Re: UPGRADE: 'HTTPS' header causing compatibility issues. from Adrian Hope-Bailie on 2015-06-30 (public-webappsec@w3.org from June 2015)

From: Adrian Hope-Bailie <adrian@hopebailie.com>
Date: Tue, 30 Jun 2015 11:18:18 +0200
To: "Nottingham, Mark" <mnotting@akamai.com>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CA+eFz_LRrOUYZH4-rFyZFovQ0ZED2i3pfHDbqNkHG1oHP8kHYw@mail.gmail.com>

I am aware of quite a few server-side technologies that define "server
variables" called HTTPS (IIS and PHP at least) and it would seem that with
the right combination of bad config and dicey application code it's pretty
easy to mix headers and server variables into the same global namespace.

https://crbug.com/501842 (the redirect to itself issue) suggests that the
application is trying to detect if it's receiving a request over HTTPS and
if so redirect to HTTP. The HTTPS:1 header probably tricks it into thinking
the request is over HTTPS.

I would suggest that it's simply the header name causing the issue and
changing to "TLS" or "HTTPS-Preferred" or similar will solve it.

On 30 June 2015 at 10:14, Nottingham, Mark <mnotting@akamai.com> wrote:

>
> > On 30 Jun 2015, at 5:36 pm, Mike West <mkwst@google.com> wrote:
> >
> > Chrome 44 sends an `HTTPS: 1` header, as specced at
> https://w3c.github.io/webappsec/specs/upgrade/#preference. It looks like
> this is causing issues with some folks' servers. These are the bugs I've
> seen reported so far:
> >
> > * https://crbug.com/501095
> > * https://crbug.com/501842
> > * https://crbug.com/504357
> >
> > My vague guess is that some configurations set internal variables based
> on header names (e.g. `HTTPS: 1` => `$HTTPS == 1`), which is confusing the
> poor programs.
>
> Nice!
>
> Given that CGI and most other sane server APIs put headers in a distinct
> namespace, this is a special kind of broken for those sites - I can only
> imagine what you can trick them into doing with a header...
>
>
> > With this in mind, I think it might be advisable to change the header
> name, which means diving back into the bikeshed of
> https://github.com/w3c/webappsec/issues/216. Think we can agree on a name
> this week?
> >
> > If we can't, I'll run with `TLS: 1` by royal fiat. :)
>
> WFM; although I kinda just want to break sites like this, I understand how
> you might not.
>
> Cheers,
>
> >
> > --
> > Mike West <mkwst@google.com>, @mikewest
> >
> > Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany,
> Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft:
> Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores
> > (Sorry; I'm legally required to add this exciting detail to emails.
> Bleh.)
>
> --
> Mark Nottingham    mnot@akamai.com   https://www.mnot.net/
>
>

Received on Tuesday, 30 June 2015 09:18:50 UTC