
Re: Attack research on HTTP/2 implementations

From: Eric J Bowman <mellowmutt@zoho.com>
Date: Fri, 06 Aug 2021 00:09:27 -0700
To: "Toerless Eckert" <tte@cs.fau.de>
Cc: "Martin Thomson" <mt@lowentropy.net>, "ietf-http-wg" <ietf-http-wg@w3.org>
Message-Id: <17b1a4b9882.b7b5331c13901.7754520385370436499@zoho.com>
---- On Thu, 05 Aug 2021 19:31:01 -0700 Toerless Eckert <tte@cs.fau.de> wrote ----

> IMHO, there is a limit in how far even the best pure specification
> of DO/DON'Ts can go in creating perfect code. When developers
> would be able to more easily read "how to build exploits against bad implementations"
> before starting their implementation, I am sure that would go further
> in creating better implementations than the best spec alone.

After a decade-long gap in webserver coding, I was almost overwhelmed catching up with all the new exploits I'd neither considered nor heard of before. But that's exactly what's delayed my hobby webserver project, and why I'd like to see an HTTP spec that isn't bound to any underlying stack, accompanied by a BCP for input validation/sanitization.

My solution is a very HTTP-like protocol bound to SCTP, in a server that switches requests based on file permissions. I call it Montage (MONT) protocol; it's back-end -- CDN nodes (if I build my own, lol) take any HTTP request and convert it to MONT -- and a MONT browser would need another layer on the stack (UDP-SCTP) to get around the port 80/443 problem, but I don't care. The HTTP "DELETE" method is "DE" in MONT, chmod'ing an existing resource to 0000 -- it responds 202 followed by 410. Files set to 0000 only accept (if permitted and authenticated) LN (link, or maybe REstore) with 205, or RP (replace, aka PUT) with 201, followed by 200 OK. 0444 for robots.txt, 0555 for dynamic content, 0666 for .js / .css / .jpg and whatnot.

So the file permissions assigned to any URI (or URI pattern) dictate available methods, in conjunction with authentication. To guide me, I've taken a cleaver to obsolete aspects of HTTP and a scalpel to its bindings and stitched up something useful, at least to myself. Kind of a mishmash of HTTP, what little I can discern about Waka, a touch of FTP, WebDAV, Gopher and Veronica, and extensive perusal of open-source httpd communication methods to create a monster that's impervious to downgrade, injection, and smuggling attacks *by design*.

Montage is no snowflake. It's 90% cribbed from HTTP 1.1. I think the problems have more to do with implementations than protocol specs. I'm just changing the bindings from TCP/SPDY/QUIC to SCTP for back-end communication, it would be nice to have a "generic" HTTP that gives said approach its blessing. Versatile nonetheless, given the inherent nature of the Web (as defined by REST).

Received on Friday, 6 August 2021 07:09:58 UTC
