W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2014

HPACK security considerations

From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 10 Jun 2014 17:12:04 -0700
Message-ID: <CABkgnnVb2G_totYtD_orqwxeupwNcXNmG+VQR2dRg7VsEeSC5A@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
I just opened https://github.com/http2/http2-spec/pull/517

It's a fairly comprehensive rework of the security considerations
section, which - in my opinion - was a mite too optimistic.  The new
proposal includes coverage of:

* the attack in the general sense,
* how the attack might apply in HPACK and HTTP,
* particular areas of concern,
* how HPACK inherently mitigates these attacks,
* what environments might need additional mitigation, and
* some suggested mitigation strategies.

Mitigation strategies that I have described are:

* actor-based isolation (a generalized application of the origin
isolation principle)
* destroy values on failed guesses (thanks here to Adam Barth for the
idea), either probabilistically, or based on a count, with a
recommendation that shorter values be made harder to guess
* specific protection for "special" header fields

--Martin
Received on Wednesday, 11 June 2014 00:12:31 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:31 UTC