W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2013

Re: Adding Security Considerations regarding interception to p1

From: Mark Nottingham <mnot@mnot.net>
Date: Fri, 20 Sep 2013 15:14:27 +1000
Cc: Mike Belshe <mike@belshe.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, "Roy T. Fielding" <fielding@gbiv.com>, IETF HTTP WG <ietf-http-wg@w3.org>
Message-Id: <7A11F4F7-86DF-48DA-99AC-C81FD30FA8E4@mnot.net>
To: Willy Tarreau <w@1wt.eu>

On 20/09/2013, at 3:10 PM, Willy Tarreau <w@1wt.eu> wrote:
> Then what do you think about just describing the current state without
> giving any guidance about how to protect, so that the reader informs
> himself on the subject if he feels concerned ?

Personally - I think that'd be a big improvement over saying nothing. However, AIUI the security folks like to see a listing of both threats *and* mitigations for them. Stephen?

The second proposal I made (copied below) tried to make it clear that while TLS might help, it's not a panacea. Are you still against it? Would adding further qualifications about TLS help?




Common use of HTTP often contains a considerable amount of sensitive data; this might include cookies [RFC6265], application data, and even patterns of access.

When used without encryption, HTTP makes this data vulnerable to passive interception. There are known instances when third parties have exploited the in-the-clear nature of "http://" URIs to obtain sensitive information, for a variety of purposes. Use of TLS [RFC2818] can help to mitigate such passive interception attacks. Note that TLS itself has many modes of use with different security properties, and there are currently known attacks against server authentication in "https://" URIs.

Moreover, like other clear text protocols, HTTP/1.1 is subject to an active man-in-the-middle attack.  That is, it is possible for an intermediary
device to terminate a client TCP connection and respond as if it had the IP address of the intended HTTP server.  An attacker may insert or delete content or redirect the client to a completely different web site.  Using TLS [RFC2818] may or may not mitigate this form of attack, depending on the client and individual behaviors. 


Mark Nottingham   http://www.mnot.net/
Received on Friday, 20 September 2013 05:15:01 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:15 UTC