Re: [quicwg/base-drafts] Document request forgery (#3996)
Mike Bishop <notifications@github.com> Wed, 19 August 2020 13:54 UTC
Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7E103A0A6C for <quic-issues@ietfa.amsl.com>; Wed, 19 Aug 2020 06:54:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.697
X-Spam-Level:
X-Spam-Status: No, score=-1.697 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_ONLY_28=1.404, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pVbfbzX74cI5 for <quic-issues@ietfa.amsl.com>; Wed, 19 Aug 2020 06:54:13 -0700 (PDT)
Received: from out-20.smtp.github.com (out-20.smtp.github.com [192.30.252.203]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34BE73A0A3A for <quic-issues@ietf.org>; Wed, 19 Aug 2020 06:54:13 -0700 (PDT)
Received: from github-lowworker-d93c4b6.va3-iad.github.net (github-lowworker-d93c4b6.va3-iad.github.net [10.48.17.47]) by smtp.github.com (Postfix) with ESMTP id 741C2E08CC for <quic-issues@ietf.org>; Wed, 19 Aug 2020 06:54:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1597845252; bh=USvPjc1sqh8mMFi0iRIxWJbN8dOC2zrA/XURQVK7BEg=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=A4dxuAZGgeLhOMpvgA/AhWtO4iItlt0ty2lK/nEVz6ru3eGv3wsS8tI8c6ruQ6ngx fEIJfUma4rOYlmG0Pi6cULOOgheupTKpSS6txjEd6DXlMuuTr8k9seGDG3Pnw5TWmZ VIx2ib9VyYHLNEiNcCByDJrVYbr4ORUOzu8/yqSs=
Date: Wed, 19 Aug 2020 06:54:12 -0700
From: Mike Bishop <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK4K7VOCVJ45FUX3P5F5JEIAJEVBNHHCQ3GPNU@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/pull/3996/review/470480408@github.com>
In-Reply-To: <quicwg/base-drafts/pull/3996@github.com>
References: <quicwg/base-drafts/pull/3996@github.com>
Subject: Re: [quicwg/base-drafts] Document request forgery (#3996)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5f3d2f0464084_1ae4196436067"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: MikeBishop
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/d1iBi_4_-YsNVaHC5QJFSANO9QM>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Aug 2020 13:54:15 -0000
@MikeBishop commented on this pull request. > +the data sent by QUIC endpoints is protected, this includes control over +ciphertext. An attack is successful if an attacker can cause a peer to send a @janaiyengar, I agree with you that full control seems a little far-fetched, but depending on the protocol and the scenario, partial control seems really plausible. At the most basic, consider an echo service over QUIC; you have complete control over the contents of the STREAM frames the peer sends, and if you know the peer's implementation, the packet formation is likely predictable as well unless they deliberately randomize it. Couple that with victims who will skip junk bytes.... I think Martin's correct that, while no attacker will actually have 100% control over the ciphertext, which parts they do control will be difficult to guarantee. So we have to evaluate the attack as if they have control over all of it. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/quicwg/base-drafts/pull/3996#discussion_r473046972
- [quicwg/base-drafts] Document request forgery (#3… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Kazuho Oku
- Re: [quicwg/base-drafts] Document request forgery… Christian Huitema
- Re: [quicwg/base-drafts] Document request forgery… Lucas Pardue
- Re: [quicwg/base-drafts] Document request forgery… Christian Huitema
- Re: [quicwg/base-drafts] Document request forgery… Christian Huitema
- Re: [quicwg/base-drafts] Document request forgery… Lucas Pardue
- Re: [quicwg/base-drafts] Document request forgery… Mike Bishop
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Igor Lubashev
- Re: [quicwg/base-drafts] Document request forgery… Igor Lubashev
- Re: [quicwg/base-drafts] Document request forgery… Mike Bishop
- Re: [quicwg/base-drafts] Document request forgery… Jana Iyengar
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Mike Bishop
- Re: [quicwg/base-drafts] Document request forgery… Mike Bishop
- Re: [quicwg/base-drafts] Document request forgery… Jana Iyengar
- Re: [quicwg/base-drafts] Document request forgery… Jana Iyengar
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Jana Iyengar
- Re: [quicwg/base-drafts] Document request forgery… Kazuho Oku
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Kazuho Oku
- Re: [quicwg/base-drafts] Document request forgery… ekr
- Re: [quicwg/base-drafts] Document request forgery… ekr
- Re: [quicwg/base-drafts] Document request forgery… David Schinazi
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… David Schinazi
- Re: [quicwg/base-drafts] Document request forgery… David Schinazi
- Re: [quicwg/base-drafts] Document request forgery… David Schinazi
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Martin Thomson
- Re: [quicwg/base-drafts] Document request forgery… Mike Bishop
- Re: [quicwg/base-drafts] Document request forgery… David Schinazi
- Re: [quicwg/base-drafts] Document request forgery… Jana Iyengar
- Re: [quicwg/base-drafts] Document request forgery… ianswett
- Re: [quicwg/base-drafts] Document request forgery… Jana Iyengar