Re: [quicwg/base-drafts] Document request forgery (#3996)

Martin Thomson <> Tue, 01 September 2020 07:54 UTC


@martinthomson commented on this pull request.

> +what packets the peer sends and where these packets are sent. If an attacker
+can target a vulnerable service with a controlled payload, that service might
+perform actions that are attributed to the attacker's peer, but decided by the
+For example, cross-site request forgery {{?CSRF=DOI.10.1145/1455770.1455782}}
+exploits on the Web cause a client to issue requests that include authorization
+cookies {{?COOKIE=RFC6265}}, allowing one site access to information and
+actions that are intended to be restricted to a different site.
+As QUIC runs over UDP, the primary attack modality of concern is one where an
+attacker can select the address to which its peer sends UDP datagrams and can
+control some of the unprotected content of those packets. As much of the data
+sent by QUIC endpoints is protected, this includes control over ciphertext. An
+attack is successful if an attacker can cause a peer to send a UDP datagram to
+a host that will perform some action based on content in the datagram.
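
Review bot: In the paragraph starting "As QUIC runs over UDP", the attacker is first limited to "some of the unprotected content of those packets", and the next sentence says "this includes control over ciphertext". The two statements pull against each other, because a reader will normally take ciphertext to be protected content. Suggest naming the antecedent of "this" and stating what "unprotected" means here, so it is clear whether the attacker is assumed to choose bytes that appear in the datagram as sent or only the plaintext that is later encrypted. The success condition in the last sentence could also tie back to the "vulnerable service" wording in the opening sentence, so the text says which property of the receiving host makes the attack work.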

The only place this adds a round trip is for a migration to a preferred address, but that only delays migration; it doesn't prevent the connection from being used.
