Re: MITM and proxy messages [was: Call for Adoption: draft-song-dns-wireformat-http]

On 8/08/2016 5:50 a.m., Kari hurtta wrote:
> https://lists.w3.org/Archives/Public/ietf-http-wg/2016JulSep/0390.html
> 
>> configured proxies are not the bug; why not just simply use plain HTML?
>>
>> your sample should then just be this simple:
>>
>> HTTP/1.1 403 Forbidden
>> Content-Type: text/html
>> Cache-Control: no-cache
>>
>> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>> <HTML>
> 
> Major browsers do not show this when they get
> that on response of CONNECT -request.
> 
> Bug 637619 - Display better error messages when HTTPS proxy servers return non-200 error codes
> https://bugzilla.mozilla.org/show_bug.cgi?id=637619
> 

The more relevant and core issue here is #479880 (aka CVE-2009-1835).

Adam's quick solution:
 <https://bugzilla.mozilla.org/show_bug.cgi?id=479880#c2>


Henrik's solution:
 <https://bugzilla.mozilla.org/show_bug.cgi?id=479880#c75>


So would anyone authoring a browser care to explain why Adam's quick-fix
is still being used today by all browsers and Henrik's solution is
discarded out of hand on grounds of being "unsafe"? For values of
"unsafe" which under close inspection turn out to be straw-man arguments
about this CVE existing when _neither_ solution is used.

If you notice, the logic in comment #8 of that bug will also mean that
*any* payload on any type of response will be discarded on CONNECT. That
includes the Draft's proposed JSON message body.

Amos

Received on Monday, 8 August 2016 19:34:30 UTC