On 2024-08-19 12:56, Salz, Rich wrote:
>> and that is part of the problem. what can protocol authors do to ensure
>> their protocols are not vulnerable to such attacks? and what can
>> implementers do about protocols that were never designed with such
>> attacks in mind? we don't currently have these answers.
>
> In the cryptography community, each use of a key comes with a context parameter,
> often mixed into the digest or such, that prevents signed data from being
> mis-used. In the QUIC protocol, lookup backoff and amplification. Similarly
> for DNS.
>
> If your protocol is TCP-based it is easier to find and block attackers because
> you know the return address is invalid. If it's UDP-based it's harder because
> attackers can fake the return address to be that of their victim.

what does any of this have to do with text-based protocols (IRC, HTTP,
SMTP, etc)?

the only RFC that appears to acknowledge vulnerabilities with text-based
protocols is RFC 9112, in its security considerations:

https://www.rfc-editor.org/rfc/rfc9112#name-security-considerations

even then, it only takes response splitting and request smuggling into
account. it does not even consider the existence of inter-protocol
exploitation like used in attacks against IRC networks.

--
plural system (tend to say 'we'), it/she/they, it instead of you
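
The context-parameter idea from the quoted reply, as an added example that is not part of the original message or of any participant's code: a tag bound to a length-prefixed context label is rejected when presented under another protocol's label. Assumptions: HMAC-SHA256 stands in for a signature scheme to stay within the standard library, and the key, labels and message are constructed for the demo.

```python
import hashlib
import hmac
import struct

KEY = bytes(range(32))  # constructed demo key, not a real secret


def _frame(context: bytes, message: bytes) -> bytes:
    # Length-prefix the context so (context, message) encodes unambiguously.
    if len(context) > 0xFFFF:
        raise ValueError("context label too long")
    return struct.pack(">H", len(context)) + context + message


def tag(key: bytes, context: bytes, message: bytes) -> bytes:
    """MAC bound to one protocol or purpose through the context label."""
    return hmac.new(key, _frame(context, message), hashlib.sha256).digest()


def verify(key: bytes, context: bytes, message: bytes, mac: bytes) -> bool:
    # Constant-time comparison of the recomputed tag with the presented one.
    return hmac.compare_digest(tag(key, context, message), mac)


def naive_tag(key: bytes, context: bytes, message: bytes) -> bytes:
    """Weak variant: plain concatenation leaves the boundary ambiguous."""
    return hmac.new(key, context + message, hashlib.sha256).digest()


def demo() -> dict:
    msg = b"NICK alice"  # constructed sample message
    irc_ctx = b"example-irc-auth v1"    # hypothetical context labels
    http_ctx = b"example-http-auth v1"
    t = tag(KEY, irc_ctx, msg)
    return {
        # Accepted in the context it was produced for.
        "same_context": verify(KEY, irc_ctx, msg, t),
        # Rejected when replayed under another protocol's label.
        "other_context": verify(KEY, http_ctx, msg, t),
        # Without framing, ("ab", "c") and ("a", "bc") yield the same tag.
        "naive_collides": naive_tag(KEY, b"ab", b"c") == naive_tag(KEY, b"a", b"bc"),
        "framed_collides": tag(KEY, b"ab", b"c") == tag(KEY, b"a", b"bc"),
    }


if __name__ == "__main__":
    print(demo())
```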