Re: CERT VU#435052 - intercepting proxy vulnerability

From: Roy T. Fielding <fielding@gbiv.com>
Date: Mon, 23 Feb 2009 17:53:15 -0800
Message-Id: <FA2F0FBA-29BE-40F1-8949-2FBA2CC6428B@gbiv.com>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
To: Mark Nottingham <mnot@yahoo-inc.com>

On Feb 23, 2009, at 3:42 PM, Mark Nottingham wrote:

> See:
>   http://www.kb.cert.org/vuls/id/435052
>
> From an HTTP perspective, there are a number of potential reactions;
>
> 1) intercepting proxies are bad; we told you so!
>
> 2) we should accommodate intercepting proxies in HTTPbis, because  
> they're a reality.
>
> 2a) we should note this type of attack in Security Considerations,  
> and more strongly recommend that clients send an absolute URI on  
> the request-line, even when not using a configured proxy.
>
> Just food for thought...

3) This report blames intercepting proxies for reading and acting
upon the HTTP stream instead of blaming browsers for sending an
HTTP message that contradicts its routing via TCP/IP.  I would think
that the fix is to plug the apparent (unconfirmed) security hole in
the browsers that allows plug-ins to set the value of Host independent
of the requested URI.  What's up with that?

Expecting an intercepting proxy to have access to the TCP/IP
information (as believed by the client) and be able to compare it
to the DNS records of the Host (as believed by the proxy) doesn't
seem likely to work given what we know about DNS.

Fixing the browser bug, OTOH, would work.

....Roy
Received on Tuesday, 24 February 2009 01:53:49 GMT
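
The comparison discussed in the message above (the TCP/IP destination the client chose against the proxy's DNS view of the Host), sketched as an added example that is not part of the original message. The function names, addresses and DNS table are constructed assumptions; the check returns the same verdict for a Host that contradicts its routing and for an honest client whose resolver returned a different record than the proxy's.

```python
from ipaddress import ip_address

def parse_host(raw: bytes):
    """Host header value without port, or None if absent or duplicated."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    hosts = [v.strip().lower() for n, sep, v in
             (line.partition(":") for line in head.split("\r\n")[1:])
             if sep and n.strip().lower() == "host"]
    if len(hosts) != 1 or not hosts[0]:
        return None
    host = hosts[0]
    if host.startswith("["):                      # IPv6 literal, e.g. [2001:db8::1]:80
        return host[1:host.index("]")] if "]" in host else None
    return host.rsplit(":", 1)[0] if ":" in host else host

def classify(raw: bytes, orig_dst: str, proxy_dns: dict) -> str:
    """Compare the connection's original destination with the proxy's view of Host."""
    host = parse_host(raw)
    if host is None:
        return "no-usable-host"
    try:
        candidates = {ip_address(host)}           # Host given as an address literal
    except ValueError:
        candidates = {ip_address(a) for a in proxy_dns.get(host, ())}
    if not candidates:
        return "unresolvable"
    return "consistent" if ip_address(orig_dst) in candidates else "mismatch"

# Constructed sample data (documentation address ranges, reserved example names).
PROXY_DNS = {"www.example.com": {"192.0.2.10"},
             "cdn.example.net": {"198.51.100.8", "198.51.100.9"}}

def request(host: str) -> bytes:
    return f"GET / HTTP/1.1\r\nHost: {host}\r\n\r\n".encode("latin-1")

def demo():
    return [
        # Client and proxy agree on the address for Host.
        classify(request("www.example.com"), "192.0.2.10", PROXY_DNS),
        # Host names one site while the connection was opened to another address.
        classify(request("www.example.com"), "203.0.113.66", PROXY_DNS),
        # Honest client whose resolver returned a record the proxy never saw.
        classify(request("cdn.example.net:80"), "198.51.100.7", PROXY_DNS),
    ]

if __name__ == "__main__":
    print(demo())
```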
