Re: HTTP/1.1 Request Smuggling Defense using Cryptographic Message Binding (new draft)
Willy Tarreau <w@1wt.eu> Wed, 22 October 2025 18:22 UTC
Received: by mail2.ietf.org (Postfix) id 8F9897A7ACD8; Wed, 22 Oct 2025 11:22:03 -0700 (PDT)
Delivered-To: ietfarch-httpbisa-archive-bis2juki@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 8DF997A7ACD7 for <ietfarch-httpbisa-archive-bis2Juki@mail2.ietf.org>; Wed, 22 Oct 2025 11:22:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -5.384
X-Spam-Level:
X-Spam-Status: No, score=-5.384 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.017, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=w3.org header.b="HZSLoAAL"; dkim=pass (2048-bit key) header.d=w3.org header.b="oogN+WrP"; dkim=pass (1024-bit key) header.d=1wt.eu header.b="ZrmP7yv+"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LK5zjthVCL_K for <ietfarch-httpbisa-archive-bis2Juki@mail2.ietf.org>; Wed, 22 Oct 2025 11:22:02 -0700 (PDT)
Received: from mab.w3.org (mab.w3.org [IPv6:2600:1f18:7d7a:2700:d091:4b25:8566:8113]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id CCD317A7ACD2 for <httpbisa-archive-bis2Juki@ietf.org>; Wed, 22 Oct 2025 11:22:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=Subject:In-Reply-To:Content-Type:MIME-Version:References:Message-ID: Cc:To:From:Date:Reply-To; bh=jzReThfcbx//jhP8rOJdPEOH201JMsZFf0N48f4ZqyA=; b= HZSLoAALwbAqHGXj0iFVjV6bOLmbzGufq5KtEf1BFSeSmbkK1obJgJrj3RZb5VLrdjXll5rKamoFZ 5SAOMhqeEYQTnIITM4jQ9G5NytnAvdNUy4XkTnvx+tx8u5wzF5RmqgIQtRj+F2qTzIqdT5O7Hcse8 wB/UWHU8rR7Av3KSHpvHd/8vYMbC6UGVHY9DNyxmN+KcBr+n6SVJ6LFZum9M8WDdM23jte9H0PY3v lAbgJ8WnEdLP7GBkF8aj6gsx4pCFmX6pMtRCXKqk/fD8R+EOkR0JZo8E1muX7dYXJyKgVz7KmTAcD Y1UB4LKU/SM0M9aONsKNNhzYEPEbbd/AwQ==;
Received: from lists by mab.w3.org with local (Exim 4.96) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1vBdSr-007juA-14 for ietf-http-wg-dist@listhub.w3.org; Wed, 22 Oct 2025 18:21:37 +0000
Resent-Date: Wed, 22 Oct 2025 18:21:37 +0000
Resent-Message-Id: <E1vBdSr-007juA-14@mab.w3.org>
Received: from ip-10-0-0-144.ec2.internal ([10.0.0.144] helo=pan.w3.org) by mab.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <w@1wt.eu>) id 1vBdSo-007jt1-0L for ietf-http-wg@listhub.w3.internal; Wed, 22 Oct 2025 18:21:34 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=w3.org; s=s1; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject: Cc:To:From:Date:Reply-To; bh=jzReThfcbx//jhP8rOJdPEOH201JMsZFf0N48f4ZqyA=; t=1761157294; x=1762021294; b=oogN+WrP+QRGCypANDU2ejgiCTARXkID4D7yuaRjx3aKPi8 dwtSjckTMtLy4bKWjbNbzsgHFpMfG+8sRJSj04Fj3LLz1VrZqEidzI7+8Re1QZwRc55IlTAyuTCir /tj3V9LID75eun9p43E3nwYhz/YqQBCA0XczQ/02b2JGVZOdrQYuImpHZg5f0wtCwUSIavPkzjO7q OTFqOBCcQmhSFMKtrSZz2GiPXMa0qmxLLKdxk9DLRn0DlmBadznPK044ETx7WAqKUg1Gvv+QqsI07 GuM03frIHBYxMle/6e7/+7fhN9tx9WRAf1KOZy1aXXMZ2s8xmxjTce5JyF79S3aw==;
Received-SPF: pass (pan.w3.org: domain of 1wt.eu designates 51.159.59.229 as permitted sender) client-ip=51.159.59.229; envelope-from=w@1wt.eu; helo=mta1.formilux.org;
Received: from mta1.formilux.org ([51.159.59.229]) by pan.w3.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from <w@1wt.eu>) id 1vBdSn-008o1L-0f for ietf-http-wg@w3.org; Wed, 22 Oct 2025 18:21:34 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1wt.eu; s=mail; t=1761157288; bh=jzReThfcbx//jhP8rOJdPEOH201JMsZFf0N48f4ZqyA=; h=From:Message-ID:From; b=ZrmP7yv+NwMnlZW/1mzF5FP1wOCV6dgruPYk8V06mczdUE0avd8Sf1tTk2oNWS/gm eqethy0Mc1wI947O1GHCuhAb8kHzjps55KON4ktG2jTZkioB5YZAnCngpNKrjurk3u EI7HZ1x/wKjKXkEV8BcxyZR+XoSbdH1kJC77/zrk=
Received: from 1wt.eu (ded1.1wt.eu [163.172.96.212]) by mta1.formilux.org (Postfix) with ESMTP id 6B6BFC06DD; Wed, 22 Oct 2025 20:21:28 +0200 (CEST)
Received: (from willy@localhost) by pcw.home.local (8.15.2/8.15.2/Submit) id 59MILSkQ030471; Wed, 22 Oct 2025 20:21:28 +0200
Date: Wed, 22 Oct 2025 20:21:28 +0200
From: Willy Tarreau <w@1wt.eu>
To: Erik Nygren <nygren@gmail.com>
Cc: Ben Schwartz <bemasc@meta.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <20251022182128.GA30436@1wt.eu>
References: <CAKC-DJiFM2i89siYYcpQzszw5etriYd8NiO8cKdP3=jsBkRJAw@mail.gmail.com> <DS0PR15MB56742947E7B75C18853C2A31B3F3A@DS0PR15MB5674.namprd15.prod.outlook.com> <CAKC-DJixYfzBpydL5gwGPkCgOyXPJrgSg_fBXurD9Zx5xbkQuw@mail.gmail.com> <DS0PR15MB56748181FB4966FA4C3F31ADB3F3A@DS0PR15MB5674.namprd15.prod.outlook.com> <CAKC-DJguVFCkzTs3dbya_Bc-DCM-pej=bkQ9NZ6VetUWXK+E+Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAKC-DJguVFCkzTs3dbya_Bc-DCM-pej=bkQ9NZ6VetUWXK+E+Q@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-W3C-Hub-DKIM-Status: validation passed: (address=w@1wt.eu domain=1wt.eu), signature is good
