- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Fri, 11 Jun 2010 15:32:53 +0200
- To: Adrien de Croy <adrien@qbik.com>
- CC: Dan Winship <dan.winship@gmail.com>, Bil Corry <bil@corry.biz>, HTTP Working Group <ietf-http-wg@w3.org>, Michal Zalewski <lcamtuf@google.com>, Jeff Hodges <Jeff.Hodges@KingsMountain.com>, Adam Barth <ietf@adambarth.com>, "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
On 11.06.2010 15:24, Adrien de Croy wrote:
>
> I raised this problem a while back.
>
> All the browsers except Opera (limited case) make no complaint when a
> download is truncated. This is whether it's chunked and doesn't receive
> a final 0 chunk, or whether there's a content length and the connection
> is closed (whether or not the server indicated it would close) prior to
> that many bytes being transferred.
>
> I personally view this as highly problematic, and it's tied in with the
> work I've been doing recently with scanning at a proxy.
>
> The reason it's problematic, is because every single proxy I've tested
> (TMG/ISA, WinRoute, WinGate, Webmarshall - admittedly there are many
> more) does something called either "drip-feeding" or "trickling". If
> you're downloading a file through one of these proxies, they will send
> you a portion of the resource as it's coming down to the proxy. When the
> proxy has received the whole file, it scans it and sends the rest if
> it's ok, but if it's not ok, it has 1 option only - abort the connection.
>
> Since the browsers ignore the connection having been aborted, and
> present the downloaded file as if nothing was wrong, then any malware
> purveyor need only pad their malware out, so that the executable part
> will fall within the drip-feeding window. It basically renders AV at
> gateway potentially useless.
>
> If OTOH the browsers were to act on the fact that the download was
> aborted, this wouldn't be nearly as big a security risk.
>
> Regards
>
> Adrien

+1 to all of this (the problem also applies to cases where the server
breaks while sending the content).

Do we have a test case for this? For the browsers that get this wrong,
are there bug reports?

Best regards, Julian
Received on Friday, 11 June 2010 13:33:36 UTC
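
The two truncation cases described in the thread (Content-Length not reached, and a chunked body with no final 0 chunk) can be checked by a receiver as in the following added example, which is not code from the thread or from any browser or proxy. It assumes the raw bytes of one HTTP/1.1 response read until the peer closed; the function names and sample responses are constructed for illustration.

```python
def check_complete(raw: bytes):
    """Return (complete, reason) for one HTTP/1.1 response read until close."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "closed inside the header block"
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if b"chunked" in headers.get(b"transfer-encoding", b""):
        return _check_chunked(body)
    cl = headers.get(b"content-length")
    if cl is not None:
        if not cl.isdigit():
            return False, "malformed Content-Length"
        if len(body) < int(cl):
            return False, f"got {len(body)} of {int(cl)} bytes"
        return True, "Content-Length satisfied"
    return True, "close-delimited body: truncation is undetectable"

def _check_chunked(body: bytes):
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return False, "closed before the final 0 chunk"
        token = body[pos:eol].split(b";")[0].strip()   # drop chunk extensions
        if not token or any(c not in b"0123456789abcdefABCDEF" for c in token):
            return False, "malformed chunk-size line"
        size = int(token, 16)
        if size == 0:
            # The message ends only after the (possibly empty) trailer section.
            done = body.find(b"\r\n\r\n", eol) >= 0
            return done, "final 0 chunk received" if done else "closed inside trailers"
        pos = eol + 2 + size + 2                  # chunk data plus its CRLF
        if len(body) < pos:
            return False, "closed inside a chunk"

HDR = b"HTTP/1.1 200 OK\r\n"
SAMPLES = {   # constructed responses, not captured traffic
    "length_ok":   HDR + b"Content-Length: 10\r\n\r\n0123456789",
    "length_cut":  HDR + b"Content-Length: 10\r\n\r\n0123",
    "chunked_ok":  HDR + b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
    "chunked_cut": HDR + b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_complete(raw))
```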