
Re: new version trusted-proxy20 draft

From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Date: Mon, 24 Feb 2014 14:32:10 +0200
To: Mikael Abrahamsson <swmike@swm.pp.se>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20140224123210.GA18136@LK-Perkele-VII>
On Mon, Feb 24, 2014 at 01:18:04PM +0100, Mikael Abrahamsson wrote:
> On Mon, 24 Feb 2014, Ilari Liusvaara wrote:
> 
> >Encrypting arbitrary data in upstream direction is doable.
> >Question is, what can be encrypted without causing smuggling
> >issues.
> 
> I'd guess as soon as encryption is employed, smuggling is always
> possible. But if the proxy owner wants for instance to employ
> whitelists of what sites are allowed then hopefully this whitelist
> would only allow sites where smuggling is unlikely.

I mean things like:

:method GET
:scheme http
:path /some/innocent/path
:authority foo.example
<...>
Encrypted {
:path /porn-stash/
User-Agent: foobar/1.0
Accept-Encoding: identity, gzip, deflate, bzip2, xz
<...>
}

Note the two :path headers.

Or:

:method GET
:scheme http
:path /some/innocent/path
:authority foo.example
<...>
Encrypted {
User-Agent: foobar/1.0
Accept-Encoding: identity, gzip, deflate, bzip2, xz
<...>
<End of request>
:method GET
:scheme http
:path /porn-stash/
:authority foo.example
<...>
}

Where the entire request is smuggled.


-Ilari
Received on Monday, 24 February 2014 12:32:34 UTC
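Added example for this archive page (not code from the trusted-proxy draft, the working group, or the poster): a toy model of the two smuggling cases in the message. It serialises a header block one field per line, writes pseudo-header fields as ":name value" exactly as the message does, and uses a blank line in place of the "<End of request>" marker. It assumes a proxy whose policy is a path whitelist checked on the cleartext fields, a naive proxy that splices the decrypted fields in verbatim, and an origin that honours the last :path it sees; all three are modelling assumptions, as are the whitelist contents and the field names. The hardened splice shows the checks a proxy would need before forwarding: no pseudo-header fields and no request terminator inside the encrypted portion, and policy re-run on the merged block.

```python
"""Toy model of header smuggling through an encrypted field block.

Constructed example: the outer (cleartext) fields are what the proxy
inspects, the inner (decrypted) fields are spliced in before forwarding.
"""

ALLOWED_PATHS = {"/some/innocent/path"}  # assumed proxy whitelist


class SmugglingError(Exception):
    """Raised when the decrypted fields would alter what policy saw."""


def parse_field(line):
    """':name value' for pseudo-header fields, 'Name: value' otherwise."""
    if line.startswith(":"):
        name, _, value = line.partition(" ")
    else:
        name, _, value = line.partition(":")
    return name.strip().lower(), value.strip()


def parse_block(text):
    """Return a list of requests, each a list of (name, value) pairs.
    A blank line terminates a request (the '<End of request>' marker)."""
    requests, current = [], []
    for line in text.strip("\n").splitlines():
        if line.strip() == "":
            if current:
                requests.append(current)
                current = []
            continue
        current.append(parse_field(line))
    if current:
        requests.append(current)
    return requests


def policy_allows(fields):
    """Assumed proxy policy: the first :path must be whitelisted."""
    paths = [v for n, v in fields if n == ":path"]
    return bool(paths) and paths[0] in ALLOWED_PATHS


def origin_paths(request):
    """Every :path the origin receives; a naive server honours the last one."""
    return [v for n, v in request if n == ":path"]


def naive_forward(outer_text, inner_text):
    """Proxy checks cleartext fields only, then splices decrypted fields in
    verbatim. Returns the request(s) as the origin parses the one stream."""
    if not policy_allows(parse_block(outer_text)[0]):
        raise PermissionError("blocked by proxy policy")
    return parse_block(outer_text.rstrip("\n") + "\n" + inner_text)


def strict_forward(outer_text, inner_text):
    """Hardened splice: reject a request terminator or any pseudo-header
    field inside the decrypted block, then re-run policy on the merge."""
    lines = inner_text.splitlines()
    while lines and lines[-1].strip() == "":
        lines.pop()
    if any(line.strip() == "" for line in lines):
        raise SmugglingError("request terminator inside encrypted fields")
    for name, _ in map(parse_field, lines):
        if name.startswith(":"):
            raise SmugglingError(f"pseudo-header {name} inside encrypted fields")
    merged = parse_block(outer_text.rstrip("\n") + "\n" + inner_text)
    if len(merged) != 1:
        raise SmugglingError("merged block is not exactly one request")
    if not policy_allows(merged[0]):
        raise PermissionError("blocked by proxy policy")
    return merged


def is_smuggled(outer_text, inner_text):
    """True if the strict splice refuses the decrypted block."""
    try:
        strict_forward(outer_text, inner_text)
    except SmugglingError:
        return True
    return False


# Constructed inputs mirroring the two cases in the message.
OUTER = """\
:method GET
:scheme http
:path /some/innocent/path
:authority foo.example
"""

INNER_DUP_PATH = """\
:path /porn-stash/
User-Agent: foobar/1.0
Accept-Encoding: identity, gzip, deflate, bzip2, xz
"""

INNER_SECOND_REQUEST = """\
User-Agent: foobar/1.0
Accept-Encoding: identity, gzip, deflate, bzip2, xz

:method GET
:scheme http
:path /porn-stash/
:authority foo.example
"""

INNER_BENIGN = """\
User-Agent: foobar/1.0
Accept-Encoding: identity, gzip, deflate, bzip2, xz
"""

if __name__ == "__main__":
    print("naive, duplicate :path ->", origin_paths(naive_forward(OUTER, INNER_DUP_PATH)[0]))
    print("naive, second request  ->", len(naive_forward(OUTER, INNER_SECOND_REQUEST)), "requests")
    print("strict, duplicate :path ->", is_smuggled(OUTER, INNER_DUP_PATH))
    print("strict, second request  ->", is_smuggled(OUTER, INNER_SECOND_REQUEST))
    print("strict, benign          ->", is_smuggled(OUTER, INNER_BENIGN))
```

Running it shows the asymmetry the message is about: the naive proxy approves "/some/innocent/path" while the origin receives "/porn-stash/" as the last :path in the first case and an entirely unchecked second request in the second, whereas the strict splice refuses both and passes only the benign block. In a real deployment the terminator and pseudo-header rules would have to be stated in the protocol, since the proxy cannot otherwise know how the origin will delimit and resolve the merged fields.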
