- From: David Benjamin <notifications@github.com>
- Date: Tue, 09 Mar 2021 08:24:14 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/1189/794117095@github.com>
Regarding the table: between [Alt-Svc](https://tools.ietf.org/html/rfc7838) and [SVCB/HTTPS](https://tools.ietf.org/html/draft-ietf-dnsop-svcb-https-02), the bad port list needs to be applied not just at URLs, but also at the endpoint we actually connect to. Otherwise any protocol-confusion attacks can just as easily apply after the redirect. I don't think either feature invalidates the numbers in the original report, since they're fairly rare and, for now, merely alternate routes one can safely ignore. (Though, with [ECH](https://tools.ietf.org/html/draft-ietf-tls-esni-09) in SVCB/HTTP, that will later no longer be the case.) But if the intent is to bound the use of arbitrary ports, which I agree seems prudent given all this mess, that's probably some feedback to the IETF that to stop building unbounded port redirection into everything. (@bemasc @ericorth FYI) The other wrinkle is Alt-Svc and SVCB/HTTP specify not just TCP ports but also UDP ports for QUIC (@DavidSchinazi FYI). Protocols that run on the two ports don't coincide as much, so we may want to treat them differently? (Fortunately, QUIC is a lot less malleable than cleartext HTTP. Unfortunately, it probably still is malleable enough under chosen plaintext scenarios like the web. Fortunately most random protocols are TCP anyway.) -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/1189#issuecomment-794117095
Received on Tuesday, 9 March 2021 16:24:27 UTC