X-W3C-Hub-Spam-Status: No, score=-5.1
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, DMARC_PASS=-0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: pan.w3.org 1vBdSn-008o1L-0f 34515f30e1ad3b3600f17afeb6193176
X-Original-To: ietf-http-wg@w3.org
Subject: Re: HTTP/1.1 Request Smuggling Defense using Cryptographic Message Binding (new draft)
Archived-At: <https://www.w3.org/mid/20251022182128.GA30436@1wt.eu>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/53468
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/email/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>
On Wed, Oct 22, 2025 at 02:06:06PM -0400, Erik Nygren wrote: > Unassociated random numbers alone won't help enough with request > desynchronization. An attacker wanting to do something could just add > their own within a body to create a new request and get things > desynchronized. > > It might be worth thinking about if we can ditch negotiation though and > just use Begin-Headers on the first request on a persistent connection > to initialize things, where the number there is then incremented each time > by cranking a PRNG seeded off the first value in request? Please keep in mind that you're trying to close an ultra-rare tiny gap that temporarily affects some implementations. We don't need the level of security that one would need to secure data circulating in clear over a hostile channel, here we're speaking about stacks that have been proven for a long time and that are trying to slightly improve their safety by saying "if someone would manage to find a new smuggling attack we'd be more robust". But the purpose of that code is to never ever trigger the failure path. So it is important that this remains really inexpensive to have any chance to convince anyone to actually implement it. Also, with the begin-headers/end-headers, we cannot cover the request line, and smuggling definitely happens there (e.g. by inserting spaces in the method over H2/H3). IMHO we could reasonably imagine to hash the request line and mix it with a secret and a request counter over the connection, that is repeated both in begin-headers and end-headers. This would validate that the request line is intact and that the headers remain associated to that request. I'd even say that if we do this we don't need the begin-headers anymore, the end is sufficient since the request line is validated. And really, let's make sure the hash is ultra-cheap. We don't need something cryptographically secure here, so much more energy is spent trying to even find a vulnerable implementation that a very fast non-cryptographically secure hash will divide the probabilty enough that it will be sufficient to deter any attempt. Willy
- HTTP/1.1 Request Smuggling Defense using Cryptogr… Erik Nygren
- Re: HTTP/1.1 Request Smuggling Defense using Cryp… Demi Marie Obenour
- Re: HTTP/1.1 Request Smuggling Defense using Cryp… Willy Tarreau
- Re: HTTP/1.1 Request Smuggling Defense using Cryp… Erik Nygren
- Re: HTTP/1.1 Request Smuggling Defense using Cryp… Ben Schwartz
- Re: HTTP/1.1 Request Smuggling Defense using Cryp… Erik Nygren
- Re: HTTP/1.1 Request Smuggling Defense using Cryp… Ben Schwartz
- Re: HTTP/1.1 Request Smuggling Defense using Cryp… Erik Nygren
- Re: HTTP/1.1 Request Smuggling Defense using Cryp… Watson Ladd
- Re: HTTP/1.1 Request Smuggling Defense using Cryp… Erik Nygren
- Re: HTTP/1.1 Request Smuggling Defense using Cryp… Ben Schwartz
- Re: HTTP/1.1 Request Smuggling Defense using Cryp… Erik Nygren
- Countering HTTP/1.1 smuggling by only sending can… Demi Marie Obenour
- Re: HTTP/1.1 Request Smuggling Defense using Cryp… Kazuho Oku
- Re: HTTP/1.1 Request Smuggling Defense using Cryp… Demi Marie Obenour
- Re: HTTP/1.1 Request Smuggling Defense using Cryp… Ben Schwartz
- Re: HTTP/1.1 Request Smuggling Defense using Cryp… Ilari Liusvaara
- Re: HTTP/1.1 Request Smuggling Defense using Cryp… Willy Tarreau
- Re: HTTP/1.1 Request Smuggling Defense using Cryp… Michael Sweet
- Re: HTTP/1.1 Request Smuggling Defense using Cryp… Michael Sweet
- Re: HTTP/1.1 Request Smuggling Defense using Cryp… Demi Marie Obenour