W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2016

RE: AD review of draft-ietf-httpbis-alt-svc-10

From: Mike Bishop <Michael.Bishop@microsoft.com>
Date: Tue, 12 Jan 2016 22:09:47 +0000
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Barry Leiba <barryleiba@computer.org>, Julian Reschke <julian.reschke@gmx.de>
CC: "draft-ietf-httpbis-alt-svc@ietf.org" <draft-ietf-httpbis-alt-svc@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <BN3PR03MB13677294EE2ABFE14D0A56D087CA0@BN3PR03MB1367.namprd03.prod.outlook.com>
More whether you're okay with that text as mitigation to this hypothetical attack:

http://users.example.com is a shared server which hosts user home pages.  Eve places a config file in her wwwpages directory to add an Alt-Svc header to pages served out of http://users.example.com/~eve announcing an alternative service for http://users.example.com on port 23412.  Bob is using an Alt-Svc-capable browser.  After Bob has visited http://users.example.com/~eve, he visits http://users.example.com/~alice.  His browser, obeying Eve's Alt-Svc header, accesses the alternative service on port 23412, where Eve is running a forward proxy that replaces all pages except her own with dancing hamsters.

The original mitigations proposed in the text were "prohibit normal users from setting the Alt-Svc header" (which is retroactive on pre-Alt-Svc servers) or "prohibit normal users from listening for incoming requests" (which is contrary to the security model of any shared machine I've used).  This scenario originally made me want to require strong auth on any change of endpoint, but that breaks the opportunistic security draft.  The current text, which I agree does very little, was as strong as we could think of a way to make it without breaking the way Opp-Sec wanted to work.

I haven't seen such a server since I was in college, so I don't know whether they still actually exist and run that way.  I presume they do, even if rare, but I have no data.

-----Original Message-----
From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] 
Sent: Tuesday, January 12, 2016 12:32 PM
To: Mike Bishop <Michael.Bishop@microsoft.com>; Barry Leiba <barryleiba@computer.org>; Julian Reschke <julian.reschke@gmx.de>
Cc: draft-ietf-httpbis-alt-svc@ietf.org; HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: AD review of draft-ietf-httpbis-alt-svc-10



On 11/01/16 16:45, Stephen Farrell wrote:
> 
> 
> On 11/01/16 16:34, Mike Bishop wrote:
>> Haven't heard back from Stephen on the port-change issue we wanted 
>> him to weigh in on; I sent him a reminder.
> 
> 2nd one worked:-)
> 
> Lemme go back and read the mail. Please hassle me if I've not gotten 
> back by tomorrow sometime

So as I understand it (thanks Barry), the issue is whether or not this text is ok:

  "Clients can reduce this risk by imposing
   stronger requirements (e.g. strong authentication) when moving from
   System Ports to User or Dynamic Ports, or from User Ports to Dynamic
   Ports, as defined in Section 6 of [RFC6335]."

FWIW, I have no problem with that. I'm not sure quite what it's telling a client to do, but I don't think there's much difference these days between lower numbered and higher numbered ports. (If that's wrong, I'm sure someone will correct me:-)

Note that I've not read the rest of the document, just that bit.

Cheers,
S.

> 
> Cheers,
> S.
> 
>>
>> -----Original Message----- From: barryleiba@gmail.com 
>> [mailto:barryleiba@gmail.com] On Behalf Of Barry Leiba Sent: Sunday, 
>> January 10, 2016 9:20 AM To: Julian Reschke <julian.reschke@gmx.de>
>> Cc: draft-ietf-httpbis-alt-svc@ietf.org; HTTP Working Group 
>> <ietf-http-wg@w3.org> Subject: Re: AD review of
>> draft-ietf-httpbis-alt-svc-10
>>
>>>>> I don't think this is a 2119 "MAY": what *else* can it do?  You 
>>>>> have no other guidance about which alternative alternative to 
>>>>> pick, so....  I think this should just say, "it chooses the most 
>>>>> suitable...."
>>>>
>>>> Agreed. I haven't changed that yet as it affects normative language 
>>>> but I will unless somebody wants to defend it soonish.
>>>
>>> <https://github.com/httpwg/http-extensions/commit/a9df1e33703a2cb46c

>>> 9b
>>>
>>>
> 441bfca5bbc04fff80d1>
>>
>> Nice.  Is this the last of the updates, or are we still working on 
>> any?  Whenever you're ready to post a new I-D version, I'll give it a 
>> check and request last call.
>>
>> Barry
>>
> 
> 
Received on Tuesday, 12 January 2016 22:10:16 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 22 March 2016 12:47:10 UTC