Re: [hybi] Draft 13 - a bit too historical about the masking debate
Alexey Melnikov <alexey.melnikov@isode.com> Thu, 08 September 2011 16:51 UTC
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F9B921F85AA for <hybi@ietfa.amsl.com>; Thu, 8 Sep 2011 09:51:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.503
X-Spam-Level:
X-Spam-Status: No, score=-102.503 tagged_above=-999 required=5 tests=[AWL=0.096, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k-INP+K7CJf1 for <hybi@ietfa.amsl.com>; Thu, 8 Sep 2011 09:51:25 -0700 (PDT)
Received: from rufus.isode.com (rufus.isode.com [62.3.217.251]) by ietfa.amsl.com (Postfix) with ESMTP id A13CC21F84B9 for <hybi@ietf.org>; Thu, 8 Sep 2011 09:51:24 -0700 (PDT)
Received: from [192.168.1.124] ((unknown) [62.3.217.253]) by rufus.isode.com (submission channel) via TCP with ESMTPA id <Tmjy9wAZ1L5G@rufus.isode.com>; Thu, 8 Sep 2011 17:53:16 +0100
X-SMTP-Protocol-Errors: NORDNS
Message-ID: <4E68F2F2.3070004@isode.com>
Date: Thu, 08 Sep 2011 17:53:06 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915
X-Accept-Language: en-us, en
To: Greg Wilkins <gregw@intalio.com>
References: <CAH_y2NE1qbADKXNLkixc5MEPyQ5-zwLNH55Y6n_gSQn5Mxgh4A@mail.gmail.com>
In-Reply-To: <CAH_y2NE1qbADKXNLkixc5MEPyQ5-zwLNH55Y6n_gSQn5Mxgh4A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: Hybi <hybi@ietf.org>
Subject: Re: [hybi] Draft 13 - a bit too historical about the masking debate
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Sep 2011 16:51:25 -0000
Greg Wilkins wrote: >Draft 13 contains a lot of text about the reasons for masking. That >must not have been easy to write and for the most part it reads well. >However I'm not sure we should go into so much detail about the >history of the disagreements and the process. Specifically I think >the following paragraph: > > To avoid such attacks on deployed intermediaries, the working group > decided to adopt a solution that would provably protect against such > attacks. There were many proposed solutions that people argued > "should" protect against the above attacks, such as adding in more > random data and null bytes to the handshake, starting each frame with > a byte that has the first (highest order) bit set such that the data > appears to be non-ASCII, and so forth, but in the end none of these > solutions were provably secure. The deployed intermediaries were > already not conforming to existing specifications, and given that we > can't possibly enumerate all of the ways in which such > nonconformities could exhibit themselves and that we cannot > exhaustively discover and test each nonconformant intermediary > against each possible attack, there was consensus to adopt an > approach that did not require people to reason about how > nonconformant intermediaries might behave. Namely, the working group > decided to mask all data from the client to the server, so that the > remote script (attacker) does not have control over how the data > being sent appears on the wire, and thus cannot construct a message > that could be mis- interpreted by an intermediary as an HTTP request. > > >could be changed to to something like > > To provably avoid such attacks on deployed intermediaries, it is not > sufficient to prefix application supplied data with framing that is not > compliant HTTP, as it is not possible to exhaustively discover and test > that each nonconformant intermediary does not skip such non HTTP > framing and act incorrectly on the frame payload. Thus the defence > adopted is to mask all data from the client to the server, so that the > remote script (attacker) does not have control over how the data being > sent appears on the wire, and thus cannot construct a message that > could be misinterpreted by an intermediary as an HTTP request. > As there seems to be some support for your text, it will appear in the next revision.
- [hybi] Draft 13 - a bit too historical about the … Greg Wilkins
- Re: [hybi] Draft 13 - a bit too historical about … Willy Tarreau
- Re: [hybi] Draft 13 - a bit too historical about … Alexey Melnikov