- From: Erik Nygren <nygren@gmail.com>
- Date: Sun, 19 Oct 2025 12:18:02 -0400
- To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
- Message-ID: <CAKC-DJiFM2i89siYYcpQzszw5etriYd8NiO8cKdP3=jsBkRJAw@mail.gmail.com>
I've submitted a new -00 draft for draft-nygren-httpbis-http11-request-binding:

HTTP/1.1 Message Binding adds new hop-by-hop header fields that are cryptographically bound to requests and responses. The keys used are negotiated out-of-band from the HTTP datastream (such as via TLS Exporters). These header fields allow endpoints to detect and mitigate desynchronization attacks, such as HTTP Request Smuggling, that exist due to datastream handling differences.

While it would be great if the entire world could switch to HTTP/2 and HTTP/3, that just isn't feasible as there are legacy HTTP/1.1 clients that need to be supported, as well as a large ecosystem of HTTP/1.1 Intermediaries and Origin Servers. This proposal provides a hop-by-hop defense mechanism that allows endpoints to defend HTTP/1.1 traffic against Request Smuggling attacks without fundamentally changing the HTTP/1.1 protocol, and in a way which can hopefully drop-in to auto-negotiate and "just work" to provide defenses.

There are still quite a few different directions we could take the design, as discussed briefly in the draft, as well as some open issues around how particular details get implemented.

Note that this is focused on H1. While H2 and H3 have stream IDs and other ways to convey information out-of-band, H1 lacks those. You can see this as a way of getting stream ID equivalents into H1 in a protected but minimally invasive manner.

I'm looking forward to discussing this in Montreal in two weeks to see if this is something that other implementers (especially of Intermediaries and Origin Servers) would be interested in. I'd also be thrilled to add in one or more co-authors, as this adds the most value if it is implemented and deployed by as many vendors and open source projects as possible.
Best,
Erik

[try #3 at sending to the list, this time with a different email address]

---------- Forwarded message ---------
From: <internet-drafts@ietf.org>
Date: Thu, Oct 16, 2025 at 6:23 PM
Subject: New Version Notification for draft-nygren-httpbis-http11-request-binding-00.txt
To: Erik Nygren <erik+ietf@nygren.org>, Mike Bishop <mbishop@evequefou.be>

A new version of Internet-Draft draft-nygren-httpbis-http11-request-binding-00.txt has been successfully submitted by Erik Nygren and posted to the IETF repository.

Name: draft-nygren-httpbis-http11-request-binding
Revision: 00
Title: HTTP/1.1 Request Smuggling Defense using Cryptographic Message Binding
Date: 2025-10-16
Group: Individual Submission
Pages: 15
URL: https://www.ietf.org/archive/id/draft-nygren-httpbis-http11-request-binding-00.txt
Status: https://datatracker.ietf.org/doc/draft-nygren-httpbis-http11-request-binding/
HTML: https://www.ietf.org/archive/id/draft-nygren-httpbis-http11-request-binding-00.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-nygren-httpbis-http11-request-binding

Abstract:

HTTP/1.1 Message Binding adds new hop-by-hop header fields that are cryptographically bound to requests and responses. The keys used are negotiated out-of-band from the HTTP datastream (such as via TLS Exporters). These header fields allow endpoints to detect and mitigate desynchronization attacks, such as HTTP Request Smuggling, that exist due to datastream handling differences.

The IETF Secretariat
Received on Monday, 20 October 2025 07:45:15 UTC
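An added illustration of the mechanism the announcement describes (example code, not the draft's or the author's): a per-hop key derived outside the HTTP stream authenticates a header bound to each request's ordinal on the connection and its request line, so a receiver whose framing diverges from the sender's sees requests that fail verification. The header name, exporter label and choice of bound fields are assumptions made here; a real deployment would take the key from a TLS exporter rather than the stand-in below.

```python
import hashlib
import hmac

# Header name, exporter label and bound fields are assumptions for this example,
# not the draft's format.
BINDING_HEADER = "X-Message-Binding"

def derive_binding_key(exporter_secret: bytes) -> bytes:
    """Stand-in for a TLS exporter: a key scoped to one connection, never sent in-band."""
    return hmac.new(exporter_secret, b"EXPORTER-h1-binding-example", hashlib.sha256).digest()

def binding_tag(key: bytes, seq: int, request_line: str) -> str:
    """MAC over the request's ordinal on the connection and its request line."""
    data = seq.to_bytes(8, "big") + request_line.encode("ascii")
    return f"{seq}:{hmac.new(key, data, hashlib.sha256).hexdigest()}"

def bind_request(key: bytes, seq: int, request: str) -> str:
    """Sender side: add the binding header right after the request line."""
    request_line, _, rest = request.partition("\r\n")
    return f"{request_line}\r\n{BINDING_HEADER}: {binding_tag(key, seq, request_line)}\r\n{rest}"

def verify_stream(key: bytes, requests: list[str]) -> list[tuple[str, bool]]:
    """Receiver side: recompute the tag for each request as this hop framed it.
    A request the sender never bound, or one sitting at a different ordinal
    than the sender gave it, fails verification and can be rejected."""
    results = []
    for seq, req in enumerate(requests):
        request_line, *headers = req.split("\r\n")
        tag = next((h.split(":", 1)[1].strip() for h in headers
                    if h.lower().startswith(BINDING_HEADER.lower() + ":")), None)
        ok = tag is not None and hmac.compare_digest(tag, binding_tag(key, seq, request_line))
        results.append((request_line, ok))
    return results

def demo() -> list[tuple[str, bool]]:
    key = derive_binding_key(b"constructed exporter secret")
    sent = [bind_request(key, i, r) for i, r in enumerate([
        "GET /index.html HTTP/1.1\r\nHost: example.test\r\n",
        "GET /about HTTP/1.1\r\nHost: example.test\r\n"])]
    # Constructed receiver view: this hop's framing produced an extra request
    # between the two that were sent, so the extra one carries no binding and
    # the original second request now sits at ordinal 2 instead of 1.
    received = [sent[0], "GET /unexpected HTTP/1.1\r\nHost: example.test\r\n", sent[1]]
    return verify_stream(key, received)

if __name__ == "__main__":
    for line, ok in demo():
        print(f"{'accept' if ok else 'reject'}: {line}")
```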