- From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
- Date: Mon, 24 Feb 2014 14:32:10 +0200
- To: Mikael Abrahamsson <swmike@swm.pp.se>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>
On Mon, Feb 24, 2014 at 01:18:04PM +0100, Mikael Abrahamsson wrote:
> On Mon, 24 Feb 2014, Ilari Liusvaara wrote:
>
> >Encrypting arbitrary data in upstream direction is doable.
> >Question is, what can be encrypted without causing smuggling
> >issues.
>
> I'd guess as soon as encryption is employed, smuggling is always
> possible. But if the proxy owner wants for instance to employ
> whitelists of what sites are allowed then hopefully this whitelist
> would only allow sites where smuggling is unlikely.

I mean things like:

    :method GET
    :scheme http
    :path /some/innocent/path
    :authority foo.example
    <...>
    Encrypted {
    :path /porn-stash/
    User-Agent: foobar/1.0
    Accept-Encoding: identity, gzip, deflate, bzip2, xz
    <...>
    }

Note two :path headers.

Or:

    :method GET
    :scheme http
    :path /some/innocent/path
    :authority foo.example
    <...>
    Encrypted {
    User-Agent: foobar/1.0
    Accept-Encoding: identity, gzip, deflate, bzip2, xz
    <...>
    <End of request>
    :method GET
    :scheme http
    :path /porn-stash/
    :authority foo.example
    <...>
    }

Where the entire request is smuggled.

-Ilari
Received on Monday, 24 February 2014 12:32:34 UTC
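
Added example, not part of the original message or of any HTTP/2 draft: a check a receiver could run on the decrypted block before merging it with the cleartext headers, so that both cases above are rejected. The policy (no pseudo-headers, no second request, no override of a cleartext header inside the encrypted part), the END_OF_REQUEST sentinel and all function names are assumptions made for illustration.

```python
# Added example: validate a decrypted header block before merging it.
# The policy below is an assumption, not something the thread agreed on.

END_OF_REQUEST = object()  # stands in for the "<End of request>" marker


class SmugglingError(ValueError):
    """Raised when the encrypted part could change what the proxy saw."""


def merge_request(cleartext, decrypted):
    """Return the merged header list, or raise SmugglingError.

    Both arguments are lists of (name, value) pairs; `decrypted` may hold
    END_OF_REQUEST where the sender tried to start a second request.
    """
    seen = {name.lower() for name, _ in cleartext}
    merged = list(cleartext)
    for item in decrypted:
        if item is END_OF_REQUEST:
            raise SmugglingError("encrypted block contains a second request")
        name, value = item
        lname = name.lower()
        if lname.startswith(":"):
            raise SmugglingError(f"pseudo-header {lname} inside encrypted block")
        if lname in seen:
            raise SmugglingError(f"{lname} overrides a cleartext header")
        merged.append((lname, value))
    return merged


def verdict(cleartext, decrypted):
    """Return 'ok' or the reason the request was rejected."""
    try:
        merge_request(cleartext, decrypted)
        return "ok"
    except SmugglingError as exc:
        return str(exc)


# Constructed inputs mirroring the two cases in the message.
VISIBLE = [(":method", "GET"), (":scheme", "http"),
           (":path", "/some/innocent/path"), (":authority", "foo.example")]
EXTRA = [("User-Agent", "foobar/1.0"),
         ("Accept-Encoding", "identity, gzip, deflate, bzip2, xz")]
CASE_DUP_PATH = [(":path", "/porn-stash/")] + EXTRA
CASE_WHOLE_REQUEST = EXTRA + [END_OF_REQUEST, (":method", "GET"),
                              (":path", "/porn-stash/")]
```
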