Re: disallow HTTP 0.9 by default?

2021-07-22 Thread Frank Gingras
I agree with this as well; I haven't had to use 0.9 in over a decade.

+1

On Thu, 22 Jul 2021 at 12:03, Roy T. Fielding  wrote:

> > On Jul 22, 2021, at 12:29 AM, Stefan Eissing <stefan.eiss...@greenbytes.de> wrote:
> >> On 21.07.2021 at 22:04, Eric Covener wrote:
> >>
> >> I was chasing an unrelated thread about close_notify alerts and
> >> reminded me -- is it time to change the default for
> >> HttpProtocolOptions from Allow0.9 to Require1.0?
> >>
> >> As the manual says, the requirement was dropped in RFC 7230. It seems
> >> like the kind of potential gadget in future desynch/smuggling kind of
> >> attacks that shouldn't be on by default today.
> >>
> >> Any opinions?
> >
> > +1
> >
> > I think the internet is a different place now from when 2.4 came out.
>
> Yep, we have long passed the point where the Internet depends on header
> fields like Host being present to avoid various attacks. +1
>
> Roy
>
>


Re: disallow HTTP 0.9 by default?

2021-07-22 Thread Roy T. Fielding
> On Jul 22, 2021, at 12:29 AM, Stefan Eissing  
> wrote:
>> On 21.07.2021 at 22:04, Eric Covener wrote:
>> 
>> I was chasing an unrelated thread about close_notify alerts and
>> reminded me -- is it time to change the default for
>> HttpProtocolOptions from Allow0.9 to Require1.0?
>> 
>> As the manual says, the requirement was dropped in RFC 7230. It seems
>> like the kind of potential gadget in future desynch/smuggling kind of
>> attacks that shouldn't be on by default today.
>> 
>> Any opinions?
> 
> +1
> 
> I think the internet is a different place now from when 2.4 came out.

Yep, we have long passed the point where the Internet depends on header fields
like Host being present to avoid various attacks. +1

Roy



Re: disallow HTTP 0.9 by default?

2021-07-22 Thread Daniel Ferradal
I know for a fact that this will bring me some headaches at work with
a few F5 "ping" checks, but still, to heck with it!

+1

On Thu, 22 Jul 2021 at 12:39, Daniel Gruno () wrote:
>
> On 22/07/2021 10.02, Ruediger Pluem wrote:
> >
> >
> > On 7/21/21 10:04 PM, Eric Covener wrote:
> >> I was chasing an unrelated thread about close_notify alerts and
> >> reminded me -- is it time to change the default for
> >> HttpProtocolOptions from Allow0.9 to Require1.0?
> >>
> >> As the manual says, the requirement was dropped in RFC 7230. It seems
> >> like the kind of potential gadget in future desynch/smuggling kind of
> >> attacks that shouldn't be on by default today.
> >
> > +1 for Require1.0 on 2.4. Typically I would not agree because it can break 
> > existing applications, but are there really setups out
> > there that work with HTTP 0.9? I don't believe so. Hence my +1.
>
> In which case one can just manually switch back to Allow0.9, right? :)
>
> +1 for Require1.0
>
> >
> > Regards
> >
> > Rüdiger
> >
>


-- 
Daniel Ferradal
HTTPD Project
#httpd help at Libera.Chat
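The distinction the thread is voting on, as an added example that is not from the httpd code base or from any poster: a small Python model of the request-line check that `HttpProtocolOptions Allow0.9` versus `Require1.0` selects. It shows why a monitoring probe that sends a bare `GET /` (an HTTP/0.9 simple request, the kind of F5 "ping" mentioned above) is refused once `Require1.0` is in effect, and that the fix on the probe side is a full `GET / HTTP/1.0` request line. It also carries the Host check Roy refers to, since HTTP/0.9 has no headers at all. The function names, the status values and the sample requests are constructed for the example; only the two policy names are httpd's.

```python
# Added example (not httpd's own parser): a model of the request-line
# policy that HttpProtocolOptions Allow0.9 / Require1.0 selects.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Request:
    method: str
    target: str
    version: Optional[str]            # None marks an HTTP/0.9 "simple request"
    headers: Dict[str, str] = field(default_factory=dict)


def parse_request(raw: bytes) -> Request:
    """Split a request head into request line and headers.

    HTTP/0.9 (RFC 1945 "Simple-Request") is just `GET SP target CRLF`: no
    version token, no headers, hence no way to carry Host. Anything else
    must be the three-token form `method SP target SP HTTP/x.y`.
    """
    head = raw.decode("iso-8859-1").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) == 2:
        method, target = parts
        if method != "GET":
            raise ValueError("HTTP/0.9 permits only GET")
        return Request(method, target, None)
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    method, target, version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.strip():
            raise ValueError("malformed header line")
        headers[name.lower()] = value.strip()
    return Request(method, target, version, headers)


def check_policy(req: Request, policy: str) -> Tuple[int, str]:
    """Decide whether the request passes under the given policy.

    Status values are this model's own, chosen to follow RFC 7230
    conventions: a rejected request is a 400, an unknown version a 505.
    """
    if policy not in ("Allow0.9", "Require1.0"):
        raise ValueError("unknown policy")
    if req.version is None:
        if policy == "Allow0.9":
            return 200, "HTTP/0.9 simple request accepted"
        return 400, "HTTP/0.9 denied: Require1.0 in effect"
    if req.version not in ("HTTP/1.0", "HTTP/1.1"):
        return 505, "HTTP Version Not Supported"
    # RFC 7230 section 5.4: an HTTP/1.1 request without Host gets a 400.
    if req.version == "HTTP/1.1" and "host" not in req.headers:
        return 400, "HTTP/1.1 request lacks a Host header"
    return 200, "OK"


def classify(raw: bytes, policy: str) -> int:
    """Status code only; a parse failure is reported as 400."""
    try:
        return check_policy(parse_request(raw), policy)[0]
    except ValueError:
        return 400


# Constructed sample probes: a legacy 0.9 "ping", its 1.0 replacement,
# and HTTP/1.1 with and without Host.
SAMPLES = {
    "legacy 0.9 ping": b"GET /\r\n",
    "1.0 ping": b"GET / HTTP/1.0\r\n\r\n",
    "1.1 without Host": b"GET /healthz HTTP/1.1\r\n\r\n",
    "1.1 with Host": b"GET /healthz HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
}


def main() -> None:
    for policy in ("Allow0.9", "Require1.0"):
        print(f"--- {policy} ---")
        for label, raw in SAMPLES.items():
            print(f"{label:20s} -> {classify(raw, policy)}")


if __name__ == "__main__":
    main()
```

Running the script prints the verdict for each sample under both policies: the bare `GET /` is the only sample whose result depends on the policy, which is exactly the breakage a legacy health check would see after the default flips. The 0.9 branch also shows why the protocol is a poor fit for a front end today: with no version token and no headers there is nothing for Host-based virtual hosting or later parsing rules to anchor on.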


Re: disallow HTTP 0.9 by default?

2021-07-22 Thread Daniel Gruno

On 22/07/2021 10.02, Ruediger Pluem wrote:
>
>
> On 7/21/21 10:04 PM, Eric Covener wrote:
>> I was chasing an unrelated thread about close_notify alerts and
>> reminded me -- is it time to change the default for
>> HttpProtocolOptions from Allow0.9 to Require1.0?
>>
>> As the manual says, the requirement was dropped in RFC 7230. It seems
>> like the kind of potential gadget in future desynch/smuggling kind of
>> attacks that shouldn't be on by default today.
>
> +1 for Require1.0 on 2.4. Typically I would not agree because it can break
> existing applications, but are there really setups out
> there that work with HTTP 0.9? I don't believe so. Hence my +1.

In which case one can just manually switch back to Allow0.9, right? :)

+1 for Require1.0

>
> Regards
>
> Rüdiger





Re: disallow HTTP 0.9 by default?

2021-07-22 Thread Joe Orton
On Wed, Jul 21, 2021 at 04:04:13PM -0400, Eric Covener wrote:
> I was chasing an unrelated thread about close_notify alerts and
> reminded me -- is it time to change the default for
> HttpProtocolOptions from Allow0.9 to Require1.0?
> 
> As the manual says, the requirement was dropped in RFC 7230. It seems
> like the kind of potential gadget in future desynch/smuggling kind of
> attacks that shouldn't be on by default today.
> 
> Any opinions?

+1 here too.

Regards, Joe



Re: disallow HTTP 0.9 by default?

2021-07-22 Thread Luca Toscano
On Wed, Jul 21, 2021 at 10:04 PM Eric Covener  wrote:
>
> I was chasing an unrelated thread about close_notify alerts and
> reminded me -- is it time to change the default for
> HttpProtocolOptions from Allow0.9 to Require1.0?
>
> As the manual says, the requirement was dropped in RFC 7230. It seems
> like the kind of potential gadget in future desynch/smuggling kind of
> attacks that shouldn't be on by default today.
>
> Any opinions?

+1


Re: disallow HTTP 0.9 by default?

2021-07-22 Thread Giovanni Bechis
On 7/21/21 10:04 PM, Eric Covener wrote:
> I was chasing an unrelated thread about close_notify alerts and
> reminded me -- is it time to change the default for
> HttpProtocolOptions from Allow0.9 to Require1.0?
> 
> As the manual says, the requirement was dropped in RFC 7230. It seems
> like the kind of potential gadget in future desynch/smuggling kind of
> attacks that shouldn't be on by default today.
> 
+1, httpd 0.9 is old enough and it's time to deprecate it.

 Giovanni






Re: disallow HTTP 0.9 by default?

2021-07-22 Thread Yann Ylavic
On Thu, Jul 22, 2021 at 10:02 AM Ruediger Pluem  wrote:
>
> On 7/21/21 10:04 PM, Eric Covener wrote:
> > I was chasing an unrelated thread about close_notify alerts and
> > reminded me -- is it time to change the default for
> > HttpProtocolOptions from Allow0.9 to Require1.0?
> >
> > As the manual says, the requirement was dropped in RFC 7230. It seems
> > like the kind of potential gadget in future desynch/smuggling kind of
> > attacks that shouldn't be on by default today.
>
> +1 for Require1.0 on 2.4. Typically I would not agree because it can break 
> existing applications, but are there really setups out
> there that work with HTTP 0.9? I don't believe so. Hence my +1.

Same, +1.

Cheers;
Yann.


Re: disallow HTTP 0.9 by default?

2021-07-22 Thread Ruediger Pluem



On 7/21/21 10:04 PM, Eric Covener wrote:
> I was chasing an unrelated thread about close_notify alerts and
> reminded me -- is it time to change the default for
> HttpProtocolOptions from Allow0.9 to Require1.0?
> 
> As the manual says, the requirement was dropped in RFC 7230. It seems
> like the kind of potential gadget in future desynch/smuggling kind of
> attacks that shouldn't be on by default today.

+1 for Require1.0 on 2.4. Typically I would not agree because it can break 
existing applications, but are there really setups out
there that work with HTTP 0.9? I don't believe so. Hence my +1.

Regards

Rüdiger



Re: disallow HTTP 0.9 by default?

2021-07-22 Thread Stefan Eissing



> On 21.07.2021 at 22:04, Eric Covener wrote:
> 
> I was chasing an unrelated thread about close_notify alerts and
> reminded me -- is it time to change the default for
> HttpProtocolOptions from Allow0.9 to Require1.0?
> 
> As the manual says, the requirement was dropped in RFC 7230. It seems
> like the kind of potential gadget in future desynch/smuggling kind of
> attacks that shouldn't be on by default today.
> 
> Any opinions?

+1

I think the internet is a different place now from when 2.4 came out.

- Stefan