Re: [Masque] HTTP Upgrade Request Smuggling Draft

Hi Ben, and thanks for writing this up.

Your draft contains three normative statements:

1) Clients MUST NOT send connect-udp data optimistically in HTTP versions <
2.

-- This solves the security issue that this document describes and is a
good improvement to RFC 9298.

2) HTTP/1.1 clients MAY reuse connections if the Upgrade header is missing
from a failure response.

-- This is a premature performance optimization that is specific to
HTTP/1.1 so I would remove it. It could lead to security issues down the
road and I'm not aware of any need for such an optimization. Deployments
that care about performance use HTTP/2 or 3.

3) Future specs MUST think about this.

-- This is fine. Requirements on future specifications are always weak
because such specifications can always update this document to work around
them, but telling authors to think about this is useful.

David


On Mon, Aug 21, 2023 at 12:53 PM Ben Schwartz <bemasc=
40meta.com@dmarc.ietf.org> wrote:

> Hi HTTPBIS + MASQUE,
>
> In HTTPBIS at IETF 117, I mentioned some issues related to "optimistic"
> use of HTTP Upgrade and a theoretical Request Smuggling issue with
> connect-udp in HTTP/1.1.  Several commenters suggested that I write a
> separate draft on that topic, which I've now done:
>
> Security Considerations for Optimistic Use of HTTP Upgrade
>
> https://datatracker.ietf.org/doc/html/draft-schwartz-httpbis-optimistic-upgrade-00
>
> Abstract: "The HTTP/1.1 Upgrade mechanism allows the client to request a
> change to a new protocol. This document discusses the security
> considerations that apply to data sent by the client before this request is
> confirmed, and updates RFC 9298 to avoid related security issues."
>
> Please review.
>
> --Ben Schwartz
> --
> Masque mailing list
> Masque@ietf.org
> https://www.ietf.org/mailman/listinfo/masque
>