IETF Logo Mail Archive

Re: [websec] mimesniff feedback, part 2

Adam Barth <ietf@adambarth.com> Sun, 08 January 2012 20:46 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8413D21F8505 for <websec@ietfa.amsl.com>; Sun, 8 Jan 2012 12:46:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[AWL=-1.228, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, FRT_ADOBE2=2.455, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E4Lt2bSWR7Ow for <websec@ietfa.amsl.com>; Sun, 8 Jan 2012 12:46:23 -0800 (PST)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id 9B4A621F851C for <websec@ietf.org>; Sun, 8 Jan 2012 12:46:23 -0800 (PST)
Received: by iabz21 with SMTP id z21so6281119iab.31 for <websec@ietf.org>; Sun, 08 Jan 2012 12:46:23 -0800 (PST)
Received: by 10.43.53.1 with SMTP id vo1mr16407389icb.2.1326055583289; Sun, 08 Jan 2012 12:46:23 -0800 (PST)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by mx.google.com with ESMTPS id he16sm33201483ibb.9.2012.01.08.12.46.22 (version=SSLv3 cipher=OTHER); Sun, 08 Jan 2012 12:46:22 -0800 (PST)
Received: by iabz21 with SMTP id z21so6281100iab.31 for <websec@ietf.org>; Sun, 08 Jan 2012 12:46:22 -0800 (PST)
Received: by 10.50.170.73 with SMTP id ak9mr6895180igc.17.1326055582082; Sun, 08 Jan 2012 12:46:22 -0800 (PST)
MIME-Version: 1.0
Received: by 10.231.62.139 with HTTP; Sun, 8 Jan 2012 12:45:51 -0800 (PST)
In-Reply-To: <C68CB012D9182D408CED7B884F441D4D06123B4E44@nambxv01a.corp.adobe.com>
References: <op.v5icng1csr6mfa@kirk> <CAJE5ia81jBN1hmpUG-0fupHd=XfcWwxJZKN1sbZ2PkuSZmvOcA@mail.gmail.com> <4ED0E230.3010507@gmx.de> <CAJE5ia9Eh76vyiithc5VOrb1hRufC=hH604qrB5Nsiz=DsGgNw@mail.gmail.com> <C68CB012D9182D408CED7B884F441D4D0612042673@nambxv01a.corp.adobe.com> <4F068031.3080906@gondrom.org> <C68CB012D9182D408CED7B884F441D4D06123B4CA4@nambxv01a.corp.adobe.com> <CAJE5ia-Ay6KGrG51BneeQN-3usA+DY-hUw-hfEjhvoBnArvLWg@mail.gmail.com> <C68CB012D9182D408CED7B884F441D4D06123B4E44@nambxv01a.corp.adobe.com>
From: Adam Barth <ietf@adambarth.com>
Date: Sun, 08 Jan 2012 12:45:51 -0800
Message-ID: <CAJE5ia-_cF=zNjChxh8Hxnx6L37UOODp0Z-AStvO54v56xSh=w@mail.gmail.com>
To: Larry Masinter <masinter@adobe.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: "IETF WebSec WG (websec@ietf.org)" <websec@ietf.org>
Subject: Re: [websec] mimesniff feedback, part 2
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Jan 2012 20:46:24 -0000

On Sun, Jan 8, 2012 at 7:49 AM, Larry Masinter <masinter@adobe.com> wrote:
> I've started on editing the sniffing document in earnest.
>
> Foolishly, I started going through it from the beginning.  Here's a take at the Abstract to make the scope clearer:
>
>      <t>HTTP provides a way of labeling content with its
>      Content-Type, an indication of the file format / language by
>      which the content is to be interpreted.  Unfortunately, many web
>      servers, as deployed, supply incorrect Content-Type header
>      fields with their HTTP responses.  In order to be compatible
>      with these servers, web clients would consider the content of
>      HTTP responses as well as the Content-Type header fields when
>      determining how the content was interpreted (the "effective
>      media type").  Looking at content to determine its type (aka
>      "sniffing") is also used when no Content-Type header is
>      supplied.  Overly ambitious sniffing has resulted in a number of
>      security issues in the past.  This document specifies methods
>      and options for computing an effective media type, in a way that
>      addresses both security and compatibility considerations.
>      It also discusses the use of sniffing in contexts other than
>      delivery of content via HTTP.
>      </t>
>
> I wanted to address the scope by making it clear that the scope of the document included sniffing outside of content delivered via HTTP.
>
> *** Shouldn't sniffed content have a different origin than the content as labeled?  The only "privilege upgrade" that I've come across seem to be cross-origin ones.

Nope.  Browsers would not be able to implement that because it would
break too many web sites.

> *** Is sniffing used by servers when clients use file-upload? Doe web servers do sniffing on content to decide what media type to label the content with? Or is sniffing really only scoped  to apply to web browsers?

That seems out of scope for this document.  This is a document for user agents.

>    <section anchor="intro" title="Introduction">
>
>      <t>HTTP provides a way of labeling content with its
>      Content-Type, as an indication of the file format / language by
>      which the content is to be interpreted.  Unfortunately, many web
>      servers, as deployed, supply incorrect Content-Type header
>      fields with their HTTP responses.  In order to be compatible
>      with these servers, web clients would consider the content of
>      HTTP responses as well as the Content-Type header fields when
>      determining how the content was interpreted (the "effective
>      media type").  Looking at content to determine its type (aka
>      "sniffing") is also used when no Content-Type header is
>      supplied.</t>
>
> I tried to introduce "effective media type" as it was used before defined.
>
> Where is the term "privilege escalation", as used in this document, defined?
>
> http://en.wikipedia.org/wiki/Privilege_escalation
>
> defines the term in general, and then at the end mentions a couple of examples under
>
> ===============begin Wikipedia quote ===========================
> "Examples of horizontal privilege escalation"
>
> This problem often occurs in web applications. Consider the following example:
> User A has access to his/her bank account in an Internet Banking application.
> User B has access to his/her bank account in the same Internet Banking application.
> The vulnerability occurs when User A is able to access User B's bank account by performing some sort of malicious activity.
> This malicious activity may be possible due to common web application weaknesses or vulnerabilities.
> Potential web application vulnerabilities or situations that may lead to this condition include:
> * Predictable session ID's in the user's HTTP cookie
> * Session fixation
> * Cross-site Scripting
> * Easily guessable passwords
> * Theft or hijacking of session cookies
> * Keystroke logging
> ===============end Wikipedia quote ==========================
>
> But there are no mentions there of sniffing is a source of privilege escalation.

Sure, but just because the wikipedia article for privilege escalation
doesn't call out sniffing an example doesn't mean that it isn't an
example.

>  Surely since this is the main use case the specification is intended to mitigate, shouldn't it be described somewhere?

It's just a general term of art.  If you like, we can add a reference
to Section 3.3 of RFC 6454.

> The examples given in passing in the document seem to be XSS attacks (which would be mitigated merely by giving sniffed content a different unique origin, wouldn't it?)

Not in all case, but that's not going to happen, so it's somewhat irrelevant.

> The  abstract implies there might be other attacks too...  are there? what are they?

There are other attacks, but XSS is the most important one.  I'd
rather the reader focused on XSS because that's easiest to understand.

Adam

v2.23.0 | Report a Bug | By Email