Contact emails
vas...@chromium.org, r...@chromium.org
Spec
https://tools.ietf.org/html/draft-ietf-httpbis-replay-02
The draft is currently in the Working Group Last Call.
Summary
HTTP 425 is an error code that allows the server to indicate that it’s unwilling to process a given request since it was sent over 0-RTT using TLS 1.3 or QUIC. Upon receiving it, the browser has to wait until a full TLS session is established and then retry the request.
Motivation
In TLS 1.3 and QUIC, a request can be sent over 0-RTT; this allows the client to avoid the latency penalty of establishing a full connection, but also allows network attackers to replay the request. In order to avoid that, there are multiple safeguards, one of which is allowing the server to reject a request and ask the client to resend it once the server has a cryptographically strong proof that the request is not being replayed. The proposed error code provides such a mechanism.
Risks
Interoperability and Compatibility
The interoperability risk is fairly low. The draft is in last call and is mandatory for all implementations that use 0-RTT over TLS 1.3; the same will be the case for QUIC once it becomes an IETF standard. The error code is not processed outside of that context.
The main risk is that the error code could change between now and IANA allocation. This is unlikely since it appears to be unused (outside of an obscure WebDAV extension which is dubiously real), and Firefox has already shipped it.
Edge: Public support -- http://lists.w3.org/Archives/Public/ietf-http-wg/2017JulSep/0347.html
Firefox: Shipped -- https://bugzilla.mozilla.org/show_bug.cgi?id=1406908
Safari: No signals
Web developers: Nothing from actual developers of web applications; not directly related to the status code, but other parts of the draft seem to be supported by HTTP server developers (shipped by HAProxy and h2o, more support on the mailing list)
Ergonomics
This feature will use the same retry mechanisms as many other HTTP-internal retries do, so there should be no possible concerns with respect to how the retry is actually done.
Activation
The feature is only required when 0-RTT is used. For TLS 1.3, Chrome will not use 0-RTT until this feature is shipped. For pre-IETF QUIC, existing deployments already rely on the GET/POST distinction for replay protection, hence this is mostly useful for newer deployments.
Debuggability
The requests retried upon the 425 code will be visible in net-internals logs.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.
Is this feature fully tested by web-platform-tests?
No. It will be tested by network stack tests.
Link to entry on the feature dashboard
https://www.chromestatus.com/feature/5866220553240576
Requesting approval to ship?
Yes.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/9faddacf-8ada-4551-8458-aed1bf800635%40chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
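The client and server behaviour described in the Summary, Motivation and Activation sections of the intent above, as an added example in Python; this is not Chromium network stack code and not code from the draft. It models a TLS 1.3 connection on which 0-RTT data is replayable until the handshake completes, a server policy that processes only safe methods from early data and answers everything else with 425, and a client that, on 425, waits for the full handshake and resends the request outside early data. The names (`Connection`, `fetch`, `server_policy`), the "safe methods only" server policy and the single automatic retry are this example's own assumptions.

```python
"""Model of HTTP 425 (Too Early) handling for requests sent as TLS 1.3 / QUIC 0-RTT data.

Added example (not Chromium's or the draft's code). Names, the server policy
and the single-retry rule are assumptions of this example.
"""
from dataclasses import dataclass
from typing import List

# Assumption: methods the constructed server is willing to process from 0-RTT data.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


@dataclass
class Request:
    method: str
    path: str
    body: bytes = b""
    early_data: bool = False  # True when sent over 0-RTT, before the handshake completes


@dataclass
class Response:
    status: int
    reason: str = ""


class Connection:
    """Simulated TLS 1.3 connection: 0-RTT is possible only until the handshake completes."""

    def __init__(self) -> None:
        self.handshake_complete = False
        self.log: List[str] = []  # what went on the wire, for inspection

    def complete_handshake(self) -> None:
        # After the full handshake the server has fresh proof that data on this
        # connection is not a replay of a captured 0-RTT flight.
        self.handshake_complete = True

    def send(self, request: Request, server) -> Response:
        if request.early_data and self.handshake_complete:
            raise ValueError("0-RTT data cannot be sent after the handshake completed")
        if not request.early_data and not self.handshake_complete:
            # A normal (1-RTT) request waits for the handshake first.
            self.complete_handshake()
        self.log.append(f"{request.method} {request.path} early={request.early_data}")
        return server(request)


def server_policy(request: Request) -> Response:
    """Constructed server policy: safe methods may be served from early data;
    anything else is deferred with 425 until it arrives on the completed handshake."""
    if request.early_data and request.method not in SAFE_METHODS:
        return Response(425, "Too Early")
    return Response(200, "OK")


def fetch(conn: Connection, request: Request, server=server_policy) -> Response:
    """Client side: send the request; on 425, wait for the full handshake and retry once, never as 0-RTT."""
    response = conn.send(request, server)
    if response.status != 425:
        return response
    if not request.early_data:
        # Assumption of this example: a request that was not sent as early data
        # is not retried automatically; the 425 is surfaced as-is.
        return response
    conn.complete_handshake()  # the "wait until a full TLS session is established" step
    retry = Request(request.method, request.path, request.body, early_data=False)
    return conn.send(retry, server)


if __name__ == "__main__":
    conn = Connection()
    # Constructed input: a non-idempotent request optimistically sent over 0-RTT.
    print(fetch(conn, Request("POST", "/transfer", b"amount=10", early_data=True)))
    print(conn.log)
```

Running the block shows the POST going out twice: once flagged as early data (rejected with 425) and once after the handshake (accepted), while a GET sent as early data is served without any retry.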
Is this feature fully tested by web-platform-tests?
No. It will be tested by network stack tests.
I kinda wish we started expanding WPT to cover network stack features as well. I'm guessing that right now WPT's infrastructure and WPTServe do not enable you to do such testing. Could you figure out what's missing and open issues on WPT?