Re: Call for Adoption: Encrypted Content Encoding from Cory Benfield on 2015-12-02 (ietf-http-wg@w3.org from October to December 2015)

From: Cory Benfield <cory@lukasa.co.uk>
Date: Wed, 2 Dec 2015 10:16:20 +0000
To: "Walter H." <Walter.H@mathemainzel.info>
Cc: ietf-http-wg@w3.org
Message-Id: <839F3097-52DA-477C-B61C-335C8240D864@lukasa.co.uk>

> On 1 Dec 2015, at 20:12, Walter H. <Walter.H@mathemainzel.info> wrote:
> 
> On 01.12.2015 16:14, Amos Jeffries wrote:
>> The question was how is encrypting using file-based methods safer than
>> encryption with this draft method. My conclusion: it is not.
> file-based methods won't get decrypted automatically without any mechanism on client side;
> this draft method does.

You’re right: without this draft the file-based methods won’t get decrypted, no. It’s worse: they get *executed*.

Decryption itself should not be a malware distribution vector. The only way it could be is if the decryption code itself is vulnerable to a code injection attack of some form (e.g. buffer overflow). That’s certainly *possible*, but it’s not standard practice.

However, user-agents automatically process plenty of file formats already. Chrome opens PDFs in an internal renderer: PDFs are a potential malware distribution vector. Internet Explorer can be configured to helpfully open whatever program is associated with a file format without user input. Safari will automatically decompress a ZIP file that it’s served. Frankly, if your concern is malware distribution then I highly recommend you ask browser authors to stop automatically executing content they download. (Good luck with that.)

If user-agents did not execute, but did transparently decrypt, all content, there would be no problem. The problem is trusting the decrypted content, and that risk already exists for the non-decrypted content you receive today. Plus, when I download a zip file from GitHub today, there’s no guaranteeing that a MITM box didn’t replace that zip file with one containing a malware-based payload. This new draft does provide me with that guarantee: only GitHub and I can tamper with that file.

Once again, I cannot stress this enough: this draft does not add any new malware distribution vector. It makes certain malware distribution vectors harder to use, and it makes certain malware detection methods potentially less effective. However, it also grants the possibility of data distribution with tightly controlled access, which is not possible on the web today.

Cory

Received on Wednesday, 2 December 2015 10:16:52 UTC