Re: p1: additional security considerations

Mark Nottingham <mnot@mnot.net> Tue, 23 April 2013 06:18 UTC

Return-Path: <ietf-http-wg-request@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25C8921F966B for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 22 Apr 2013 23:18:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.505
X-Spam-Level:
X-Spam-Status: No, score=-10.505 tagged_above=-999 required=5 tests=[AWL=0.094, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gi0C9nenlKGY for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Mon, 22 Apr 2013 23:18:04 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) by ietfa.amsl.com (Postfix) with ESMTP id 83EB421F965F for <httpbisa-archive-bis2Juki@lists.ietf.org>; Mon, 22 Apr 2013 23:18:04 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.72) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1UUWY3-0000v9-UD for ietf-http-wg-dist@listhub.w3.org; Tue, 23 Apr 2013 06:17:51 +0000
Resent-Date: Tue, 23 Apr 2013 06:17:51 +0000
Resent-Message-Id: <E1UUWY3-0000v9-UD@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtp (Exim 4.72) (envelope-from <mnot@mnot.net>) id 1UUWY0-0000uF-Bw for ietf-http-wg@listhub.w3.org; Tue, 23 Apr 2013 06:17:48 +0000
Received: from mxout-08.mxes.net ([216.86.168.183]) by maggie.w3.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <mnot@mnot.net>) id 1UUWXz-0005zD-Ct for ietf-http-wg@w3.org; Tue, 23 Apr 2013 06:17:48 +0000
Received: from [192.168.1.80] (unknown [118.209.190.66]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id B0A8C509B5; Tue, 23 Apr 2013 02:17:25 -0400 (EDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <20130423061506.GB8496@1wt.eu>
Date: Tue, 23 Apr 2013 16:17:22 +1000
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <071385B9-5E81-4E71-82B7-20E0DA7C1A24@mnot.net>
References: <43ED2599-CE89-4C0C-8EEF-E3A6200E8662@mnot.net> <20130423061506.GB8496@1wt.eu>
To: Willy Tarreau <w@1wt.eu>
X-Mailer: Apple Mail (2.1503)
Received-SPF: pass client-ip=216.86.168.183; envelope-from=mnot@mnot.net; helo=mxout-08.mxes.net
X-W3C-Hub-Spam-Status: No, score=-3.3
X-W3C-Hub-Spam-Report: AWL=-3.331, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001
X-W3C-Scan-Sig: maggie.w3.org 1UUWXz-0005zD-Ct a193074cb84a150025f1feee0ebedcc0
X-Original-To: ietf-http-wg@w3.org
Subject: Re: p1: additional security considerations
Archived-At: <http://www.w3.org/mid/071385B9-5E81-4E71-82B7-20E0DA7C1A24@mnot.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/17485
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On 23/04/2013, at 4:15 PM, Willy Tarreau <w@1wt.eu> wrote:

> On Tue, Apr 23, 2013 at 04:02:22PM +1000, Mark Nottingham wrote:
>> Just wondering if we need to explicitly point out the security considerations
>> around the following:
>> 
>> * Message routing -- it's somewhat common AIUI for intermediaries to only
>> route on the Host header, for performance reasons; i.e., they do not
>> reconstruct the effective request URI (as required by p1 5.5). I know there's
>> a theoretical risk here, but is there a real-world risk that we should point
>> out?
> 
> I see no particular risk since the Host header field is mandatory. Also in
> practice, intermediaries which "route" requests tend to be very close to
> the servers, at places where the security considerations are very specific
> to the environment and explicitly covered in this intermediary's configuration.

That's what I was wondering. What concerned me was that people deploy load balancers in front of proxies, and virus scanners, etc. I don't have a specific attack in mind, it just feels like there probably is one.


> Maybe we should point one thing though, which is not related to intermediaries
> but all recipients in general : recipients of a request message which consider
> the Host header field to decide about what content to serve must ensure of its
> unicity before serving the request. Otherwise the risk is that an intermediary
> could use a first instance to route the request and that a server would use the
> last one for example.
> 
>> * Message delimitation - the consequences for getting message delimitation
>> wrong (whether it's regarding multiple content-length headers, processing 1xx
>> responses correctly, etc.) are now well-understood. Should we point it out
>> explicitly in SC?
> 
> Yes I think that's important to add something about this, especially since
> I discovered a few weeks ago a "security" product which was able to "fix"
> badly chunked data ! It was quite scary to imagine that an improperly chunked
> content which could possibly contain whatever is needed to embed different
> contents could be converted to whatever this component considered valid by
> skipping undesired data before chunk lengths and recomposing new valid ones!
> It looks like some developers don't understand the security implications of
> their choices.
> 
> Cheers,
> Willy
> 

--
Mark Nottingham   http://www.mnot.net/