posted by janrinok on Friday October 04 2019, @11:04AM
from the if-it-works-leave-it-alone dept.

Submitted via IRC for Bytram

Header aches in Firefox, Tor, Brave and Chrome as HTTP opens new security holes

The HTTP Alternative Services header can be abused to conduct network reconnaissance and attacks, to bypass malware protection services, and to foil tracking defenses and privacy assumptions, according to a paper scheduled to be presented at the WOOT '19 security conference on Tuesday.

Back in March 2016, the Internet Engineering Steering Group approved the HTTP Alternative Services header as a proposed web standard for situations when a web server needs to send a client to another service.

There are a variety of legitimate reasons to do this: a web server may be overloaded with requests, may be undergoing maintenance, or may determine that another server is closer (and thus quicker to respond). As Mark Nottingham, co-chair of the IETF HTTP and QUIC Working Groups, explained at the time, such redirection can be handled by DNS load balancing under short-lived HTTP/1.1 connections.

But DNS load balancing doesn't work as well with HTTP/2, which is designed to maintain a persistent connection.

HTTP Alternative Services was designed as an alternative method to point requests elsewhere. It allows a web server to return a header that specifies another server as the host of its resources, in effect deputizing the stand-in to act as the Origin, the first-party source of content.

"The ability to redirect clients to use another server in a transparent, persistent fashion brings some obvious security concerns," said Nottingham in his post.

A paper titled "Alternative (ab)uses for HTTP Alternative Services," by boffins Trishita Tiwari, who co-authored the paper while at Boston University and is currently a cyber-security PhD student at Cornell University, and Ari Trachtenberg, professor of electrical and computer engineering at Boston University, makes these obvious security concerns more evident.

[...]

Tiwari said that the security implications mentioned in Nottingham's 2016 blog post were incorporated into the Alt-Svc spec.

"The spec does attempt to address these issues, but the mitigations proposed there (i.e., clearing the Alt-Svc cache when the user clears their browser cache) are not strong enough," she said.

"Browser vendors understand this and are now proposing much stronger mitigations like cache isolation (which should, in my opinion, be included in the spec so that it is not at the mercy of individual browser vendors to implement it – user tracking has become a rising issue, and it is high time that these RFCs start requiring cache isolation upfront)."

"The rest of the attacks we show in the paper stem from how the Alt-Svc spec was improperly implemented, so, in a sense, the remaining attacks weren't fundamental design flaws, but rather flaws in the way browser vendors implemented the design," she said.
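To make the header mechanism and the cache-isolation argument concrete, here is an added illustration (not code from the paper, from Nottingham, or from any browser): a parser for the Alt-Svc field value in the syntax of RFC 7838, plus a toy alternative-services cache that can be keyed either by origin alone, as the spec describes, or partitioned by the top-level site the resource was loaded from. The scenario it runs is constructed: a tracker embedded on two unrelated sites hands each visitor a unique alternative authority, and the experiment reports whether the authority assigned on the first site is replayed on the second. The host names (news.example, shop.example, tracker.example) and the per-user authority are assumptions made up for the demo.

```javascript
// Added illustration, not code from the paper or from any browser: a toy
// Alt-Svc cache showing why keying the cache by origin alone lets an embedded
// third party re-identify a visitor across unrelated sites, and why partitioning
// it by top-level site closes that channel. Header syntax follows RFC 7838:
//   Alt-Svc = "clear" / 1#alt-value
//   alt-value = protocol-id "=" <quoted alt-authority> *( ";" parameter )
// Host names and the per-user authority below are constructed for the demo.

// Split on `sep` only outside double quotes, so a ';' or ',' inside a quoted
// alt-authority does not break the value apart.
function splitOutsideQuotes(s, sep) {
  const out = [];
  let cur = '';
  let inQuotes = false;
  for (const ch of s) {
    if (ch === '"') inQuotes = !inQuotes;
    if (ch === sep && !inQuotes) { out.push(cur); cur = ''; } else cur += ch;
  }
  out.push(cur);
  return out;
}

// Parse one Alt-Svc field value. Unknown parameters are ignored and a
// malformed alt-value is skipped instead of rejecting the whole header.
function parseAltSvc(value) {
  const trimmed = value.trim();
  if (trimmed === 'clear') return { clear: true, alternatives: [] };
  const alternatives = [];
  for (const entry of splitOutsideQuotes(trimmed, ',')) {
    const parts = splitOutsideQuotes(entry, ';').map((p) => p.trim()).filter(Boolean);
    if (parts.length === 0) continue;
    const m = /^([!#$%&'*+\-.^_`|~0-9A-Za-z]+)="([^"]*)"$/.exec(parts[0]);
    if (!m) continue;
    // ma (max-age) defaults to 24 hours per RFC 7838; persist=1 asks the client
    // to keep the entry across network changes, which is what makes it durable.
    const alt = { protocolId: m[1], authority: m[2], maxAge: 86400, persist: false };
    for (const param of parts.slice(1)) {
      const [k, v] = param.split('=').map((p) => p.trim());
      if (k === 'ma' && /^\d+$/.test(v)) alt.maxAge = Number(v);
      else if (k === 'persist' && v === '1') alt.persist = true;
    }
    alternatives.push(alt);
  }
  return { clear: false, alternatives };
}

class AltSvcCache {
  // partitioned=false is the origin-keyed cache the spec describes;
  // partitioned=true additionally keys entries by the top-level site.
  constructor({ partitioned }) {
    this.partitioned = partitioned;
    this.entries = new Map();
  }

  key(origin, topLevelSite) {
    return this.partitioned ? `${topLevelSite}|${origin}` : origin;
  }

  // Apply an Alt-Svc header received from `origin` while the user was on
  // `topLevelSite`, at time `now` (seconds). "clear" drops the cached entry.
  store(origin, topLevelSite, headerValue, now) {
    const k = this.key(origin, topLevelSite);
    const parsed = parseAltSvc(headerValue);
    if (parsed.clear || parsed.alternatives.length === 0) { this.entries.delete(k); return; }
    this.entries.set(k, parsed.alternatives.map((a) => ({ ...a, expires: now + a.maxAge })));
  }

  // The alternative the client would connect to for `origin` from
  // `topLevelSite`, or null when nothing usable is cached.
  lookup(origin, topLevelSite, now) {
    const live = (this.entries.get(this.key(origin, topLevelSite)) || [])
      .filter((a) => a.expires > now);
    return live.length ? live[0] : null;
  }

  // The mitigation the spec does require: forget everything when the user
  // clears the browser cache. It resets the identifier but does not stop it
  // from being reassigned on the next visit.
  clearAll() { this.entries.clear(); }
}

// Constructed scenario: tracker.example is embedded on two unrelated sites and
// tags each visitor with a unique alt-authority. Returns the authority the
// client would use on the second site, or null if it connects to the origin.
function trackingExperiment(partitioned) {
  const cache = new AltSvcCache({ partitioned });
  const tracker = 'https://tracker.example';
  cache.store(tracker, 'https://news.example',
    'h2="u7f3a.tracker.example:443"; ma=86400; persist=1', 1000);
  const seen = cache.lookup(tracker, 'https://shop.example', 2000);
  return seen ? seen.authority : null;
}

console.log('origin-keyed cache, seen on second site:', trackingExperiment(false));
console.log('partitioned cache, seen on second site:', trackingExperiment(true));
```

With the origin-keyed cache the second site's lookup returns the same per-user authority that was assigned on the first, so the tracker can link the two visits without cookies; with the partitioned cache the lookup misses and the client connects to the tracker's origin as a fresh visitor. This is the difference between the cache-clearing mitigation the spec already has and the cache isolation Tiwari argues should be required by it.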

  • (Score: 4, Funny) by c0lo (156) on Friday October 04 2019, @12:04PM (#902578) (3 children)

    302 [wikipedia.org] is superseded by 303 [wikipedia.org] and 307 [httpstatuses.com]. Therefore we need a 4th way to perform a redirect, one that's neither superseded nor a superseder.
    You know?... a brand new fresh start; this time, better believe us, we know what we're doing... (errr... ooops)

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
  • (Score: 0) by Anonymous Coward on Friday October 04 2019, @12:09PM (#902579) (1 child)

    The 4th way must be a fresh brew, I suggest 418 [mozilla.org]

    • (Score: 0) by Anonymous Coward on Friday October 04 2019, @01:25PM (#902595)

      Meh, I think that will wait for the reboot.

  • (Score: 0) by Anonymous Coward on Friday October 04 2019, @07:13PM (#902745)

    Status codes vs. headers. Many elements of HTTP can be specified both ways (and sometimes by tags as well). While I do think that it's reasonable to implement redirects with a status code, certain application designs might find it easier to return headers. It's for the convenience of developers, basically.