Re: [hybi] Draft 13 - a bit too historical about the masking debate

Willy Tarreau <w@1wt.eu> Thu, 01 September 2011 05:53 UTC

Date: Thu, 01 Sep 2011 07:54:37 +0200
From: Willy Tarreau <w@1wt.eu>
To: Greg Wilkins <gregw@intalio.com>
Message-ID: <20110901055437.GS2075@1wt.eu>
References: <CAH_y2NE1qbADKXNLkixc5MEPyQ5-zwLNH55Y6n_gSQn5Mxgh4A@mail.gmail.com>
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] Draft 13 - a bit too historical about the masking debate

Hi Greg,

On Thu, Sep 01, 2011 at 12:02:05PM +1000, Greg Wilkins wrote:
> Draft 13 contains a lot of text about the reasons for masking.   That
> must not have been easy to write and for the most part it reads well.
> However I'm not sure we should go into so much detail about the
> history of the disagreements and the process.  Specifically I think
> the following paragraph:
> 
>   To avoid such attacks on deployed intermediaries, the working group
>    decided to adopt a solution that would provably protect against such
>    attacks.  There were many proposed solutions that people argued
>    "should" protect against the above attacks, such as adding in more
>    random data and null bytes to the handshake, starting each frame with
>    a byte that has the first (highest order) bit set such that the data
>    appears to be non-ASCII, and so forth, but in the end none of these
>    solutions were provably secure.  The deployed intermediaries were
>    already not conforming to existing specifications, and given that we
>    can't possibly enumerate all of the ways in which such
>    nonconformities could exhibit themselves and that we cannot
>    exhaustively discover and test each nonconformant intermediary
>    against each possible attack, there was consensus to adopt an
>    approach that did not require people to reason about how
>    nonconformant intermediaries might behave.  Namely, the working group
>    decided to mask all data from the client to the server, so that the
>    remote script (attacker) does not have control over how the data
>    being sent appears on the wire, and thus cannot construct a message
>    that could be misinterpreted by an intermediary as an HTTP request.
> 
> 
> could be changed to something like
> 
>   To provably avoid such attacks on deployed intermediaries, it is not
>   sufficient to prefix application supplied data with framing that is not
>   compliant HTTP, as it is not possible to exhaustively discover and test
>   that each nonconformant intermediary does not skip such non HTTP
>   framing and act incorrectly on the frame payload.  Thus the defence
>   adopted is to mask all data from the client to the server, so that the
>   remote script (attacker) does not have control over how the data being
>   sent appears on the wire, and thus cannot construct a message that
>   could be misinterpreted by an intermediary as an HTTP request.

Well, I have nothing against the original version, but yours looks fine
to me too and is shorter. One thing I like in the first one is that it
insists more on convincing the reader that there's no point claiming
that this masking is stupid and useless. But we probably don't really
care what people will think once the draft is released anyway.

Willy
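As an added illustration of the mechanism both paragraphs above describe (example code written for this archive page, not from the draft or from either author): the client XORs its payload with a 4-byte key it chooses per frame, so the bytes on the wire are not under the script's control, and the server fails the connection on any client frame that arrives unmasked. Function names and the fixed test key are my own; the frame layout follows RFC 6455.

```python
import os
import struct


def mask_payload(payload, mask_key):
    """XOR every payload byte with mask_key[i % 4] (RFC 6455, section 5.3).
    XOR is its own inverse, so the same call unmasks."""
    if len(mask_key) != 4:
        raise ValueError("mask key must be exactly 4 bytes")
    return bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))


def build_client_frame(payload, mask_key=None):
    """Single-fragment text frame as a client must send it: FIN=1, opcode=1,
    MASK bit set, payload XORed with a random 4-byte key picked by the browser."""
    if mask_key is None:
        mask_key = os.urandom(4)  # the script never chooses this value
    header = bytes([0x81])  # FIN + text opcode
    n = len(payload)
    if n < 126:
        header += bytes([0x80 | n])
    elif n < 65536:
        header += bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        header += bytes([0x80 | 127]) + struct.pack("!Q", n)
    return header + mask_key + mask_payload(payload, mask_key)


def parse_client_frame(frame):
    """Server side: a client frame with the MASK bit clear is a protocol error
    (RFC 6455, section 5.1) and fails the connection; otherwise unmask it."""
    if len(frame) < 2 or not frame[1] & 0x80:
        raise ValueError("short or unmasked client frame: fail the connection")
    n, offset = frame[1] & 0x7F, 2
    if n == 126:
        n, offset = struct.unpack("!H", frame[2:4])[0], 4
    elif n == 127:
        n, offset = struct.unpack("!Q", frame[2:10])[0], 10
    key, masked = frame[offset:offset + 4], frame[offset + 4:offset + 4 + n]
    if len(key) != 4 or len(masked) != n:
        raise ValueError("truncated frame")
    return mask_payload(masked, key)


def server_accepts(frame):
    """True if parse_client_frame accepts the frame, False if it rejects it."""
    try:
        parse_client_frame(frame)
        return True
    except ValueError:
        return False
```

With a constructed payload that looks like an HTTP request, the masked frame carries neither "GET " nor "HTTP" on the wire, while the same payload sent without the MASK bit is rejected outright.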