Orie Steele's No Objection on draft-ietf-httpbis-optimistic-upgrade-05: (with COMMENT)

Orie Steele has entered the following ballot position for
draft-ietf-httpbis-optimistic-upgrade-05: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-httpbis-optimistic-upgrade/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

### Guidance for HTTP CONNECT

```
   At the time of writing, some proxy clients are believed to be
   vulnerable as described.  As a mitigation, proxy servers MUST close
   the underlying connection when rejecting a CONNECT request, without
   processing any further requests on that connection, unless the client
   is known to wait for a 2xx (Successful) response before forwarding
   TCP payload data.  This requirement applies whether or not the
   request includes a "close" connection option.

   Note that this mitigation will frequently impair the performance of
   correctly implemented clients, especially when returning a 407 (Proxy
   Authentication Required) response.  This performance loss can be
   avoided by using HTTP/2 or HTTP/3, which are not vulnerable to this
   attack.
```

I'm struggling with the phrasing of this.

I'd try to reduce the optionality here, perhaps something like:

```
   As a mitigation, proxy servers MUST close
   the underlying connection when rejecting a CONNECT request, without
   processing any further requests on that connection, unless the client
   is known to wait for a 2xx (Successful) response before forwarding
   TCP payload data.

   At the time of writing, some proxy clients are believed to be
   vulnerable unless this mitigation is provided.

   This mitigation impairs performance, and HTTP/2 or HTTP/3 should be used instead when possible.
```

Received on Tuesday, 16 September 2025 21:18:39 UTC
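The proxy-side mitigation quoted above (close the underlying connection when rejecting a CONNECT, unless the client is known to wait for a 2xx), modelled as an added example that is not from the draft, the HTTP working group, or this ballot comment. The always-407 policy, the function names and the sample byte stream are constructed for illustration; the point it shows is that bytes a client forwarded optimistically after its CONNECT must never reach the request parser once the CONNECT has been rejected.

```python
# Added example (not text from the draft or from this ballot comment): a toy
# model of the proxy-side mitigation for rejected CONNECT requests. The 407
# policy, the names and the sample stream below are all constructed.

from dataclasses import dataclass, field
from typing import List


@dataclass
class ProxyOutcome:
    responses: List[bytes] = field(default_factory=list)   # status lines sent
    processed: List[bytes] = field(default_factory=list)   # request lines acted on
    closed: bool = False                                   # connection torn down


def split_heads(buf: bytes) -> List[bytes]:
    """Split a raw byte stream into request heads at CRLFCRLF boundaries.
    Bodies are ignored; that is enough to model CONNECT and bodiless requests."""
    return [h for h in buf.split(b"\r\n\r\n") if h]


def request_line(head: bytes) -> bytes:
    return head.split(b"\r\n", 1)[0]


def handle_stream(buf: bytes, *, mitigated: bool,
                  client_waits_for_2xx: bool = False) -> ProxyOutcome:
    """Walk the buffered bytes the way a proxy's request loop would.

    Every CONNECT is rejected with 407 in this toy (a constructed policy).
    With mitigated=True the proxy closes the connection on rejection unless
    the client is known to wait for a 2xx before forwarding TCP payload, so
    any optimistically forwarded bytes are never parsed as further requests.
    """
    out = ProxyOutcome()
    for head in split_heads(buf):
        if out.closed:
            break                      # bytes after the close are discarded
        line = request_line(head)
        if line.startswith(b"CONNECT "):
            out.responses.append(b"HTTP/1.1 407 Proxy Authentication Required")
            if mitigated and not client_waits_for_2xx:
                out.closed = True
        else:
            # Without the mitigation this is where optimistically forwarded
            # payload is treated as a new request on the same connection.
            out.processed.append(line)
    return out


# Constructed sample: a CONNECT followed immediately by bytes the client
# forwarded before reading the response (the optimistic pattern).
OPTIMISTIC_STREAM = (
    b"CONNECT example.test:443 HTTP/1.1\r\n"
    b"Host: example.test:443\r\n\r\n"
    b"GET /status HTTP/1.1\r\n"        # forwarded payload, not meant for the proxy
    b"Host: example.test\r\n\r\n"
)

if __name__ == "__main__":
    print("unmitigated:      ", handle_stream(OPTIMISTIC_STREAM, mitigated=False))
    print("mitigated:        ", handle_stream(OPTIMISTIC_STREAM, mitigated=True))
    print("known-safe client:", handle_stream(OPTIMISTIC_STREAM, mitigated=True,
                                               client_waits_for_2xx=True))
```

Running it shows the unmitigated loop acting on the forwarded `GET` as if it were a second proxy request, while the mitigated loop sends the 407 and stops. The `client_waits_for_2xx` branch keeps the connection open, matching the draft's exception: a client known to wait for a 2xx would not have put payload on the wire in the first place, which is also why the draft notes the performance cost falls on correctly implemented clients.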