Re: p1: additional security considerations

Willy Tarreau <w@1wt.eu> Tue, 23 April 2013 06:58 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FF7821F8AD8 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 22 Apr 2013 23:58:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.153
X-Spam-Level:
X-Spam-Status: No, score=-10.153 tagged_above=-999 required=5 tests=[AWL=0.446, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WJI-pjBm6edo for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 22 Apr 2013 23:58:52 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id A557121F9669 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 22 Apr 2013 23:58:52 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1UUXBN-0002St-4i for ietf-http-wg-dist@listhub.w3.org; Tue, 23 Apr 2013 06:58:29 +0000
Resent-Date: Tue, 23 Apr 2013 06:58:29 +0000
Resent-Message-Id: <E1UUXBN-0002St-4i@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <w@1wt.eu>) id 1UUXBJ-0002S8-E3 for ietf-http-wg@listhub.w3.org; Tue, 23 Apr 2013 06:58:25 +0000
Received: from 1wt.eu ([62.212.114.60]) by maggie.w3.org with esmtp (Exim 4.72) (envelope-from <w@1wt.eu>) id 1UUXB4-0007Vk-1Q for ietf-http-wg@w3.org; Tue, 23 Apr 2013 06:58:19 +0000
Received: (from willy@localhost) by mail.home.local (8.14.4/8.14.4/Submit) id r3N6tQOa010829; Tue, 23 Apr 2013 08:55:26 +0200
Date: Tue, 23 Apr 2013 08:55:25 +0200
From: Willy Tarreau <w@1wt.eu>
To: Mark Nottingham <mnot@mnot.net>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <20130423065525.GF8496@1wt.eu>
References: <43ED2599-CE89-4C0C-8EEF-E3A6200E8662@mnot.net> <20130423061506.GB8496@1wt.eu> <071385B9-5E81-4E71-82B7-20E0DA7C1A24@mnot.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <071385B9-5E81-4E71-82B7-20E0DA7C1A24@mnot.net>
User-Agent: Mutt/1.4.2.3i
Received-SPF: pass client-ip=62.212.114.60; envelope-from=w@1wt.eu; helo=1wt.eu
X-W3C-Hub-Spam-Status: No, score=-3.0
X-W3C-Hub-Spam-Report: AWL=-3.034, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001
X-W3C-Scan-Sig: maggie.w3.org 1UUXB4-0007Vk-1Q 66bf4b8ec49a4b4774d11611dd01dbab
X-Original-To: ietf-http-wg@w3.org
Subject: Re: p1: additional security considerations
Archived-At: <http://www.w3.org/mid/20130423065525.GF8496@1wt.eu>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17487
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Tue, Apr 23, 2013 at 04:17:22PM +1000, Mark Nottingham wrote:
> 
> On 23/04/2013, at 4:15 PM, Willy Tarreau <w@1wt.eu> wrote:
> 
> > On Tue, Apr 23, 2013 at 04:02:22PM +1000, Mark Nottingham wrote:
> >> Just wondering if we need to explicitly point out the security considerations
> >> around the following:
> >> 
> >> * Message routing -- it's somewhat common AIUI for intermediaries to only
> >> route on the Host header, for performance reasons; i.e., they do not
> >> reconstruct the effective request URI (as required by p1 5.5). I know there's
> >> a theoretical risk here, but is there a real-world risk that we should point
> >> out?
> > 
> > I see no particular risk since the Host header field is mandatory. Also in
> > practice, intermediaries which "route" requests tend to be very close to
> > the servers, at places where the security considerations are very specific
> > to the environment and explicitly covered in this intermediary's configuration.
> 
> That's what I was wondering. What concerned me was that people deploy load
> balancers in front of proxies, and virus scanners, etc. I don't have a
> specific attack in mind, it just feels like there probably is one.

At least in my experience, when deploying a load balancer in front of a proxy
farm or anti-virus farm, parts of the URI are used more than the Host header
field. For example, you can have an LB which decides that requests for file
ending in ".mpg" do not pass through the virus scanner and go directly to the
proxy, but in return the content-type must absolutely match "video/mpeg"
otherwise they're blocked (it's just an example).

That's why I think that the security considerations are much more of a global
thing in such deployments than just a matter of correctly relying on the Host
header field.

Willy