Re: [hybi] #1: HTTP Compliance
Willy Tarreau <w@1wt.eu> Sun, 15 August 2010 13:57 UTC
Return-Path: <w@1wt.eu>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E888E3A67AF for <hybi@core3.amsl.com>; Sun, 15 Aug 2010 06:57:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.206
X-Spam-Level:
X-Spam-Status: No, score=-2.206 tagged_above=-999 required=5 tests=[AWL=-1.652, BAYES_05=-1.11, HELO_IS_SMALL6=0.556]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iYT0yIdvFbQM for <hybi@core3.amsl.com>; Sun, 15 Aug 2010 06:57:52 -0700 (PDT)
Received: from 1wt.eu (1wt.eu [62.212.114.60]) by core3.amsl.com (Postfix) with ESMTP id 597BC3A677D for <hybi@ietf.org>; Sun, 15 Aug 2010 06:57:51 -0700 (PDT)
Received: (from willy@localhost) by mail.home.local (8.14.4/8.14.4/Submit) id o7FDwKTk028265; Sun, 15 Aug 2010 15:58:20 +0200
Date: Sun, 15 Aug 2010 15:58:20 +0200
From: Willy Tarreau <w@1wt.eu>
To: Shelby Moore <shelby@coolpage.com>
Message-ID: <20100815135820.GE27614@1wt.eu>
References: <f7d4bb98e444b85b9bf1af6d4d9f0772.squirrel@sm.webmail.pair.com> <20100815100717.GA27614@1wt.eu> <1c2251f66b8d01880b6943561c07d3cb.squirrel@sm.webmail.pair.com> <20100815122648.GC27614@1wt.eu> <91f61d138b8a8a80271688a0e10a685a.squirrel@sm.webmail.pair.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <91f61d138b8a8a80271688a0e10a685a.squirrel@sm.webmail.pair.com>
User-Agent: Mutt/1.4.2.3i
Cc: hybi@ietf.org
Subject: Re: [hybi] #1: HTTP Compliance
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Aug 2010 13:57:54 -0000
On Sun, Aug 15, 2010 at 09:06:56AM -0400, Shelby Moore wrote: > I felt compelled to add my (what I feel is a more convincing) point to the > mix, because the security argument against the extra 8 bytes appears to be > weaker, because HTTP request smuggling already exists. > > http://www.owasp.org/index.php/HTTP_Request_Smuggling It only exists when servers are not cautious enough with dangerous inputs (eg: conflicting content-lengths). And it is a problem when two implementations decide differently how to interprete the request because the spec makes it ambiguous or does not cover the case. That's been addressed in http-bis, and now that there is some guidance so that everyone tries to do the same thing, we should not try to bring the issue back with WebSocket ! > And since I understand > that variable interpretationsinterpretations/implementations is critical > to HTTP robustness, then I conclude that "security" at the *transparent* > proxy is an oxymoron. I don't agree. First we're not talking about "transparent proxies" but reverse-proxies, that act as the server when seen by the client. There are many of them around you without you ever noticing. That makes them "transparent". They're generally quite robust, and most often they bring the security themselves because their HTTP stack is well polished and strict enough to protect the servers from issues that could result from poor implementation in the application. > A *transparent* proxy should never be used for > mission critical functions, It's quite the opposite. The more mission critical, the more of them you find because they bring protocol validation, security, filtering, load balancing, surge protection, content switching, etc... basically things you don't need to show your photos to your family, but that are needed everywhere applications are setup to serve tens to hundreds of thousands of concurrent clients. In fact, the unreliable components are mainly those which work on string matching in packets. Those do not rely on proxies and don't have a very robust state machine. They can easily be fooled in many ways with hand crafted requests. Some of them will already not be able to process the protocol upgrade and will likely hang or reset the connection. > Thus I don't think the security argument against proposal 76 is as > convincing. Feel free to correct me, as I am only using deductive logic > of what I have read today, and am not speaking as an expert in the field. It's not the security argument against draft 76. It's that draft 76 is not HTTP compliant and breaks with HTTP-compliant reverse proxies. The only dirty hack that could be imagined to make those reverse-proxies support it would not be acceptable in those reverse proxies because it's incompatible with HTTP and it would break their security. > > What is important is that if we make the websocket handshake pass through > > HTTP components, it must comply with the protocol. HTTP is clear on that: > > the protocol has switched *only once* the 101 has been seen. So a reverse > > proxy must not pass those 8 bytes before seeing the 101. > > Otherwise we defacto change HTTP for every HTTP Upgrade protocal > extension. We know we are changing