Retrying failed POSTs [was: Retry safety of HTTP requests]

On 24 Mar 2016, at 5:37 AM, Erik Nygren <erik@nygren.org> wrote:
> 
> This post on attacks against POST retries in HTTPS is also worth reading
> for those who haven't seen it:
> 
>          http://blog.valverde.me/2015/12/07/bad-life-advice/#.VvLe6rMpDmE
> 
> (I was a little surprised to see that the behavior of browsers had shifted
> over the years to transparently retry POSTs over broken connections by default.)

Very interesting indeed. One can easily imagine an attack; e.g., a captive portal asks for online payment, and gets paid twice.

The advice to use a CSRF token is good, but it's pretty obvious that it's not being followed consistently or well (although maybe it's good enough in the places where it most matters, e.g., online payments). 

Regardless, it seems like we should either change the implementations, or change the spec. 

Cheers,

--
Mark Nottingham   https://www.mnot.net/

Received on Wednesday, 23 March 2016 23:09:22 UTC
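
An added example, not from this thread or the linked post: a toy server-side handler showing how one form submission that reaches the server twice (as with a transparent POST retry) is charged twice when the form token stays valid for the session, and once when the token is consumed on first use. The class, method and session names are hypothetical, and the single-use behaviour is an assumption about how the token is deployed.

```python
import hmac
import secrets


class PaymentServer:
    """Toy handler (hypothetical names) for a payment form protected by a token."""

    def __init__(self, single_use):
        self.single_use = single_use
        self.session_token = {}   # session id -> token currently valid
        self.charges = []         # (session id, amount) actually applied

    def render_form(self, session_id):
        # Issue a fresh random token with every form the server renders.
        token = secrets.token_urlsafe(32)
        self.session_token[session_id] = token
        return token

    def handle_post(self, session_id, token, amount_cents):
        expected = self.session_token.get(session_id)
        if expected is None or not hmac.compare_digest(expected, token):
            return 403  # missing, wrong, or already-consumed token
        if self.single_use:
            # Consume the token before charging, so a second delivery of the
            # same request bytes no longer matches anything.
            del self.session_token[session_id]
        self.charges.append((session_id, amount_cents))
        return 200


def deliver_twice(server):
    """Constructed scenario: one user submission reaches the server twice,
    as when a client transparently retries a POST over a broken connection."""
    token = server.render_form("sess-1")
    request = ("sess-1", token, 1999)
    statuses = [server.handle_post(*request), server.handle_post(*request)]
    return statuses, len(server.charges)


if __name__ == "__main__":
    print("per-session token:", deliver_twice(PaymentServer(single_use=False)))
    print("single-use token: ", deliver_twice(PaymentServer(single_use=True)))
```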