Last Call Review of draft-ietf-httpbis-header-compression-10
review-ietf-httpbis-header-compression-10-secdir-lc-lepinski-2015-01-22-00

Request Review of draft-ietf-httpbis-header-compression
Requested rev. no specific revision (document currently at 12)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2015-01-20
Requested 2015-01-02
Draft last updated 2015-01-22
Completed reviews Genart Last Call review of -10 by David Black (diff)
Secdir Last Call review of -10 by Matt Lepinski (diff)
Opsdir Last Call review of -10 by David Black (diff)
Assignment Reviewer Matt Lepinski
State Completed
Review review-ietf-httpbis-header-compression-10-secdir-lc-lepinski-2015-01-22
Reviewed rev. 10 (document currently at 12)
Review result Has Nits
Review completed: 2015-01-22

Review
review-ietf-httpbis-header-compression-10-secdir-lc-lepinski-2015-01-22

I have reviewed this document as part of the security directorate’s ongoing effort to review all IETF documents being processed by the IESG.  These comments were written with the intent of improving security requirements and considerations in IETF drafts.  Comments not addressed in last call may be included in AD reviews during the IESG review.  Document editors and WG chairs should treat these comments just like any other last call comments.

This document specifies HPACK, the compression scheme used by HTTP/2. A new compression scheme was needed for HTTP/2 because of attacks against systems where traditional compression schemes were used to compress HTTP headers sent over an encrypted TLS connection. (e.g., the CRIME attack against SPDY.) HPACK is specifically designed to avoid CRIME and similar attacks.

I believe that this document is mature and nearly ready for publication. However, I have one concern and would request a change to the document (see below).

After reviewing this document and looking at the PETAL paper it references, I am satisfied that -- as the authors claim -- the HPACK scheme [when used to compress HTTP headers] is secure relative to our (the security community) current understanding of attacks against encryption of compressed data. That is, I believe that the authors have adequately addressed -- in the design of HPACK and the associated Security Considerations section -- all known security issues. 

That being said, since HPACK is a relatively new algorithm, and since encryption of compressed headers is known to be somewhat perilous, it is possible that a clever attacker will develop a new attack in the future (i.e., CRIME++ ) that works against HPACK-compressed header fields. I haven't read the latest version of HTTP/2 carefully enough to know whether HTTP/2 has a mechanism for an implementation to turn off use of HPACK if such an attack is discovered. However, planning for a possible future attack against HPACK would probably be wise.

==========================

REQUEST FOR CHANGE TO: draft-ietf-httpbis-header-compression

The Security Considerations in this document are extremely well-written (particularly Sections 7.1.1 and 7.1.2). Based on experience with the CRIME attack, there are significant security concerns (described in Section 7.1) with encrypting compressed headers. Section 7.1.1 explains how these concerns relate to HPACK and Section 7.1.2 describes steps that an HPACK encoder implementation can take to mitigate these concerns. These sections are very important -- indeed, more important than the security considerations sections for many IETF documents.

I would very much like to see a forward reference to Section 7.1.2 (or perhaps just Section 7.1 as whole) at some point earlier in the document  when the authors are describing the encoder (probably somewhere in Section 2). That is, there are important mitigation techniques that an implementer should have in mind when creating an HPACK encoder. I believe that referencing these techniques when the encoding process is described would be a good idea. 

==========================