
Using alt-svc on localhost #89

Closed
martinthomson opened this Issue Jul 21, 2015 · 8 comments

@martinthomson
Contributor

martinthomson commented Jul 21, 2015

You can identify an alternative on a different port on localhost trivially and it might be considered authoritative. You probably don't want to accept localhost as a valid alternative for an http://example.com origin.


Contributor

martinthomson commented Jul 21, 2015

See also #73


Contributor

martinthomson commented Jul 21, 2015

1918 space is similarly problematic.


Member

mnot commented Jul 21, 2015

Discussed in Prague; add security considerations / non-normative text that this is another form of privilege escalation, and should be taken into account. (both localhost and special use networks / rfc1918). Need to discuss with webappsec as well as security folks in ietf.


Contributor

enygren commented Jul 21, 2015

Treating rfc1918 as special opens up a can of worms, especially as there is no clear mapping there in the IPv6 world and as other related spaces (rfc6598). We may just generally want to ensure AltSvc can't be used to probe/attack internal hosts behind a firewall regardless of what IP space is present. Due to the async behavior of Alt-Svc and the reliance on cert validation, we may be OK here as long as we don't treat rfc1918 space as special (e.g., as long as we don't relax cert validation requirements there).


Contributor

martinthomson commented Jul 21, 2015

The prohibition on host changes for cleartext http:// should cover this.
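The host-change rule referred to above, written out as an added example (it is not code from this issue, the draft, or any implementation): a small client-side checker that parses an Alt-Svc field value and refuses alternatives that move a cleartext http:// origin to another host, while flagging alternatives that name localhost, RFC 1918 or RFC 6598 space so the certificate requirement for the https case stays visible. The header values and the `evaluate` policy are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

RFC6598 = ipaddress.ip_network("100.64.0.0/10")  # shared address space mentioned in the thread

@dataclass
class Alternative:
    protocol: str
    host: str            # "" means "same host as the origin"
    port: int
    params: dict

def parse_alt_svc(value: str) -> list:
    """Parse an Alt-Svc field value, e.g. h2="alt.example.com:443"; ma=3600, h2=":8000"."""
    alternatives = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry or entry.lower() == "clear":  # "clear" only invalidates cached alternatives
            continue
        head, *param_parts = entry.split(";")
        protocol, _, authority = head.partition("=")
        host, _, port = authority.strip().strip('"').rpartition(":")
        params = {}
        for part in param_parts:
            key, _, val = part.strip().partition("=")
            params[key] = val.strip('"')
        alternatives.append(Alternative(protocol.strip(), host, int(port), params))
    return alternatives

def is_local_or_private(host: str) -> bool:
    """True for localhost and literal loopback, link-local, RFC 1918 or RFC 6598 addresses."""
    if host.lower() == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # a DNS name: what it resolves to is only known at connect time
    return ip.is_loopback or ip.is_link_local or ip.is_private or (ip.version == 4 and ip in RFC6598)

def evaluate(origin: str, alt: Alternative) -> tuple:
    """Constructed client policy: cleartext http:// origins may not change host; everything
    else is usable only once the TLS certificate validates for the origin."""
    parts = urlsplit(origin)
    host_changed = alt.host != "" and alt.host.strip("[]").lower() != (parts.hostname or "").lower()
    if parts.scheme == "http" and host_changed:
        return False, "rejected: host change not permitted for a cleartext http:// origin"
    note = "usable only if the TLS certificate validates for the origin"
    if is_local_or_private(alt.host):
        note += " (alternative points at localhost/private space)"
    return True, note
```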

@sgillies sgillies referenced this issue Jul 21, 2015

Merged

fixing typo #85


Contributor

mcmanus commented Jul 21, 2015

Due to the prohibition on host changes and the async nature of alt-svc, the only issue I can see here is that example.com can probe for things behind the firewall that have the example.com cert :) but maybe I'm missing the concern?


Member

mnot commented Nov 2, 2015

Discussed in Yokohama; we think we can close this with no action.


Member

mnot commented Nov 9, 2015

@reschke please add to the changes section.

@mnot mnot closed this Nov 9, 2015
