Re: HTTP/1.1 Request Smuggling Defense using Cryptographic Message Binding (new draft) from Ben Schwartz on 2025-10-22 (ietf-http-wg@w3.org from October to December 2025)

From: Ben Schwartz <bemasc@meta.com>
Date: Wed, 22 Oct 2025 17:44:30 +0000
To: Erik Nygren <nygren@gmail.com>
CC: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <DS0PR15MB56748181FB4966FA4C3F31ADB3F3A@DS0PR15MB5674.namprd15.prod.outlook.com>

________________________________
From: Erik Nygren <nygren@gmail.com>
Sent: Wednesday, October 22, 2025 11:34 AM

>> D. Define new header fields to demarcate the header section (e.g. "Begin-Headers: (unpredictable value) ... End-Headers: (same value)").  This could be extended to cross-check the header in various ways (e.g. enumerating the payload length of each header field).

...

> It's also possible that with that we could switch from HMAC-SHA256(key,serial) to something like a keyed PRNG then?

Yes, but I was thinking of just using /dev/urandom.

> For example, don't make the serial explicit but instead have it implicit and use:

> Begin-Headers: Crypto-PRNG(key, serial*2)
> End-Headers: Crypto-PRNG(key, serial*2+1)

Why do they need to be different?  Is there a way for the attacker to see the Begin-Headers field?

> In that case it might also be ok to include some additional unprotected but carefully encoded information on the Begin-Headers line?

Yes, or on End-Headers:

GET /example HTTP/1.1
Begin-Headers: 3141592
Host: example.com
X-Evil-Header: "value\r\nContent-Length:0\r\n\r\nPOST /..."
Content-Length: 100
End-Headers: 3141592, lengths="11,1234,3"

Received on Wednesday, 22 October 2025 17:44:37 UTC