W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2012

Re: Content security model

From: Phillip Hallam-Baker <hallam@gmail.com>
Date: Wed, 25 Jul 2012 20:13:36 -0400
Message-ID: <CAMm+LwjRdcndFF0-t5PGWoKbTsfd9-Lnsn0RB=cStsLdQiLZWA@mail.gmail.com>
To: James French <jfrench@denirostaff.com>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
As I said, if the content type matters then it really needs to be
considered a part of the content rather than something that
intermediaries have a right to meddle with.

Similarly, if A passes a message to B which 'modifies it' and then
passes 'the message' to C, well, it isn't there are two completely
separate messages from a security point of view, one between A-B and a
second completely different set of content between B-C.

The only way that a message can flow through B with 'modification' in
a meaningful sense is if the message is a composite message and the
parts that have been modified are separated from the parts that remain
constant. So for example, I submit a purchase order to the local
enterprise service which appends a second message with a promise of
payment. The vendor receives two separate signed blobs, one for the
bill of goods, another for the payment promise.



On Wed, Jul 25, 2012 at 6:41 PM, James French <jfrench@denirostaff.com> wrote:
> It occurs to me that a man-in-the-middle could change a Content-Type
> header to trick a web service into a delivering scripted data.
>
> 1.) MITM uploads script.jpg to https2://legit-host/script.jpg
> 2.) Client requests /script.jpg from legit-host
> 3.) legit-host signs and delivers script.jpg with a Content-Type of: image/jpg
> 4.) MITM changes Content-Type header from image/jpg to text/html
> 5.) Client runs script.jpg with the permissions level of a script
> running on legit-host
>
> It's unlikely that this scenario would come up in practice, but it
> does exist as a hypothetical vector.
>
> On Wed, Jul 25, 2012 at 9:59 AM, Phillip Hallam-Baker <hallam@gmail.com> wrote:
>>
>>
>> 3) HTTP security controls should only secure content. Signing headers
>> is not only difficult, it is often counterproductive. If a Web service
>> depends on information in a header there is probably something wrong
>>



-- 
Website: http://hallambaker.com/
Received on Thursday, 26 July 2012 00:14:03 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 July 2012 00:14:09 GMT