Re: new version trusted-proxy20 draft

On Mon, Feb 24, 2014 at 01:18:04PM +0100, Mikael Abrahamsson wrote:
> On Mon, 24 Feb 2014, Ilari Liusvaara wrote:
> 
> >Encrypting arbitrary data in upstream direction is doable.
> >Question is, what can be encrypted without causing smuggling
> >issues.
> 
> I'd guess as soon as encryption is employed, smuggling is always
> possible. But if the proxy owner wants for instance to employ
> whitelists of what sites are allowed then hopefully this whitelist
> would only allow sites where smuggling is unlikely.

I mean things like:

:method GET
:scheme http
:path /some/innocent/path
:authority foo.example
<...>
Encrypted {
:path /porn-stash/
User-Agent: foobar/1.0
Accept-Encoding: identity, gzip, deflate, bzip2, xz
<...>
}

Note two :path headers.

Or:

:method GET
:scheme http
:path /some/innocent/path
:authority foo.example
<...>
Encrypted {
User-Agent: foobar/1.0
Accept-Encoding: identity, gzip, deflate, bzip2, xz
<...>
<End of request>
:method GET
:scheme http
:path /porn-stash/
:authority foo.example
<...>
}

Where an entire request is smuggled.


-Ilari

Received on Monday, 24 February 2014 12:32:34 UTC
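
An added example, not part of the original mail or of the draft: a check the decrypting endpoint could run on the contents of the "Encrypted { ... }" section to reject the two cases shown above. The line-based layout, the "<End of request>" marker and the names parse_header and audit_request are assumptions that mirror the mail's notation, not a wire format.

```python
# Added example. Sample inputs are constructed from the mail's two sketches.
END_MARKER = "<End of request>"

def parse_header(line):
    """Split ':path /x' or 'Name: value' into (lowercased name, value)."""
    if line.startswith(":"):
        name, _, value = line.partition(" ")   # pseudo-header
    else:
        name, _, value = line.partition(":")   # regular header
    return name.strip().lower(), value.strip()

def audit_request(outer_lines, decrypted_lines):
    """Return findings; an empty list means nothing was smuggled."""
    findings = []
    outer = dict(parse_header(l) for l in outer_lines)
    for line in decrypted_lines:
        if line.strip() == END_MARKER:
            # Anything after the marker would be a second, hidden request.
            findings.append("request boundary inside encrypted section")
            break
        name, value = parse_header(line)
        if not name.startswith(":"):
            continue  # ordinary headers are what the section is meant for
        if name in outer and outer[name] != value:
            findings.append(
                f"{name} overrides visible value: {outer[name]!r} -> {value!r}")
        else:
            findings.append(f"pseudo-header {name} inside encrypted section")
    return findings

OUTER = [":method GET", ":scheme http",
         ":path /some/innocent/path", ":authority foo.example"]
# Case 1 from the mail: a second :path inside the encrypted section.
CASE_DUP_PATH = [":path /porn-stash/", "User-Agent: foobar/1.0",
                 "Accept-Encoding: identity, gzip, deflate, bzip2, xz"]
# Case 2 from the mail: a whole second request inside the encrypted section.
CASE_WHOLE_REQUEST = ["User-Agent: foobar/1.0",
                      "Accept-Encoding: identity, gzip, deflate, bzip2, xz",
                      END_MARKER, ":method GET", ":scheme http",
                      ":path /porn-stash/", ":authority foo.example"]
CASE_CLEAN = ["User-Agent: foobar/1.0", "Accept-Encoding: identity, gzip"]

if __name__ == "__main__":
    for label, case in [("dup :path", CASE_DUP_PATH),
                        ("whole request", CASE_WHOLE_REQUEST),
                        ("clean", CASE_CLEAN)]:
        print(label, "->", audit_request(OUTER, case) or "ok")
```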