Re: [quicwg/base-drafts] QPACK security considerations (#3575)

[Martin Thomson <notifications@github.com>]

@martinthomson approved this pull request.

This looks good.  But then I'm not impartial in this.

An informative reference to HPACK might be wise.  Otherwise people might get an unexplained sense of déjà vu.

> +
+The compression context used to encode header fields can be probed by an
+attacker who can both define header fields to be encoded and transmitted and
+observe the length of those fields once they are encoded. When an attacker can
+do both, they can adaptively modify requests in order to confirm guesses about
+the dynamic table state. If a guess is compressed into a shorter length, the
+attacker can observe the encoded length and infer that the guess was correct.
+
+This is possible even over the Transport Layer Security Protocol (TLS, see
+{{?RFC5246}}), because while TLS provides confidentiality protection for
+content, it only provides a limited amount of protection for the length of that
+content.
+
+Note:
+
+Padding schemes only provide limited protection against an attacker with these

```suggestion
: Padding schemes only provide limited protection against an attacker with these
```

> +
+Users of HTTP that require confidentiality for header fields can use values with
+entropy sufficient to make guessing infeasible. However, this is impractical as
+a general solution because it forces all users of HTTP to take steps to mitigate
+attacks. It would impose new constraints on how HTTP is used.
+
+Rather than impose constraints on users of HTTP, an implementation of QPACK can
+instead constrain how compression is applied in order to limit the potential for
+dynamic table probing.
+
+An ideal solution segregates access to the dynamic table based on the entity
+that is constructing header fields. Header field values that are added to the
+table are attributed to an entity, and only the entity that created a particular
+value can extract that value.
+
+To improve compression performance of tqhis option, certain entries might be tagged as being public. For example, a web browser might make the values of the Accept-Encoding header field available in all requests.

```suggestion
To improve compression performance of this option, certain entries might be
tagged as being public. For example, a web browser might make the values of the
Accept-Encoding header field available in all requests.
```

> +An ideal solution segregates access to the dynamic table based on the entity
+that is constructing header fields. Header field values that are added to the
+table are attributed to an entity, and only the entity that created a particular
+value can extract that value.
+
+To improve compression performance of tqhis option, certain entries might be tagged as being public. For example, a web browser might make the values of the Accept-Encoding header field available in all requests.
+
+An encoder without good knowledge of the provenance of header fields might
+instead introduce a penalty for a header field with many different values, such
+that a large number of attempts to guess a header field value results in the
+header field no more being compared to the dynamic table entries in future
+messages, effectively preventing further guesses.
+
+Note:
+
+Simply removing entries corresponding to the header field from the dynamic table

```suggestion
: Simply removing entries corresponding to the header field from the dynamic table
```

> +that a large number of attempts to guess a header field value results in the
+header field no more being compared to the dynamic table entries in future
+messages, effectively preventing further guesses.

```suggestion
that a large number of attempts to guess a header field value results in the
header field not being compared to the dynamic table entries in future
messages, effectively preventing further guesses.
```

I had a little trouble with "no more".

> +field value. Marking a header field as not using the dynamic table any more
+might occur for shorter values more quickly or with higher probability than for
+longer values.

```suggestion
field value. Disabling access to the dynamic table for a header field might
occur for shorter values more quickly or with higher probability than for longer
values.
```

> +values with low entropy.
+
+An encoder might also choose not to index values for header fields that are
+considered to be highly valuable or sensitive to recovery, such as the Cookie or
+Authorization header fields.
+
+On the contrary, an encoder might prefer indexing values for header fields that
+have little or no value if they were exposed. For instance, a User-Agent header
+field does not commonly vary between requests and is sent to any server. In that
+case, confirmation that a particular User-Agent value has been used provides
+little value.
+
+Note that these criteria for deciding to use a never indexed literal
+representation will evolve over time as new attacks are discovered.
+
+##. Static Huffman Encoding

```suggestion
## Static Huffman Encoding
```

> +On the contrary, an encoder might prefer indexing values for header fields that
+have little or no value if they were exposed. For instance, a User-Agent header
+field does not commonly vary between requests and is sent to any server. In that
+case, confirmation that a particular User-Agent value has been used provides
+little value.
+
+Note that these criteria for deciding to use a never indexed literal
+representation will evolve over time as new attacks are discovered.
+
+##. Static Huffman Encoding
+
+There is no currently known attack against a static Huffman encoding. A study
+has shown that using a static Huffman encoding table created an information
+leakage, however this same study concluded that an attacker could not take
+advantage of this information leakage to recover any meaningful amount of
+information (see [PETAL]).

Want to point out that QPACK uses the same Huffman table as HPACK?

> +designed to limit both the peak and state amounts of memory allocated by an
+endpoint.

```suggestion
designed to limit both the peak and stable amounts of memory allocated by an
endpoint.
```

> +has shown that using a static Huffman encoding table created an information
+leakage, however this same study concluded that an attacker could not take
+advantage of this information leakage to recover any meaningful amount of
+information (see [PETAL]).
+
+## Memory Consumption
+
+An attacker can try to cause an endpoint to exhaust its memory. QPACK is
+designed to limit both the peak and state amounts of memory allocated by an
+endpoint.
+
+The amount of memory used by the compressor is limited by the protocol using
+QPACK through the definition of the maximum size of the dynamic table, and the
+maximum number of blocking streams. In HTTP/3, these values are controlled by
+the decoder through the setting parameter QPACK_MAX_TABLE_CAPACITY and
+QPACK_BLOCKED_STREAMS, respectively (see Section

```suggestion
QPACK_BLOCKED_STREAMS, respectively (see
```

> +maximum number of blocking streams. In HTTP/3, these values are controlled by
+the decoder through the setting parameter QPACK_MAX_TABLE_CAPACITY and
+QPACK_BLOCKED_STREAMS, respectively (see Section
+{{maximum-dynamic-table-capacity}} and {{blocked-streams}}). The limit on the
+size of the dynamic table takes into account both the size of the data stored in
+the dynamic table, plus a small allowance for overhead.  The limit on the number
+of blocked streams is only a proxy for the maximum amount of memory required by
+the decoder.  The actual maximum amount of memory will depend on how much memory
+the decoder uses to track each blocked stream.
+
+A decoder can limit the amount of state memory used for the dynamic table by
+setting an appropriate value for the maximum size of the dynamic table. In
+HTTP/3, this is realized by setting an appropriate value for the
+QPACK_MAX_TABLE_CAPACITY parameter. An encoder can limit the amount of state
+memory it uses by signaling lower dynamic table size than the decoder allows
+(see {{eviction}}).  A decoder can limit the amount of state memory used for

```suggestion
(see {{eviction}}).

A decoder can limit the amount of state memory used for
```

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/pull/3575#pullrequestreview-392536154