Re: HTTP/2: Another reason to find a safer encoding

From: James M Snell <jasnell@gmail.com>
Date: Tue, 31 Jul 2012 14:56:01 -0700
Message-ID: <CABP7RbeUeFo00+J7dknuqV0sgS=6Nh-BnUjuyRenAvg1wb+EEw@mail.gmail.com>
To: Willy Tarreau <w@1wt.eu>
Cc: ietf-http-wg@w3.org
Definitely a fascinating read and I can certainly relate to many of the
issues discussed. Reliable parsing within existing HTTP headers and the
request URI can be a significant source of pain. Encoding issues and
inconsistency between header definitions just make matters that much
worse. Unfortunately, despite the significant security concern that such
issues represent (issues that I would argue are as significant, or in some
cases more significant, than the question of mandatory TLS support) it would
be next to impossible to fix (or at least improve upon) these various
issues without making significant modifications to existing HTTP/1.1
semantics. I'd very much like to see such changes made within 2.0, but I'm
afraid that I may be in the minority.

- James

On Tue, Jul 31, 2012 at 10:36 AM, Willy Tarreau <w@1wt.eu> wrote:

> Hi,
>
> Ivan Ristic recently presented a wide collection of methods to bypass
> web application firewalls using implementation differences in HTTP
> stacks:
>
> https://community.qualys.com/blogs/securitylabs/2012/07/25/protocol-level-evasion-of-web-application-firewalls
>
> While some of them have already been discussed to great extents, including
> here, I think it's worth a read and reminds us that we really need to
> address the ambiguities of request encoding if we want to make the web
> safer.
>
> Regards,
> Willy
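The thread's point is that two HTTP stacks can decode the same raw request-target differently, and a security filter that guesses one way while the origin server guesses the other is blind. The following Python is an added illustration, not code from this thread, from the Qualys post or from any HTTP implementation: a strict path decoder that rejects ambiguous percent-encoding outright, beside a lenient decoder (Python's own urllib.parse.unquote) that stands in for the forgiving behaviour common in real stacks. The policy of refusing encoded '%', '/' and NUL, and every sample path, are choices made for this example.

```python
"""
Added example: a strict request-target decoder that refuses ambiguous
percent-encoding, compared against a lenient decoder.  All sample paths
below are constructed for this illustration.
"""
import re
from urllib.parse import unquote

HEX2 = re.compile(r"[0-9A-Fa-f]{2}")

# Bytes that this example's policy never accepts in percent-encoded form:
# an encoded '%' means the value was encoded twice, an encoded '/' hides a
# path-segment boundary, and an encoded NUL truncates C strings downstream.
FORBIDDEN_ENCODED = {
    0x25: "encoded '%' (double encoding)",
    0x2F: "encoded '/' (hidden segment boundary)",
    0x00: "encoded NUL",
}


class AmbiguousEncoding(ValueError):
    """Raised when the raw path could plausibly be read more than one way."""


def strict_decode_path(raw: str) -> str:
    """Decode percent-escapes exactly once; reject anything a second parser
    might interpret differently instead of guessing."""
    out = bytearray()
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch == "%":
            hexpart = raw[i + 1:i + 3]
            if not HEX2.fullmatch(hexpart):
                raise AmbiguousEncoding(f"malformed escape at offset {i}")
            byte = int(hexpart, 16)
            if byte in FORBIDDEN_ENCODED:
                raise AmbiguousEncoding(FORBIDDEN_ENCODED[byte])
            out.append(byte)
            i += 3
        elif 0x21 <= ord(ch) <= 0x7E:
            # Only visible ASCII may appear unencoded; raw control or 8-bit
            # characters are rejected rather than silently passed through.
            out.append(ord(ch))
            i += 1
        else:
            raise AmbiguousEncoding(f"raw byte 0x{ord(ch):02x} at offset {i}")
    try:
        # Python's UTF-8 codec rejects overlong and truncated sequences,
        # so alternate encodings of the same character do not survive.
        text = out.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise AmbiguousEncoding(f"invalid UTF-8: {exc.reason}") from None
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in text):
        raise AmbiguousEncoding("control character after decoding")
    return text


def lenient_decode_path(raw: str) -> str:
    """Forgiving decoder: malformed escapes pass through literally and
    invalid UTF-8 becomes U+FFFD, which is how many stacks behave."""
    return unquote(raw, errors="replace")


def compare(raw: str) -> dict:
    """Report how the two decoders treat one raw path."""
    lenient = lenient_decode_path(raw)
    try:
        strict = strict_decode_path(raw)
        verdict = "agree" if strict == lenient else "differ"
    except AmbiguousEncoding as exc:
        strict, verdict = None, f"strict rejects: {exc}"
    return {"raw": raw, "strict": strict, "lenient": lenient, "verdict": verdict}


SAMPLE_PATHS = [  # constructed inputs for the demonstration
    "/index.html",     # plain: both decoders agree
    "/caf%C3%A9",      # well-formed UTF-8 escape: both agree
    "/docs/%zzfile",   # malformed escape: lenient keeps it literally
    "/admin%2541",     # double-encoded 'A': lenient yields "%41"
    "/%c0%af",         # overlong UTF-8: lenient substitutes U+FFFD
    "/static%2fimg",   # encoded slash: segment boundary is ambiguous
    "/a%0d%0ab",       # decoded CR LF: control characters in a path
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(compare(path))
```

Running the module prints one line per sample path; every case the strict decoder refuses is one where a filter and an origin server could legitimately disagree about what was requested, which is exactly the kind of ambiguity the thread argues a new encoding should eliminate.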
Received on Tuesday, 31 July 2012 21:56:50 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 31 July 2012 21:56:55 GMT