fre 2014-07-25 klockan 19:05 +0300 skrev Eliezer Croitoru:

> The response to alex question why would anybody want to drop 
> "cteonnt-length:" header:
> Some places do not allow cookies or POST for external services and it's 
> sometimes can looks weird but I still understand why would it be 
> considered a security hole by some minds.

Dropping mangled connection-length header is not about security. It's no
more than a garbage header carrying no meaning other than an distant
echo of it's original form. It is transformed in this manner to avoid
being read as connection-length while doing a minimal lightweight
rewrite of the TCP/IP payload.

Bandwidth saving from dropping this header will be close to
unmeasurable.

Security impact likewise.

But sure, if you have a whitelist policy of only allowing what is
explicitly allowed then it would be dropped by the catch-all DROP
policy. But no hardwiring in our code is needed for that.

The discussion about mangled Connection header may be more interesting,
but only if there is bugs in the software that mangled the Connection 
header leaving what was intended as hop-by-hop headers unmangled. But I
don't see much of a point of worrying about that until there is
indication that there is problems caused by such headers.

>From the referenced discussion it's quite clear this rewrite practice is
limited to one cache appliance vendor. It is not likely to be
implemented by others.

Regards
Henrik

Reply via email to