- From: Mark Nottingham <mnot@mnot.net>
- Date: Wed, 11 Aug 2021 12:13:45 +1000
- To: Roman Danyliw <rdd@cert.org>
- Cc: The IESG <iesg@ietf.org>, httpbis-chairs@ietf.org, HTTP Working Group <ietf-http-wg@w3.org>, Tommy Pauly <tpauly@apple.com>
Hi Roman, > On 11 Aug 2021, at 8:28 am, Roman Danyliw via Datatracker <noreply@ietf.org> wrote: > > ** Is there further guidance that can be provided to inform the tradeoff > between operational and security considerations? > > (a) Section 2 says “While these parameters are OPTIONAL, caches are encouraged > to provide as much information as possible.” > > (b) Section 6 says “Attackers can use the information in Cache-Status to probe > the > behaviour of the cache (and other components), and infer the activity > of those using the cache. The Cache-Status header field may not > create these risks on its own, but can assist attackers in exploiting > them. > > For example, knowing if a cache has stored a response can help an > attacker execute a timing attack on sensitive data. Exposing the > cache key can help an attacker understand modifications to the cache > key, which may assist cache poisoning attacks. See [ENTANGLE] for > details.” > > On the one hand, the operational guidance in (a) seems to be saying share as > much as you can to support debugging. However, the security considerations of > (b) reminds the reader that the presence these parameters can be exploited. Is > there any additional guidance that can be provided on how this tradeoff could > or should be made? It's a good question. I'm struggling to come up with anything, I suspect that's because the tradeoff is situational, depending upon the proxy's threat model, etc. If you (or anyone else) can come up with more specific text I'd be grateful. I've created <https://github.com/httpwg/http-extensions/issues/1598> to track this. Cheers, -- Mark Nottingham https://www.mnot.net/
Received on Wednesday, 11 August 2021 02:14:05 UTC