←back to thread

CRLF is obsolete and should be abolished

(fossil-scm.org)
422 points km | 3 comments | 13 Oct 24 19:16 UTC | HN request time: 0s | source
Show context
michaelmior ◴[13 Oct 24 20:03 UTC] No.41831072[source]
> various protocols (HTTP, SMTP, CSV) still "require" CRLF at the end of each line

What would be the benefit to updating legacy protocols to just use NL? You save a handful of bits at the expense of a lot of potential bugs. HTTP/1(.1) is mostly replaced by HTTP/2 and later by now anyway.

Sure, it makes sense not to require CRLF with any new protocols, but it doesn't seem worth updating legacy things.

> Even if an established protocol (HTTP, SMTP, CSV, FTP) technically requires CRLF as a line ending, do not comply.

I'm hoping this is satire. Why intentionally introduce potential bugs for the sake of making a point?

replies(13): >>41831206 #>>41831210 #>>41831225 #>>41831256 #>>41831322 #>>41831364 #>>41831391 #>>41831706 #>>41832337 #>>41832719 #>>41832751 #>>41834474 #>>41835444 #
FiloSottile ◴[13 Oct 24 20:39 UTC] No.41831391[source]
Exactly. Please DO NOT mess with protocols, especially legacy critical protocols based on in-band signaling.

HTTP/1.1 was regrettably but irreversibly designed with security-critical parser alignment requirements. If two implementations disagree on whether `A:B\nC:D` contains a value for C, you can build a request smuggling gadget, leading to significant attacks. We live in a post-Postel world, only ever generate and accept CRLF in protocols that specify it, however legacy and nonsensical it might be.

(I am a massive, massive SQLite fan, but this is giving me pause about using other software by the same author, at least when networks are involved.)

replies(7): >>41831450 #>>41831498 #>>41831871 #>>41832546 #>>41832632 #>>41832661 #>>41839309 #
tptacek ◴[13 Oct 24 20:47 UTC] No.41831450[source]
This would be more persuasive if HTTP servers didn't already widely accept bare 0ah line termination. What's the first major public web site you can find that doesn't?
replies(5): >>41831506 #>>41831717 #>>41832137 #>>41832555 #>>41832731 #
hifromwork ◴[13 Oct 24 22:09 UTC] No.41832137[source]
As the parent mentioned, it's security critical that every HTTP parser in the world - including every middleware, proxy, firewall, WAF - parses the headers in the same way. If you write a HTTP parser for a server application it's imperative you don't introduce random inconsistences with the standard (I can't believe I have to write this).

On the other hand, as a client, it's OK to send malformed requests, as long as you're prepared that they may fail. But it's a weird flex, legacy protocols have many warts, why die on this particular hill.

replies(2): >>41832201 #>>41835964 #
tptacek ◴[13 Oct 24 22:20 UTC] No.41832201{3}[source]
That appears to be an argument in favor of accepting bare-0ah, since as a positive statement that is the situation on the Internet today.
replies(3): >>41832905 #>>41833940 #>>41834573 #
theamk ◴[14 Oct 24 00:12 UTC] No.41832905{4}[source]
Wouldn't the safest thing, security-wise, to fail fast on bare 0ah?

As a web server, you may not know which intermediate proxies did the request traverse before arriving to your port. Given that request smuggling is a thing, failing fast with no further parsing on any protocol deviations seems to be the most secure thing.

replies(1): >>41832974 #
1. tptacek ◴[14 Oct 24 00:24 UTC] No.41832974{5}[source]
I mean the safest thing would be to send an RST as soon as you see a SYN for 80/tcp.
replies(2): >>41833159 #>>41833686 #
2. RedShift1 ◴[14 Oct 24 00:59 UTC] No.41833159[source]
Wouldn't not replying at all be the safest?
3. theamk ◴[14 Oct 24 02:31 UTC] No.41833686[source]
That would have a severe downside of not letting your customers access your website.

Fast-abort on bare-0ah will still be compatible with all browsers and major http clients, thus providing extra mitigations practically for free.