- From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
- Date: Mon, 24 Feb 2014 14:32:10 +0200
- To: Mikael Abrahamsson <swmike@swm.pp.se>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>

On Mon, Feb 24, 2014 at 01:18:04PM +0100, Mikael Abrahamsson wrote:
> On Mon, 24 Feb 2014, Ilari Liusvaara wrote:
>
> >Encrypting arbitrary data in upstream direction is doable.
> >Question is, what can be encrypted without causing smuggling
> >issues.
>
> I'd guess as soon as encryption is employed, smuggling is always
> possible. But if the proxy owner wants for instance to employ
> whitelists of what sites are allowed then hopefully this whitelist
> would only allow sites where smuggling is unlikely.

I mean things like:

    :method GET
    :scheme http
    :path /some/innocent/path
    :authority foo.example
    <...>
    Encrypted {
        :path /porn-stash/
        User-Agent: foobar/1.0
        Accept-Encoding: identity, gzip, deflate, bzip2, xz
        <...>
    }

Note two :path headers.

Or:

    :method GET
    :scheme http
    :path /some/innocent/path
    :authority foo.example
    <...>
    Encrypted {
        User-Agent: foobar/1.0
        Accept-Encoding: identity, gzip, deflate, bzip2, xz
        <...>
        <End of request>
        :method GET
        :scheme http
        :path /porn-stash/
        :authority foo.example
        <...>
    }

Where the entire request is smuggled.

-Ilari

Received on Monday, 24 February 2014 12:32:34 UTC
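
Added example, not part of the original message or of any HTTP/2 implementation: a check that the endpoint decrypting the section could apply to reject both layouts shown above. The data model (header lists as (name, value) pairs), the function name and the sample values are assumptions made for illustration.

```python
# Added example, not from the original message. The data model (header
# lists as (name, value) pairs) and all names below are assumptions.
PSEUDO = {":method", ":scheme", ":path", ":authority"}

def check_request(clear, decrypted):
    """Return reasons to reject the request; an empty list means accept.

    clear     -- headers visible to the proxy
    decrypted -- headers recovered from the Encrypted { ... } section
    """
    problems = []
    seen = set()
    for name, _ in clear:
        if name in PSEUDO:
            if name in seen:
                problems.append(f"duplicate {name} in clear section")
            seen.add(name)
    for name in sorted(PSEUDO - seen):
        problems.append(f"{name} missing from clear section")
    for name, _ in decrypted:
        # A pseudo-header here either overrides what the proxy filtered on
        # (first case in the message) or begins a second request (second case).
        if name.startswith(":"):
            problems.append(f"pseudo-header {name} inside encrypted section")
    return problems

# Constructed inputs mirroring the two layouts in the message.
CLEAR = [(":method", "GET"), (":scheme", "http"),
         (":path", "/some/innocent/path"), (":authority", "foo.example")]
BENIGN = [("User-Agent", "foobar/1.0"),
          ("Accept-Encoding", "identity, gzip, deflate, bzip2, xz")]
SECOND_PATH = [(":path", "/other/path")] + BENIGN
WHOLE_REQUEST = BENIGN + [(":method", "GET"), (":scheme", "http"),
                          (":path", "/other/path"), (":authority", "foo.example")]

if __name__ == "__main__":
    for label, enc in [("benign", BENIGN), ("second :path", SECOND_PATH),
                       ("whole request", WHOLE_REQUEST)]:
        print(label, "->", check_request(CLEAR, enc) or "accept")
```

Keeping every pseudo-header in the clear section means the request the proxy filtered on is the only request the endpoint will act on.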