Re: http2 smuggling

2020-09-11 Thread Willy Tarreau
On Fri, Sep 11, 2020 at 09:56:21AM +0200, Tim Düsterhus wrote: > Willy, > > On 11.09.20 at 09:42, Willy Tarreau wrote: > > On Fri, Sep 11, 2020 at 09:02:57AM +0200, Tim Düsterhus wrote: > >> According to the article performing a h2c upgrade via TLS is not valid > >> according to the spec.

Re: http2 smuggling

2020-09-11 Thread Tim Düsterhus
Willy, On 11.09.20 at 09:42, Willy Tarreau wrote: > On Fri, Sep 11, 2020 at 09:02:57AM +0200, Tim Düsterhus wrote: >> According to the article performing a h2c upgrade via TLS is not valid >> according to the spec. HAProxy implements the H2 spec. > > "according to the article" :-) There's no

Re: http2 smuggling

2020-09-11 Thread Willy Tarreau
On Fri, Sep 11, 2020 at 09:02:57AM +0200, Tim Düsterhus wrote: > According to the article performing a h2c upgrade via TLS is not valid > according to the spec. HAProxy implements the H2 spec. "according to the article" :-) There's no such mention in the spec itself from what I remember, it's

Re: http2 smuggling

2020-09-11 Thread Willy Tarreau
On Fri, Sep 11, 2020 at 02:52:30AM -0400, John Lauro wrote: > I could be wrong, but I think he is stating that if you have that > allowed, it can be used to get a direct connection to the backend > bypassing any routing or acls you have in the load balancer, so if > some endpoints are blocked,

Re: [*EXT*] Re: http2 smuggling

2020-09-11 Thread Willy Tarreau
Hi Ionel, On Fri, Sep 11, 2020 at 08:35:58AM +0200, Ionel GARDAIS wrote: > Hi Willy, > > Being devil's advocate: isn't the point that even if this is a documented, > standardized and intended behavior, users relying on the reverse proxy for > security/sanity checks could be tricked by this

Re: http2 smuggling

2020-09-11 Thread Tim Düsterhus
Willy, On 11.09.20 at 08:07, Willy Tarreau wrote: > On Fri, Sep 11, 2020 at 01:55:10PM +1000, Igor Cicimov wrote: >> Should we be worried? >> >> https://portswigger.net/daily-swig/http-request-smuggling-http-2-opens-a-new-attack-tunnel > > But this stuff is total nonsense. Basically the guy is

Re: http2 smuggling

2020-09-11 Thread John Lauro
I could be wrong, but I think he is stating that if you have that allowed, it can be used to get a direct connection to the backend bypassing any routing or acls you have in the load balancer, so if some endpoints are blocked, or internal only, they could potentially be accessed this way. For

Re: [*EXT*] Re: http2 smuggling

2020-09-11 Thread Ionel GARDAIS
- Original Message - From: "Willy Tarreau" To: "Igor Cicimov" Cc: "haproxy" Sent: Friday, 11 September 2020 08:19:12 Subject: [*EXT*] Re: http2 smuggling On Fri, Sep 11, 2020 at 08:07:02AM +0200, Willy Tarreau wrote: > Sadly, as usual after people discover

Re: http2 smuggling

2020-09-11 Thread Willy Tarreau
On Fri, Sep 11, 2020 at 08:07:02AM +0200, Willy Tarreau wrote: > Sadly, as usual after people discover protocols during the summer, some > journalists will surely want to make noise about this to put some bread > on their table... > > Thanks for the link anyway I had a partial laugh; partial only

Re: http2 smuggling

2020-09-11 Thread Willy Tarreau
Hi Igor, On Fri, Sep 11, 2020 at 01:55:10PM +1000, Igor Cicimov wrote: > Should we be worried? > > https://portswigger.net/daily-swig/http-request-smuggling-http-2-opens-a-new-attack-tunnel But this stuff is total nonsense. Basically the guy is complaining that the products he tested work

http2 smuggling

2020-09-10 Thread Igor Cicimov
Should we be worried? https://portswigger.net/daily-swig/http-request-smuggling-http-2-opens-a-new-attack-tunnel IC