Fwd: Gen-Art review of draft-ietf-httpbis-p2-semantics-24 with security considerations from Julian Reschke on 2013-11-18 (ietf-http-wg@w3.org from October to December 2013)

From: Julian Reschke <julian.reschke@gmx.de>
Date: Mon, 18 Nov 2013 17:29:35 +0100
To: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <528A406F.6020105@gmx.de>
(FYI)


-------- Original Message --------
Subject: Gen-Art review of draft-ietf-httpbis-p2-semantics-24 with 
security considerations
Date: Mon, 18 Nov 2013 10:58:46 -0500
From: Moriarty, Kathleen <kathleen.moriarty@emc.com>
To: gen-art@ietf.org <gen-art@ietf.org>, iesg@ietf.org <iesg@ietf.org>, 
        draft-ietf-httpbis-p2-semantics.all@ietf.org 
<draft-ietf-httpbis-p2-semantics.all@ietf.org>
CC: fielding@gbiv.com <fielding@gbiv.com>, 
julian.reschke@greenbytes.de <julian.reschke@greenbytes.de>

I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at

<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.

Please resolve these comments along with any other Last Call comments
you may receive.

Document: draft-ietf-httpbis-p2-semantics-24
Reviewer: Kathleen Moriarty
Review Date: November 18, 2013
IETF LC End Date: End of November
IESG Telechat date: (if known)

Summary:  The document has a number of run-on sentences that should be 
fixed.  I also found some security considerations that should be added 
to the document or referenced in other documents if they have been 
addressed.

Major issues:

Minor issues:  Security Considerations

Section 9.3:  You may want to include information that informs 
developers and users of SQL injection attacks.  Fields are still 
included in some URIs that link you to pages directly that contain 
personal information using consistent identifiers.  It would be helpful 
as this is still one of the biggest attack vectors.  A quick search on 
SQL injection URL will provide additional information for inclusion in 
the write up.  You mention GET-based forms in section 9.3, but it 
doesn't mention SQL injection attacks and information in the URIs. 
Since this is so prevalent still, I think it is important to call out 
explicitly.

Section 9.4: HTTP User-Agent strings are also used within enterprise at 
a firewall or by  web servers to prevent the use of outdated browsers, 
ones with known security issues.  Since this section informs of the 
negative uses, this one would be important to include to provide a 
broader picture of how they may be used in a security context.

User-agent strings are also used in threat detection as there may be a 
modification to a User-Agent string that helps incident response teams 
identify malware or comprised browsers.

Section 9 should also cover Man-in-the-middle and session hijacking 
attacks or point to a security consideration section that covers 
transport security considerations (authentication, encryption, logging, 
etc.).  If that is covered in another document, please state that and 
provide a link.  It would be worth including a reference within the 
introduction of 9 to Part 1 on Messaging Security Considerations, 
draft-ietf-httpbis-p1-messaging-17 as well.


Nits/editorial comments:

Section 1, second sentence:
No comma necessary before "via"
HTTP provides a uniform interface for interacting with a resource
    (Section 2), regardless of its type, nature, or implementation via
    the manipulation and transfer of representations

Section 3, paragraph 1, consider breaking the first sentence into two.

Second paragraph, break into multiple sentences.

Section 3.1.1.3:
Remove unnecessary comma after parse, change from:
An HTTP
    sender MAY generate, and a recipient MUST be able to parse, line
    breaks in text media that consist of CRLF, bare CR, or bare LF.
To: An HTTP
    sender MAY generate, and a recipient MUST be able to parse line
    breaks in text media that consist of CRLF, bare CR, or bare LF.

Section 3.1.4.1
Break #4 down into multiple sentences or a structure that is easier to 
parse.

Section 3.1.4.2: Several sentences are way too long, please consider 
breaking them into multiple sentences.

Section 3.3, paragraph 2, Break the second sentence into multiple 
sentences.  This could be listed as two examples without the comparison 
statement.

Section 3.4, last sentence,
While I appreciate the reference and found it humorous, this reference 
may not be easily understood by an international audience.  I suggest 
that you explain the recommendation in plain text, followed by the 
reference to reach all audiences.

Section 3.4.1, please break the last sentence into multiple sentences.

Section 3.4.2, please break the second to last paragraph into multiple 
sentences.

Section 4 starts using the word ought.  SHOULD would be more appropriate 
if that is what is intended as the statements refer to IANA actions and 
would be better read with well-defined terms.

Section 4.2.2, please break the second to last sentence into multiple 
sentences.

Section 4.3.4, several run-on sentences should be broken into multiple 
sentences.

Section 4.3.5, please break the 3rd to last paragraph into multiple 
sentences.

Second to last and the last paragraph on page 35 should be broken into 
multiple sentences.

Note at end of page 38 should be broken into multiple sentences.

Last sentence on page 42 should be broken into multiple sentences.

Section 6.3.1, remove carriage return after "The" in first line.

Last sentence of page 53, please break into multiple sentences.

6.4.1.  First sentence should be broken into a couple.

6.4.4 Use of word 'ought' sounds odd in this sentence:
In order to satisfy the
    original request, a user agent ought to perform a retrieval request
    using the Location URI (a GET or HEAD request if using HTTP), which
    can itself be redirected further, and present the eventual result as
    an answer to the original request.
How about this instead:
In order to satisfy the
    original request, a user agent can perform a retrieval request
    using the Location URI (a GET or HEAD request if using HTTP), which
    can itself be redirected further, and present the eventual result as
    an answer to the original request.

Section 7.1.4: Please break the first sentence of the second and last 
paragraphs into multiple sentences.


Section 9.6 has a few run-on sentences, please break them up --  First 
sentence of 4th paragraph for instance.

Last paragraph: I'd like to see a SHOULD in the first sentence to make 
this stronger, otherwise, there is no hope it will happen.  I'm not even 
sure how the user could be informed of loss of privacy considerations if 
it is not built in, this is a tough approach and I don't see it being 
effective for most users.  If this is configurable at the time of 
browser installation, would you recommend that there is a series of 
prompts that inform the user about each choice or did you have something 
else in mind?  An example may help here to actually see something happen 
as a result of the recommendation.


Thank you,
Kathleen
Received on Monday, 18 November 2013 16:30:09 UTC