undefined | Better HN

0 pointsalbinowax_6y ago0 comments

Hi, I'm the author of the article.

Regarding point 5, the front-end doesn't need to support pipelining at all, and the back-end doesn't require it either in most cases. Regarding chunk support, yeah you could patch this by disabling chunked requests on both systems, but if only one system disables it that pretty much just makes the situation worse.

I think your first point could be misread. If you have a front-end and a back-end, and they talk to eachother using HTTPS, that's exploitable. What's not exploitable is when you don't have a frontend at all, or your frontend isn't doing any kind of request parsing (ie it's a network load balancer).

0 comments

lhuser1236y ago

> What's not exploitable is when you don't have a frontend at all, or your frontend isn't doing any kind of request parsing

I think that’s exactly what he was trying to say in the first point. Anyway thanks for stressing that, it helped me understand better what is happening.

cryptonector6y ago

Disabling chunking is often not an option.

EDIT: Basically, chunked transfer encoding is not an option for any front-end systems (reverse proxies / load balancers of any kind). Also note that because there exist apps that associate authentication state with connections (though they're not supposed to), one should generally avoid mixing traffic from different users onto one connection.

j / k navigate · click thread line to collapse