Re: [websec] WG Last Call on draft-ietf-websec-strict-transport-sec-06 until April-9
Marsh Ray <marsh@extendedsubset.com> Mon, 19 March 2012 17:05 UTC
Message-ID: <4F676740.2040509@extendedsubset.com>
Date: Mon, 19 Mar 2012 12:05:04 -0500
From: Marsh Ray <marsh@extendedsubset.com>
To: Julian Reschke <julian.reschke@gmx.de>
References: <4F66623F.9000300@gondrom.org> <4F66FDF1.9090306@gmx.de>
In-Reply-To: <4F66FDF1.9090306@gmx.de>
Cc: websec@ietf.org
On 03/19/2012 04:35 AM, Julian Reschke wrote:
> I'd like to point out that I still think my concerns over the
> inconsistent use of quoted-string
> (<http://www.ietf.org/mail-archive/web/websec/current/msg01044.html>)
> are valid and not addressed; and I think they should be before you go to
> IETF LC.

As a developer at a company which makes a product that makes security decisions based on parsing HTTP headers, I find Julian's concerns, well, concerning.

While we don't currently operate on this specific header, ambiguities in how an application server will interpret minor variations on header values often become opportunities for an attacker to bypass security measures. For example, a "web application firewall" (WAF) may be configured to forbid certain values of a customer-specified header. When new headers don't follow consistent syntactic rules, it takes away a bit of the developer's ability to simplify things for his customer.

Again, I'm not claiming to be an expert on this particular header and clearly it's a difficult issue with arguments for doing it both ways. But I would ask that everyone try their best to find the least-bad alternative with an emphasis on consistency with the rest of HTTP.

- Marsh
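To make the parsing-ambiguity point concrete, here is an added example (my own code, not from the thread or the draft): a grammar-based STS parser that treats a token value and its quoted-string form identically (the directive-value = token | quoted-string grammar that the published RFC 6797 uses), beside a naive split-on-delimiters reading of the kind a quick header filter might implement, plus a check that flags any value on which the two disagree. The function names and the "ignore the whole header on malformed input or repeated directive" policy are my assumptions.

```python
import re

# RFC 7230-style token and quoted-string (backslash quoted-pairs allowed).
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\]|\\.)*"'
# One directive (possibly empty) ended by ';' or end of value; \Z rather
# than $ so a trailing newline cannot yield a zero-width match and loop.
DIRECTIVE = re.compile(rf"\s*(?:({TOKEN})(?:\s*=\s*({TOKEN}|{QUOTED}))?)?\s*(?:;|\Z)")


def unquote(value):
    """Strip surrounding quotes and resolve quoted-pairs; tokens pass through."""
    if value.startswith('"'):
        return re.sub(r"\\(.)", r"\1", value[1:-1])
    return value


def parse_sts(header):
    """Parse an STS field value into {lowercased-name: value}. A token value
    and its quoted-string form give the same result. Returns None (header
    should be ignored) on malformed input, a repeated directive, or a
    max-age that is not delta-seconds (assumed policy)."""
    directives, pos = {}, 0
    while pos < len(header):
        m = DIRECTIVE.match(header, pos)
        if m is None:
            return None
        if m.group(1) is not None:
            name = m.group(1).lower()
            if name in directives:
                return None
            directives[name] = None if m.group(2) is None else unquote(m.group(2))
        pos = m.end()
    if not re.fullmatch(r"[0-9]+", directives.get("max-age") or ""):
        return None
    return directives


def naive_max_age(header):
    """Literal split on ';' and '=' with no unquoting, so max-age="0"
    is read as the three characters '"0"' rather than the number 0."""
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name.strip().lower() == "max-age":
            return value.strip()
    return None


def parsers_disagree(header):
    """True when the two readings differ: the condition a header-inspecting
    filter should flag instead of silently trusting either interpretation."""
    strict = parse_sts(header)
    strict_age = None if strict is None else strict["max-age"]
    return strict_age != naive_max_age(header)
```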