httpwg/http-extensions

[Secdir last call review] Add note to security considerations

Closed this issue · 3 comments

Comment by @timfromdigicert

This is rather unimportant, but I just wanted to mention it in case the authors
find it useful. Feel free to ignore.

The document states that there are no new security considerations, but that's
perhaps not quite true. I think it might be useful to call out that an
implementation cannot rely on its peer behaving correctly, so implementers will
have to take into account that they may still receive oversized frames from
misbehaving clients. This is arguably no different from the situation today, so
it can be argued that the current considerations are accurate.

I just thought it might be useful to call it out so some engineer doesn't
remove validation checks since the other side is supposed to behave now. Just
because we have standards, doesn't mean that everyone complies.

RFC8878 says in its security considerations:

It is highly recommended to fuzz-test (i.e., provide invalid, unexpected, or random input and verify safe operation of) decoder implementations to test and harden their capability to detect bad frames and deal with them without any adverse system side effect.

An attacker may provide correctly formed compressed frames with unreasonable memory requirements. A decoder must always control memory requirements and enforce some (system-specific) limits in order to protect memory usage from such scenarios.

Perhaps we could add something like:
"Decoders still need to take into account that they can receive oversized frames that do not follow the window size limit specified in this document and fail decoding when such invalid frames are received."

@felixhandte Thoughts?
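As an added illustration of the check being discussed (example code added to this page; it is not from the draft, the httpwg repository, or the zstd project): a parser for the Zstandard frame header as laid out in RFC 8878, Section 3.1.1, that computes Window_Size from the Window_Descriptor (or from Frame_Content_Size when Single_Segment_flag is set) and refuses the frame before any window buffer is sized from it. The 8 MiB limit is an assumption chosen for the example, and the sample headers are constructed inline.

```python
"""Frame-header window-size check for Zstandard (RFC 8878, Section 3.1.1).

Added example; not code from the httpwg draft or the zstd project. Only the
frame header is parsed, so the limit is applied before a window is allocated.
The 8 MiB default limit is an assumption made for illustration.
"""
import struct

ZSTD_MAGIC = 0xFD2FB528                 # on the wire, little-endian: 28 B5 2F FD
DEFAULT_WINDOW_LIMIT = 8 * 1024 * 1024  # assumed limit for this example


class FrameError(ValueError):
    """Malformed frame header, or a header that violates local policy."""


def parse_frame_header(data: bytes) -> dict:
    """Decode the header fields that determine Window_Size.

    Layout: Magic_Number (4), Frame_Header_Descriptor (1), optional
    Window_Descriptor (1), Dictionary_ID (0-4), Frame_Content_Size (0-8).
    Skippable frames (magic 0x184D2A5?) are not handled; they are rejected.
    """
    if len(data) < 6:
        raise FrameError("truncated: every frame header is at least 6 bytes")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic != ZSTD_MAGIC:
        raise FrameError(f"bad magic number 0x{magic:08X}")

    fhd = data[4]
    fcs_flag = fhd >> 6                # Frame_Content_Size_flag
    single_segment = bool(fhd & 0x20)
    if fhd & 0x08:                     # Reserved_bit must be zero
        raise FrameError("reserved bit set in Frame_Header_Descriptor")
    content_checksum = bool(fhd & 0x04)
    did_flag = fhd & 0x03              # Dictionary_ID_flag

    pos = 5
    window_size = None
    if not single_segment:
        # Window_Descriptor: Exponent in bits 7-3, Mantissa in bits 2-0.
        wd = data[pos]
        pos += 1
        window_base = 1 << (10 + (wd >> 3))
        window_size = window_base + (window_base // 8) * (wd & 0x07)

    did_size = (0, 1, 2, 4)[did_flag]
    # FCS_Field_Size for flag 0 is 1 byte when Single_Segment is set, else absent.
    fcs_size = (1 if single_segment else 0, 2, 4, 8)[fcs_flag]
    if len(data) < pos + did_size + fcs_size:
        raise FrameError("truncated: header shorter than its descriptor claims")

    dictionary_id = int.from_bytes(data[pos:pos + did_size], "little") if did_size else None
    pos += did_size

    frame_content_size = None
    if fcs_size:
        frame_content_size = int.from_bytes(data[pos:pos + fcs_size], "little")
        if fcs_size == 2:
            frame_content_size += 256  # the 2-byte field stores FCS - 256
        pos += fcs_size

    if single_segment:
        window_size = frame_content_size  # no Window_Descriptor: content is the window

    return {
        "single_segment": single_segment,
        "window_size": window_size,
        "frame_content_size": frame_content_size,
        "dictionary_id": dictionary_id,
        "content_checksum": content_checksum,
        "header_length": pos,
    }


def check_window_size(data: bytes, limit: int = DEFAULT_WINDOW_LIMIT) -> int:
    """Return Window_Size, or raise FrameError if it exceeds `limit`.

    The value comes from an attacker-controlled header, so it is validated here
    before it sizes any allocation, whatever the peer was supposed to send.
    """
    window_size = parse_frame_header(data)["window_size"]
    if window_size > limit:
        raise FrameError(f"window size {window_size} exceeds limit {limit}")
    return window_size


def is_rejected(data: bytes, limit: int = DEFAULT_WINDOW_LIMIT) -> bool:
    """True if the decoder would refuse this frame header."""
    try:
        check_window_size(data, limit)
    except FrameError:
        return True
    return False


# Constructed sample headers (no block data follows; only the header is checked).
MAGIC_LE = ZSTD_MAGIC.to_bytes(4, "little")
OK_8MIB = MAGIC_LE + bytes([0x00, 0x68])        # Exponent 13, Mantissa 0 -> 8 MiB
TOO_BIG_9MIB = MAGIC_LE + bytes([0x00, 0x69])   # Exponent 13, Mantissa 1 -> 9 MiB
TOO_BIG_16MIB = MAGIC_LE + bytes([0x00, 0x70])  # Exponent 14 -> 16 MiB
OK_SINGLE = MAGIC_LE + bytes([0x20, 0x64])      # Single_Segment, 1-byte FCS = 100
HUGE_SINGLE = MAGIC_LE + bytes([0xE0]) + (1 << 40).to_bytes(8, "little")  # 1 TiB window
RESERVED_BIT = MAGIC_LE + bytes([0x08, 0x68])   # reserved bit set -> reject

if __name__ == "__main__":
    for name in ("OK_8MIB", "TOO_BIG_9MIB", "TOO_BIG_16MIB", "OK_SINGLE", "HUGE_SINGLE", "RESERVED_BIT"):
        hdr = globals()[name]
        try:
            print(f"{name}: accepted, window {check_window_size(hdr)} bytes")
        except FrameError as exc:
            print(f"{name}: rejected ({exc})")
```

The point of the ordering is that the limit is compared against the parsed Window_Size before anything is allocated; a decoder that allocates first and checks afterwards has already let the peer dictate its memory use. A truncated or malformed header, a set reserved bit, and an unknown magic number all fail closed.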

Comment by @felixhandte

We could do something explicit like that, yeah. But I'm partial to just broadening the existing statement a little:

This document doesn't change any of the security considerations discussed in [RFC8878].

This seems sufficient to me because this issue is called out explicitly in para 4 there (https://www.rfc-editor.org/rfc/rfc8878#section-8-4).

What do you think, @nidhijaju, @timfromdigicert?

Don't have strong opinions, but I think maybe adding a sentence explicitly about the window size limit is good, given the document is specifically about enforcing the window size limit. This will ensure nobody misses it even if they don't click through the reference to RFC8878.