Re: [quicwg/base-drafts] Request forgery attacks (#3995)

Kazuho Oku <notifications@github.com> Fri, 14 August 2020 02:58 UTC

I tend to agree with what @martinthomson says.

Among those two alternatives, masking (or re-encoding) might be a better solution. But as I stated on the mailing list, that does not need to happen now. We can wait and see if that's necessary, and if it turns out to be, define an extension for that purpose.