HTTP, because the implementing server > or proxy has to implement a new code path for our Upgrade protocal > extension. No, as explained above, we must not do that because it opens a new can of holes. HTTP requires too much interoperability, it must not to be cross-dressed for every protocol pretending to rely on it. > >> It would be an exponentially increasing cost problem of interoperability > >> if every Upgrade protocol requires a new code path in the proxies. > > > > And it would not make sense at all since this would not be HTTP anymore. > > Agreed. Ditto I wrote above. I think we agree, it's just that you seem to be dismissing the security impacts of changing the way the HTTP Upgrade mechanism works, and I'd like to ensure that the issues are clear. Regards, Willy
- [hybi] #1: HTTP Compliance hybi issue tracker
- Re: [hybi] #1: HTTP Compliance Greg Wilkins
- Re: [hybi] #1: HTTP Compliance Maciej Stachowiak
- Re: [hybi] #1: HTTP Compliance Ian Hickson
- Re: [hybi] #1: HTTP Compliance Vladimir Katardjiev
- Re: [hybi] #1: HTTP Compliance Greg Wilkins
- Re: [hybi] #1: HTTP Compliance Greg Wilkins
- Re: [hybi] #1: HTTP Compliance Maciej Stachowiak
- Re: [hybi] #1: HTTP Compliance Ian Hickson
- Re: [hybi] #1: HTTP Compliance Greg Wilkins
- Re: [hybi] #1: HTTP Compliance Julian Reschke
- Re: [hybi] #1: HTTP Compliance Greg Wilkins
- Re: [hybi] #1: HTTP Compliance Greg Wilkins
- Re: [hybi] #1: HTTP Compliance Salvatore Loreto
- Re: [hybi] #1: HTTP Compliance Dave Cridland
- Re: [hybi] #1: HTTP Compliance Scott Ferguson
- Re: [hybi] #1: HTTP Compliance Maciej Stachowiak
- Re: [hybi] #1: HTTP Compliance Maciej Stachowiak
- Re: [hybi] #1: HTTP Compliance Greg Wilkins
- Re: [hybi] #1: HTTP Compliance Daniel Stenberg
- Re: [hybi] #1: HTTP Compliance Jamie Lokier
- Re: [hybi] #1: HTTP Compliance Bjoern Hoehrmann
- Re: [hybi] #1: HTTP Compliance Bjoern Hoehrmann
- Re: [hybi] #1: HTTP Compliance Ian Hickson
- Re: [hybi] #1: HTTP Compliance Jamie Lokier
- Re: [hybi] #1: HTTP Compliance Ian Hickson
- Re: [hybi] #1: HTTP Compliance Greg Wilkins
- Re: [hybi] #1: HTTP Compliance Jamie Lokier
- Re: [hybi] #1: HTTP Compliance Jamie Lokier
- Re: [hybi] #1: HTTP Compliance Greg Wilkins
- Re: [hybi] #1: HTTP Compliance Pieter Hintjens
- Re: [hybi] #1: HTTP Compliance Roberto Peon
- Re: [hybi] #1: HTTP Compliance Ian Hickson
- Re: [hybi] #1: HTTP Compliance Greg Wilkins
- Re: [hybi] #1: HTTP Compliance Jamie Lokier
- Re: [hybi] #1: HTTP Compliance Jamie Lokier
- Re: [hybi] #1: HTTP Compliance Scott Ferguson
- Re: [hybi] #1: HTTP Compliance Roberto Peon
- Re: [hybi] #1: HTTP Compliance Ian Hickson
- Re: [hybi] #1: HTTP Compliance John Tamplin
- Re: [hybi] #1: HTTP Compliance John Tamplin
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Roberto Peon
- Re: [hybi] #1: HTTP Compliance John Tamplin
- Re: [hybi] #1: HTTP Compliance Roberto Peon
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Roberto Peon
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Ian Hickson
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Greg Wilkins
- Re: [hybi] #1: HTTP Compliance Jamie Lokier
- Re: [hybi] #1: HTTP Compliance Jamie Lokier
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Jamie Lokier
- Re: [hybi] #1: HTTP Compliance Jamie Lokier
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Greg Wilkins
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Ian Hickson
- Re: [hybi] #1: HTTP Compliance John Tamplin
- Re: [hybi] #1: HTTP Compliance Julian Reschke
- Re: [hybi] #1: HTTP Compliance Greg Wilkins
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Roberto Peon
- Re: [hybi] #1: HTTP Compliance Julian Reschke
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- [hybi] An input document (was: #1: HTTP Complianc… S Moonesamy
- Re: [hybi] #1: HTTP Compliance Shelby Moore
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance gustav trede
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Shelby Moore
- Re: [hybi] #1: HTTP Compliance gustav trede
- Re: [hybi] #1: HTTP Compliance Daniel Stenberg
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Shelby Moore
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Shelby Moore
- Re: [hybi] #1: HTTP Compliance Shelby Moore
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Shelby Moore
- Re: [hybi] #1: HTTP Compliance Adam Barth
- Re: [hybi] #1: HTTP Compliance L.Wood
- Re: [hybi] #1: HTTP Compliance Adam Barth
- Re: [hybi] #1: HTTP Compliance Julian Reschke
- [hybi] Objections (was: #1: HTTP Compliance) S Moonesamy
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Shelby Moore
- Re: [hybi] #1: HTTP Compliance Willy Tarreau
- Re: [hybi] #1: HTTP Compliance Shelby Moore
- Re: [hybi] #1: HTTP Compliance Greg Wilkins