these sorts of
caveats as our knowledge improves.
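The caveat above (whole-value matching makes guessing exponential in the value's size, but a token fragmented across small headers can be confirmed piece by piece) can be made concrete with a toy model. This is an added illustration, not code from the thread or from any HTTP/2 compression proposal: the one-byte table reference, the literal cost, the hex alphabet and the tiny constructed token are all assumptions chosen so the demonstration runs in well under a second.

```python
import itertools

# Toy whole-value header compressor (assumed model, not a real HTTP/2 scheme):
# a name:value pair already in the table is emitted as a 1-byte reference,
# anything else as a literal of opcode + name + value.
def encoded_size(headers):
    table = set()
    size = 0
    for name, value in headers:
        pair = (name.lower(), value)
        if pair in table:
            size += 1                             # table reference
        else:
            size += 1 + len(name) + len(value)    # literal
            table.add(pair)
    return size

def recover_value(victim_headers, name, length, alphabet):
    """Exhaustively guess one header value of known length, using only the
    encoded size as the oracle. Returns (value, guesses_used)."""
    base = encoded_size(victim_headers)
    literal_cost = 1 + len(name) + length
    guesses = 0
    for chars in itertools.product(alphabet, repeat=length):
        guesses += 1
        guess = "".join(chars)
        # A matching guess costs 1 byte instead of a full literal.
        if encoded_size(victim_headers + [(name, guess)]) < base + literal_cost:
            return guess, guesses
    return None, guesses

def recovery_cost(secret_headers, alphabet):
    """Recover every secret-bearing header independently; return the
    concatenated token and the total number of guesses needed."""
    recovered, total = [], 0
    for name, value in secret_headers:
        got, n = recover_value(secret_headers, name, len(value), alphabet)
        recovered.append(got)
        total += n
    return "".join(recovered), total

def worst_case(secret_headers, alphabet):
    """Upper bound on guesses: exponential per header, additive across headers."""
    return sum(len(alphabet) ** len(value) for _, value in secret_headers)

HEX = "0123456789abcdef"
# Constructed 4-hex-digit secret, sent whole vs. split across two headers.
WHOLE = [("authorization", "7c3e")]
SPLIT = [("x-tok-1", "7c"), ("x-tok-2", "3e")]
```

Under this model the whole token needs up to 16^4 = 65536 guesses, while the split token needs at most 2 * 16^2 = 512: the same secret, recovered far more cheaply once it is fragmented.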