
disallow HTTP 0.9 by default?
I was chasing an unrelated thread about close_notify alerts and it
reminded me -- is it time to change the default for
HttpProtocolOptions from Allow0.9 to Require1.0?

As the manual says, the requirement was dropped in RFC 7230. It seems
like the kind of potential gadget in future desynch/smuggling kind of
attacks that shouldn't be on by default today.

Any opinions?

--
Eric Covener
covener@gmail.com
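Added example, not httpd's code and not posted by anyone in this thread: a small Python classifier that makes concrete what the Allow0.9 / Require1.0 choice decides on. It parses a request line per the RFC 7230 section 3.1.1 grammar, treats a two-token `GET <target>` line as the RFC 1945 HTTP/0.9 Simple-Request, and gates it on a policy string that mirrors the two HttpProtocolOptions values. The follow-on Host check is the RFC 7230 section 5.4 rule for HTTP/1.1 and shows why an accepted 0.9 request never reaches any header-based control. The sample requests are constructed, and the status codes and reason strings are this example's own, not httpd's.

```python
"""Toy request-line classifier for the Allow0.9 vs Require1.0 decision.

Example code, not httpd's parser. Grammar: RFC 7230 section 3.1.1 for the
request-line, RFC 1945 section 4.1 for the HTTP/0.9 Simple-Request,
RFC 7230 section 5.4 for the HTTP/1.1 Host requirement.
"""
import re

# Names mirror the two HttpProtocolOptions values discussed in the thread.
ALLOW_0_9 = "Allow0.9"
REQUIRE_1_0 = "Require1.0"

# tchar from RFC 7230 section 3.2.6; HTTP-version is "HTTP/" DIGIT "." DIGIT.
_METHOD_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_VERSION_RE = re.compile(r"^HTTP/(\d)\.(\d)$")


def parse_request_line(line, policy=REQUIRE_1_0):
    """Classify one request line under the given policy.

    Returns a dict: 'status' is 200 (accept for further processing) or 400
    (reject), 'version' is a (major, minor) tuple or None, 'reason' says why.
    The codes and reason strings are this example's own.
    """
    line = line.rstrip("\r\n")
    parts = line.split(" ")  # RFC 7230: tokens separated by a single SP
    if len(parts) == 3 and _METHOD_RE.match(parts[0]) and parts[1]:
        m = _VERSION_RE.match(parts[2])
        if not m:
            return {"status": 400, "version": None, "reason": "malformed HTTP-version"}
        version = (int(m.group(1)), int(m.group(2)))
        if version < (1, 0) and policy != ALLOW_0_9:
            return {"status": 400, "version": version,
                    "reason": "HTTP-version below 1.0 rejected by Require1.0"}
        return {"status": 200, "version": version, "reason": "ok",
                "method": parts[0], "target": parts[1]}
    if len(parts) == 2 and parts[0] == "GET" and parts[1]:
        # RFC 1945 Simple-Request: "GET" SP Request-URI CRLF. No version token,
        # and no header section follows: the whole request is this one line.
        if policy == ALLOW_0_9:
            return {"status": 200, "version": (0, 9), "reason": "HTTP/0.9 simple request",
                    "method": "GET", "target": parts[1]}
        return {"status": 400, "version": (0, 9), "reason": "HTTP/0.9 rejected by Require1.0"}
    return {"status": 400, "version": None, "reason": "malformed request-line"}


def check_request(raw, policy=REQUIRE_1_0):
    """Run the request-line policy, then the Host rule, over a raw request head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    result = parse_request_line(lines[0], policy)
    if result["status"] != 200:
        return result
    if result["version"] == (0, 9):
        # Nothing after an HTTP/0.9 request line is a header field, so any
        # control keyed on a header (Host, authentication, ...) has nothing to see.
        result["host"] = None
        return result
    hosts = [l.split(":", 1)[1].strip() for l in lines[1:] if l.lower().startswith("host:")]
    if result["version"] >= (1, 1) and len(hosts) != 1:
        return {"status": 400, "version": result["version"],
                "reason": "HTTP/1.1 requires exactly one Host field"}
    result["host"] = hosts[0] if hosts else None
    return result


# Constructed sample requests, not captured traffic.
SAMPLES = {
    "simple_0_9": "GET /index.html\r\n",
    "h10_no_host": "GET /index.html HTTP/1.0\r\n\r\n",
    "h11_host": "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "h11_no_host": "GET /index.html HTTP/1.1\r\n\r\n",
    "bare_get": "GET\r\n",
}

if __name__ == "__main__":
    for policy in (ALLOW_0_9, REQUIRE_1_0):
        print(f"== HttpProtocolOptions {policy}")
        for name, raw in SAMPLES.items():
            r = check_request(raw, policy)
            print(f"{name:12} -> {r['status']} {r['reason']} (version={r['version']})")
```

Running it under both policies shows the only input whose fate changes is the version-less `GET /index.html` line: Allow0.9 admits it with no headers to inspect, Require1.0 turns it into a 400 before any later stage runs.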

Re: disallow HTTP 0.9 by default?
> On 21.07.2021 at 22:04, Eric Covener <covener@gmail.com> wrote:
>
> I was chasing an unrelated thread about close_notify alerts and it
> reminded me -- is it time to change the default for
> HttpProtocolOptions from Allow0.9 to Require1.0?
>
> As the manual says, the requirement was dropped in RFC 7230. It seems
> like the kind of potential gadget in future desynch/smuggling kind of
> attacks that shouldn't be on by default today.
>
> Any opinions?

+1

I think the internet is a different place now from when 2.4 came out.

- Stefan

Re: disallow HTTP 0.9 by default?
On 7/21/21 10:04 PM, Eric Covener wrote:
> I was chasing an unrelated thread about close_notify alerts and it
> reminded me -- is it time to change the default for
> HttpProtocolOptions from Allow0.9 to Require1.0?
>
> As the manual says, the requirement was dropped in RFC 7230. It seems
> like the kind of potential gadget in future desynch/smuggling kind of
> attacks that shouldn't be on by default today.

+1 for Require1.0 on 2.4. Typically I would not agree because it can break existing applications, but are there really setups out
there that work with HTTP 0.9? I don't believe so. Hence my +1.

Regards

Rüdiger

Re: disallow HTTP 0.9 by default?
On Thu, Jul 22, 2021 at 10:02 AM Ruediger Pluem <rpluem@apache.org> wrote:
>
> On 7/21/21 10:04 PM, Eric Covener wrote:
> > I was chasing an unrelated thread about close_notify alerts and it
> > reminded me -- is it time to change the default for
> > HttpProtocolOptions from Allow0.9 to Require1.0?
> >
> > As the manual says, the requirement was dropped in RFC 7230. It seems
> > like the kind of potential gadget in future desynch/smuggling kind of
> > attacks that shouldn't be on by default today.
>
> +1 for Require1.0 on 2.4. Typically I would not agree because it can break existing applications, but are there really setups out
> there that work with HTTP 0.9? I don't believe so. Hence my +1.

Same, +1.

Cheers;
Yann.

Re: disallow HTTP 0.9 by default?
On 7/21/21 10:04 PM, Eric Covener wrote:
> I was chasing an unrelated thread about close_notify alerts and it
> reminded me -- is it time to change the default for
> HttpProtocolOptions from Allow0.9 to Require1.0?
>
> As the manual says, the requirement was dropped in RFC 7230. It seems
> like the kind of potential gadget in future desynch/smuggling kind of
> attacks that shouldn't be on by default today.
>
+1, HTTP 0.9 is old enough and it's time to deprecate it.

Giovanni

Re: disallow HTTP 0.9 by default?
On Wed, Jul 21, 2021 at 10:04 PM Eric Covener <covener@gmail.com> wrote:
>
> I was chasing an unrelated thread about close_notify alerts and it
> reminded me -- is it time to change the default for
> HttpProtocolOptions from Allow0.9 to Require1.0?
>
> As the manual says, the requirement was dropped in RFC 7230. It seems
> like the kind of potential gadget in future desynch/smuggling kind of
> attacks that shouldn't be on by default today.
>
> Any opinions?

+1

Re: disallow HTTP 0.9 by default?
On Wed, Jul 21, 2021 at 04:04:13PM -0400, Eric Covener wrote:
> I was chasing an unrelated thread about close_notify alerts and it
> reminded me -- is it time to change the default for
> HttpProtocolOptions from Allow0.9 to Require1.0?
>
> As the manual says, the requirement was dropped in RFC 7230. It seems
> like the kind of potential gadget in future desynch/smuggling kind of
> attacks that shouldn't be on by default today.
>
> Any opinions?

+1 here too.

Regards, Joe

Re: disallow HTTP 0.9 by default?
On 22/07/2021 10.02, Ruediger Pluem wrote:
>
>
> On 7/21/21 10:04 PM, Eric Covener wrote:
>> I was chasing an unrelated thread about close_notify alerts and it
>> reminded me -- is it time to change the default for
>> HttpProtocolOptions from Allow0.9 to Require1.0?
>>
>> As the manual says, the requirement was dropped in RFC 7230. It seems
>> like the kind of potential gadget in future desynch/smuggling kind of
>> attacks that shouldn't be on by default today.
>
> +1 for Require1.0 on 2.4. Typically I would not agree because it can break existing applications, but are there really setups out
> there that work with HTTP 0.9? I don't believe so. Hence my +1.

In which case one can just manually switch back to Allow0.9, right? :)

+1 for Require1.0

>
> Regards
>
> Rüdiger
>

Re: disallow HTTP 0.9 by default?
I know for a fact that this will bring me some headaches at work with
a few F5 "ping" checks, but still, to heck with it!

+1

On Thu, 22 Jul 2021 at 12:39, Daniel Gruno (<humbedooh@apache.org>) wrote:
>
> On 22/07/2021 10.02, Ruediger Pluem wrote:
> >
> >
> > On 7/21/21 10:04 PM, Eric Covener wrote:
> >> I was chasing an unrelated thread about close_notify alerts and it
> >> reminded me -- is it time to change the default for
> >> HttpProtocolOptions from Allow0.9 to Require1.0?
> >>
> >> As the manual says, the requirement was dropped in RFC 7230. It seems
> >> like the kind of potential gadget in future desynch/smuggling kind of
> >> attacks that shouldn't be on by default today.
> >
> > +1 for Require1.0 on 2.4. Typically I would not agree because it can break existing applications, but are there really setups out
> > there that work with HTTP 0.9? I don't believe so. Hence my +1.
>
> In which case one can just manually switch back to Allow0.9, right? :)
>
> +1 for Require1.0
>
> >
> > Regards
> >
> > Rüdiger
> >
>


--
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat

Re: disallow HTTP 0.9 by default?
> On Jul 22, 2021, at 12:29 AM, Stefan Eissing <stefan.eissing@greenbytes.de> wrote:
>> On 21.07.2021 at 22:04, Eric Covener <covener@gmail.com> wrote:
>>
>> I was chasing an unrelated thread about close_notify alerts and it
>> reminded me -- is it time to change the default for
>> HttpProtocolOptions from Allow0.9 to Require1.0?
>>
>> As the manual says, the requirement was dropped in RFC 7230. It seems
>> like the kind of potential gadget in future desynch/smuggling kind of
>> attacks that shouldn't be on by default today.
>>
>> Any opinions?
>
> +1
>
> I think the internet is a different place now from when 2.4 came out.

Yep, we have long passed the point where the Internet depends on header fields
like Host being present to avoid various attacks. +1

....Roy

Re: disallow HTTP 0.9 by default?
I agree with this as well, I haven't had to use 0.9 in over a decade.

+1

On Thu, 22 Jul 2021 at 12:03, Roy T. Fielding <fielding@gbiv.com> wrote:

> > On Jul 22, 2021, at 12:29 AM, Stefan Eissing <stefan.eissing@greenbytes.de> wrote:
> >> On 21.07.2021 at 22:04, Eric Covener <covener@gmail.com> wrote:
> >>
> >> I was chasing an unrelated thread about close_notify alerts and it
> >> reminded me -- is it time to change the default for
> >> HttpProtocolOptions from Allow0.9 to Require1.0?
> >>
> >> As the manual says, the requirement was dropped in RFC 7230. It seems
> >> like the kind of potential gadget in future desynch/smuggling kind of
> >> attacks that shouldn't be on by default today.
> >>
> >> Any opinions?
> >
> > +1
> >
> > I think the internet is a different place now from when 2.4 came out.
>
> Yep, we have long passed the point where the Internet depends on header
> fields like Host being present to avoid various attacks. +1
>
> ....Roy
>
>