Re: p1: additional security considerations

Mark Nottingham <> Tue, 23 April 2013 06:18 UTC

From: Mark Nottingham <>
To: Willy Tarreau <>
Cc: " Group" <>
Date: Tue, 23 Apr 2013 16:17:22 +1000

On 23/04/2013, at 4:15 PM, Willy Tarreau <> wrote:

> On Tue, Apr 23, 2013 at 04:02:22PM +1000, Mark Nottingham wrote:
>> Just wondering if we need to explicitly point out the security considerations
>> around the following:
>> * Message routing -- it's somewhat common AIUI for intermediaries to only
>> route on the Host header, for performance reasons; i.e., they do not
>> reconstruct the effective request URI (as required by p1 5.5). I know there's
>> a theoretical risk here, but is there a real-world risk that we should point
>> out?
> I see no particular risk since the Host header field is mandatory. Also in
> practice, intermediaries which "route" requests tend to be very close to
> the servers, at places where the security considerations are very specific
> to the environment and explicitly covered in this intermediary's configuration.

That's what I was wondering. What concerned me was that people deploy load balancers in front of proxies, and virus scanners, etc. I don't have a specific attack in mind, it just feels like there probably is one.

> Maybe we should point one thing though, which is not related to intermediaries
> but all recipients in general: recipients of a request message which consider
> the Host header field to decide about what content to serve must ensure its
> uniqueness before serving the request. Otherwise the risk is that an intermediary
> could use a first instance to route the request and that a server would use the
> last one for example.
>> * Message delimitation - the consequences for getting message delimitation
>> wrong (whether it's regarding multiple content-length headers, processing 1xx
>> responses correctly, etc.) are now well-understood. Should we point it out
>> explicitly in SC?
> Yes I think that's important to add something about this, especially since
> I discovered a few weeks ago a "security" product which was able to "fix"
> badly chunked data! It was quite scary to imagine that an improperly chunked
> content which could possibly contain whatever is needed to embed different
> contents could be converted to whatever this component considered valid by
> skipping undesired data before chunk lengths and recomposing new valid ones!
> It looks like some developers don't understand the security implications of
> their choices.
> Cheers,
> Willy

Mark Nottingham
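The two points raised in the exchange above, Host uniqueness for routing and unambiguous message delimitation, come down to a recipient refusing to guess. The following is an added example, not code from the thread or from any product it mentions: a deliberately strict HTTP/1.1 request framer that rejects a request with zero or several Host fields, with Content-Length values that disagree, with both Content-Length and Transfer-Encoding present, or with a chunk-size line that is anything other than hex digits (plus an optional extension), so that bytes in front of a chunk size are an error rather than something to skip over and "fix". It assumes HTTP/1.1 only and a single `chunked` coding; the sample requests in the test are constructed for illustration. The checks follow RFC 7230 sections 3.3 and 5.4, which is the published form of the p1 draft discussed here.

```python
"""Strict HTTP/1.1 request framing checker (added example, not from the thread)."""
import re

# chunk-size = 1*HEXDIG [ chunk-ext ]; nothing may precede the hex digits
_CHUNK_SIZE = re.compile(rb"^([0-9A-Fa-f]+)(;[^\r\n]*)?$")
# field-name = token (RFC 7230 3.2.6); whitespace before ":" is rejected (3.2.4)
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class FramingError(ValueError):
    """Raised for any request whose routing or length is ambiguous."""


def _parse_headers(head):
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or parts[2] != b"HTTP/1.1":   # assumption: HTTP/1.1 only
        raise FramingError("bad request line: %r" % lines[0])
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep or not _TOKEN.match(name):
            raise FramingError("malformed header line: %r" % line)
        headers.append((name.lower(), value.strip(b" \t")))
    return parts[0], parts[1], headers


def _decode_chunked(data):
    """Decode a chunked body; return (body, bytes left over after the trailer)."""
    body = bytearray()
    pos = 0
    while True:
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise FramingError("truncated chunk-size line")
        m = _CHUNK_SIZE.match(data[pos:end])
        if not m:
            # leading whitespace or junk before the size is rejected, never skipped
            raise FramingError("malformed chunk-size: %r" % data[pos:end])
        size = int(m.group(1), 16)
        pos = end + 2
        if size == 0:
            break
        chunk = data[pos:pos + size]
        if len(chunk) != size or data[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("chunk data not followed by CRLF")
        body += chunk
        pos += size + 2
    while True:  # trailer section: well-formed field lines, then an empty line
        end = data.find(b"\r\n", pos)
        if end < 0:
            raise FramingError("truncated trailer")
        line = data[pos:end]
        pos = end + 2
        if not line:
            return bytes(body), data[pos:]
        name, sep, _ = line.partition(b":")
        if not sep or not _TOKEN.match(name):
            raise FramingError("malformed trailer: %r" % line)


def parse_request(raw):
    """Parse one request; raise FramingError instead of resolving an ambiguity."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("header block not terminated")
    method, target, headers = _parse_headers(head)

    # Routing: exactly one Host, so no two recipients can pick different ones.
    hosts = [v for n, v in headers if n == b"host"]
    if len(hosts) != 1:
        raise FramingError("expected exactly one Host field, got %d" % len(hosts))

    # Delimitation: repeated or comma-listed Content-Length must all agree,
    # and Content-Length never coexists with Transfer-Encoding.
    cl_values = set()
    for n, v in headers:
        if n == b"content-length":
            for item in v.split(b","):
                item = item.strip(b" \t")
                if not item.isdigit():
                    raise FramingError("non-numeric Content-Length: %r" % item)
                cl_values.add(int(item))
    te = [v for n, v in headers if n == b"transfer-encoding"]
    if len(cl_values) > 1:
        raise FramingError("conflicting Content-Length values: %s" % sorted(cl_values))
    if te and cl_values:
        raise FramingError("Content-Length and Transfer-Encoding both present")

    if te:
        codings = [t.strip(b" \t").lower() for t in b",".join(te).split(b",")]
        if codings != [b"chunked"]:   # assumption: only plain "chunked" handled
            raise FramingError("unsupported Transfer-Encoding: %r" % te)
        body, remainder = _decode_chunked(rest)
    else:
        length = cl_values.pop() if cl_values else 0
        if len(rest) < length:
            raise FramingError("body shorter than Content-Length")
        body, remainder = rest[:length], rest[length:]
    return {"method": method, "target": target, "host": hosts[0],
            "headers": headers, "body": body, "remainder": remainder}


def is_rejected(raw):
    """True if parse_request refuses the message as ambiguous."""
    try:
        parse_request(raw)
    except FramingError:
        return True
    return False
```

Leftover bytes after a correctly delimited body are returned as `remainder` rather than rejected, since on a persistent connection they are simply the next pipelined request; the danger the thread describes is precisely two hops disagreeing on where that boundary is, which this framer avoids by refusing to choose.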