Re: disallow HTTP 0.9 by default?
I agree with this as well, I haven't had to use 0.9 in over a decade. +1 On Thu, 22 Jul 2021 at 12:03, Roy T. Fielding wrote: > > On Jul 22, 2021, at 12:29 AM, Stefan Eissing < > stefan.eiss...@greenbytes.de> wrote: > >> Am 21.07.2021 um 22:04 schrieb Eric Covener : > >> > >> I was chasing an unrelated thread about close_notify alerts and > >> reminded me -- is it time to change the default for > >> HttpProtocolOptions from Allow0.9 to Require1.0? > >> > >> As the manual says, the requirement was dropped in RFC 7230. It seems > >> like the kind of potential gadget in future desynch/smuggling kind of > >> attacks that shouldn't be on by default today. > >> > >> Any opinions? > > > > +1 > > > > I think the internet is a different place now from when 2.4 came out. > > Yep, we have long past the point where the Internet depends on header > fields > like Host being present to avoid various attacks. +1 > > Roy > >
Re: disallow HTTP 0.9 by default?
> On Jul 22, 2021, at 12:29 AM, Stefan Eissing > wrote: >> Am 21.07.2021 um 22:04 schrieb Eric Covener : >> >> I was chasing an unrelated thread about close_notify alerts and >> reminded me -- is it time to change the default for >> HttpProtocolOptions from Allow0.9 to Require1.0? >> >> As the manual says, the requirement was dropped in RFC 7230. It seems >> like the kind of potential gadget in future desynch/smuggling kind of >> attacks that shouldn't be on by default today. >> >> Any opinions? > > +1 > > I think the internet is a different place now from when 2.4 came out. Yep, we have long past the point where the Internet depends on header fields like Host being present to avoid various attacks. +1 Roy
Re: disallow HTTP 0.9 by default?
I know for a fact that this will bring me some headaches at work with a few F5 "ping" checks, but still, to heck with it! +1 El jue, 22 jul 2021 a las 12:39, Daniel Gruno () escribió: > > On 22/07/2021 10.02, Ruediger Pluem wrote: > > > > > > On 7/21/21 10:04 PM, Eric Covener wrote: > >> I was chasing an unrelated thread about close_notify alerts and > >> reminded me -- is it time to change the default for > >> HttpProtocolOptions from Allow0.9 to Require1.0? > >> > >> As the manual says, the requirement was dropped in RFC 7230. It seems > >> like the kind of potential gadget in future desynch/smuggling kind of > >> attacks that shouldn't be on by default today. > > > > +1 for Require1.0 on 2.4. Typically I would not agree because it can break > > existing applications, but are there really setups out > > there that work with HTTP 0.9? I don't believe so. Hence my +1. > > In which case one can just manually switch back to Allow0.9, right? :) > > +1 for Require1.0 > > > > > Regards > > > > Rüdiger > > > -- Daniel Ferradal HTTPD Project #httpd help at Libera.Chat
Re: disallow HTTP 0.9 by default?
On 22/07/2021 10.02, Ruediger Pluem wrote: On 7/21/21 10:04 PM, Eric Covener wrote: I was chasing an unrelated thread about close_notify alerts and reminded me -- is it time to change the default for HttpProtocolOptions from Allow0.9 to Require1.0? As the manual says, the requirement was dropped in RFC 7230. It seems like the kind of potential gadget in future desynch/smuggling kind of attacks that shouldn't be on by default today. +1 for Require1.0 on 2.4. Typically I would not agree because it can break existing applications, but are there really setups out there that work with HTTP 0.9? I don't believe so. Hence my +1. In which case one can just manually switch back to Allow0.9, right? :) +1 for Require1.0 Regards Rüdiger
Re: disallow HTTP 0.9 by default?
On Wed, Jul 21, 2021 at 04:04:13PM -0400, Eric Covener wrote: > I was chasing an unrelated thread about close_notify alerts and > reminded me -- is it time to change the default for > HttpProtocolOptions from Allow0.9 to Require1.0? > > As the manual says, the requirement was dropped in RFC 7230. It seems > like the kind of potential gadget in future desynch/smuggling kind of > attacks that shouldn't be on by default today. > > Any opinions? +1 here too. Regards, Joe
Re: disallow HTTP 0.9 by default?
On Wed, Jul 21, 2021 at 10:04 PM Eric Covener wrote: > > I was chasing an unrelated thread about close_notify alerts and > reminded me -- is it time to change the default for > HttpProtocolOptions from Allow0.9 to Require1.0? > > As the manual says, the requirement was dropped in RFC 7230. It seems > like the kind of potential gadget in future desynch/smuggling kind of > attacks that shouldn't be on by default today. > > Any opinions? +1
Re: disallow HTTP 0.9 by default?
On 7/21/21 10:04 PM, Eric Covener wrote: > I was chasing an unrelated thread about close_notify alerts and > reminded me -- is it time to change the default for > HttpProtocolOptions from Allow0.9 to Require1.0? > > As the manual says, the requirement was dropped in RFC 7230. It seems > like the kind of potential gadget in future desynch/smuggling kind of > attacks that shouldn't be on by default today. > +1, httpd 0.9 is old enough and it's time to deprecate it. Giovanni OpenPGP_signature Description: OpenPGP digital signature
Re: disallow HTTP 0.9 by default?
On Thu, Jul 22, 2021 at 10:02 AM Ruediger Pluem wrote: > > On 7/21/21 10:04 PM, Eric Covener wrote: > > I was chasing an unrelated thread about close_notify alerts and > > reminded me -- is it time to change the default for > > HttpProtocolOptions from Allow0.9 to Require1.0? > > > > As the manual says, the requirement was dropped in RFC 7230. It seems > > like the kind of potential gadget in future desynch/smuggling kind of > > attacks that shouldn't be on by default today. > > +1 for Require1.0 on 2.4. Typically I would not agree because it can break > existing applications, but are there really setups out > there that work with HTTP 0.9? I don't believe so. Hence my +1. Same, +1. Cheers; Yann.
Re: disallow HTTP 0.9 by default?
On 7/21/21 10:04 PM, Eric Covener wrote: > I was chasing an unrelated thread about close_notify alerts and > reminded me -- is it time to change the default for > HttpProtocolOptions from Allow0.9 to Require1.0? > > As the manual says, the requirement was dropped in RFC 7230. It seems > like the kind of potential gadget in future desynch/smuggling kind of > attacks that shouldn't be on by default today. +1 for Require1.0 on 2.4. Typically I would not agree because it can break existing applications, but are there really setups out there that work with HTTP 0.9? I don't believe so. Hence my +1. Regards Rüdiger
Re: disallow HTTP 0.9 by default?
> Am 21.07.2021 um 22:04 schrieb Eric Covener : > > I was chasing an unrelated thread about close_notify alerts and > reminded me -- is it time to change the default for > HttpProtocolOptions from Allow0.9 to Require1.0? > > As the manual says, the requirement was dropped in RFC 7230. It seems > like the kind of potential gadget in future desynch/smuggling kind of > attacks that shouldn't be on by default today. > > Any opinions? +1 I think the internet is a different place now from when 2.4 came out. - Stefan
disallow HTTP 0.9 by default?
I was chasing an unrelated thread about close_notify alerts and reminded me -- is it time to change the default for HttpProtocolOptions from Allow0.9 to Require1.0? As the manual says, the requirement was dropped in RFC 7230. It seems like the kind of potential gadget in future desynch/smuggling kind of attacks that shouldn't be on by default today. Any opinions? -- Eric Covener cove...@gmail.com
