IETF Logo Mail Archive

Re: [secdir] Review of draft-reschke-rfc2231-in-http-10.txt

Tero Kivinen <kivinen@iki.fi> Mon, 01 March 2010 12:53 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3E78728C2EB; Mon, 1 Mar 2010 04:53:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wsNVY3tVNqEh; Mon, 1 Mar 2010 04:53:06 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by core3.amsl.com (Postfix) with ESMTP id F226928C2EC; Mon, 1 Mar 2010 04:53:05 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.14.3) with ESMTP id o21Cqwuq023516 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 1 Mar 2010 14:52:58 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id o21CqutG004784; Mon, 1 Mar 2010 14:52:56 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <19339.47272.515270.37133@fireball.kivinen.iki.fi>
Date: Mon, 01 Mar 2010 14:52:56 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Julian Reschke <julian.reschke@greenbytes.de>
In-Reply-To: <4B87D118.1090408@greenbytes.de>
References: <19335.45416.521059.570426@fireball.kivinen.iki.fi> <4B87D118.1090408@greenbytes.de>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 10 min
X-Total-Time: 9 min
Cc: httpbis-chairs@tools.ietf.org, Graham Klyne <GK@ninebynine.org>, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Review of draft-reschke-rfc2231-in-http-10.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Mar 2010 12:53:10 -0000

Julian Reschke writes:
> -- snip --
> 5.  Security Considerations
> 
>     The format described in this document makes it possible to transport
>     non-ASCII characters, and thus enables character "spoofing"
>     scenarios, in which a displayed value appears to be something other
>     than it is.
> 
>     Furthermore, there are known attack scenarios relating to decoding
>     UTF-8.
> 
>     See Section 10 of [RFC3629] for more information on both topics.
> -- snip --

I think that text adequately covers non-ASCII characters issues. 

> > I agree on this comment, and the security consideration section should
> > include text about the ability to character spoofing. Also as the
> > parameters can include different texts for different languages that
> > also offers another form of spoofing, for example the example the
> > title parameter used in the headers could include different titles for
> > different languages which could affect the way the user interprets it.
> >
> > As this document does not define any specific parameters, the actual
> > documents defining parameters using this format specified here should
> > include text about whether those spoofing attacks are possible and/or
> > meaningful. Having some generic text in this document explaining the
> > possible attacks, would make sure those documents include the text
> > needed.
> 
> I'm a bit reluctant to add more than I already have. After all, this 
> applies to *any* IETF spec that has proper I18N, so, in theory, 
> *everything* the IETF does that allows natural language text.

Yes, but the impact of them is different. For example it does not
really matter if the filename parameters having different languages
differ, but there might be parameters where this really matters.

As this document does not define any exact parameters, it might be
enough to comment something like that "This document specifies way to
transport multiple language variants for parameters, and such use
might allow spoofing attacks, where different language versions of the
same parameters do not match. Whether this attack is useful as an
attack depends on the parameter specified."

This way the one writing documents specifying parameters allowing
multiple languages and specifying some kind processing on them will
think whether this attack affects them or not.

> It would be really great if we had a document that summarized common 
> security considerations, so that "higher-level" specs could just point 
> to individual parts of these.

Such document would probably be so long that it would not be that
useful. I think listing exact security considerations specific for
this document in the security considerations section is better,
altough for background information pointing to another document (like
RFC 3629) is enough.

> For the spoofing issue I'm now pointing to RFC 3629 -- do you feel we 
> need more?

I am not really sure for what kind of parameters the different
language versions are used, so I cannot really comment whether there
can be security issues because of them.

If you are sure there cannot be any security issues because of them,
then you should say so. If you do do not know, then it is better to
mention here to make those who use them to think about the security
issues they might raise. 
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email