
Retrying failed POSTs [was: Retry safety of HTTP requests]

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 24 Mar 2016 10:08:53 +1100
Cc: Erik Nygren <erik@nygren.org>
Message-Id: <39276984-AF3F-445F-A6C6-33844834D79D@mnot.net>
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>

On 24 Mar 2016, at 5:37 AM, Erik Nygren <erik@nygren.org> wrote:
> 
> This post on attacks against POST retries in HTTPS is also worth reading
> for those who haven't seen it:
> 
>          http://blog.valverde.me/2015/12/07/bad-life-advice/#.VvLe6rMpDmE
> 
> (I was a little surprised to see that the behavior of browsers had shifted
> over the years to transparently retry POSTs over broken connections by default.)

Very interesting indeed. One can easily imagine an attack; e.g., a captive portal asks for online payment, and gets paid twice.

The advice to use a CSRF token is good, but it's pretty obvious that it's not being followed consistently or well (although maybe it's good enough in the places where it most matters, e.g., online payments). 

Regardless, it seems like we should either change the implementations, or change the spec. 

Cheers,

--
Mark Nottingham   https://www.mnot.net/
Received on Wednesday, 23 March 2016 23:09:22 UTC
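
Added example, not part of the original message or of any implementation discussed on the list: a server-side sketch of the token advice mentioned above, showing how a transparently retried or replayed POST can be recognised so the payment is applied only once. It assumes the token is single-use and bound to the session (the message only says "CSRF token"); `PaymentHandler`, `issue_token` and `handle_post` are hypothetical names.

```python
import hashlib
import hmac
import secrets


class PaymentHandler:
    """Constructed example: a single-use form token makes a repeated POST a no-op."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self._results = {}   # nonce -> response of the first POST that used it
        self.charges = []    # stands in for the payment backend

    def _mac(self, session_id, nonce):
        msg = f"{session_id}:{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue_token(self, session_id):
        """Called when the payment form is rendered; one token per form."""
        nonce = secrets.token_hex(16)
        return f"{nonce}.{self._mac(session_id, nonce)}"

    def handle_post(self, session_id, token, amount):
        nonce, _, tag = token.partition(".")
        expected = self._mac(session_id, nonce)
        # Constant-time comparison; rejects forged or cross-session tokens.
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return (403, "bad token")
        if nonce in self._results:
            # Token already consumed: this is a retry (by the browser or by
            # someone replaying the request). Return the stored response
            # without charging again.
            return self._results[nonce]
        # A real service must make this check-and-record step atomic,
        # for example with a unique constraint on the nonce.
        self.charges.append((session_id, amount))
        response = (200, f"charged {amount}")
        self._results[nonce] = response
        return response


if __name__ == "__main__":
    h = PaymentHandler()
    t = h.issue_token("session-A")
    print(h.handle_post("session-A", t, 25))  # first delivery
    print(h.handle_post("session-A", t, 25))  # retried POST, same token
    print(len(h.charges), "charge(s) recorded")
```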
