<div dir="auto"><div dir="auto">Thanks Amos,</div><div dir="auto"><br></div><div dir="auto">I know what squid and other web servers do already so it's weird for me to hear http/x should die.</div><div dir="auto">I won't say if it works don't touch it but even the most basic http service I tried to write 5 years ago didn't had such flaws.</div><div dir="auto"><br></div><div dir="auto">Also, many lb and forward proxy are resistant to the attacks this post mentioned.</div><div dir="auto">I am unsure on what services he used it against.</div><div dir="auto"><br></div><div dir="auto">For now I still believe that squid stable is very advanced in it's level of perfection compared to other pieces of code out there.</div><div dir="auto"><br></div><div dir="auto">There are other questions like:</div><div dir="auto">Can any ai write anything in either golang/python/rust which can compete with squid?</div><div dir="auto"><br></div><div dir="auto">What others think?</div><div dir="auto"><br></div><div dir="auto">And I must say i gave some ai's the chance to write an icap helper logic for youtube.... I still couldn't make it create something like what I wrote 10 years ago.</div><div dir="auto">And, I am looking for some caching challenges :)</div><div dir="auto"><br></div><div dir="auto">Eliezer</div><div data-smartmail="gmail_signature" dir="auto"><div dir="ltr"><div dir="rtl" style="color:rgb(34,34,34)"><br></div><div dir="rtl" style="color:rgb(34,34,34)"><br></div></div></div><br><div class="gmail_quote gmail_quote_container" dir="auto"><div dir="ltr" class="gmail_attr">בתאריך יום א׳, 31 באוג׳ 2025, 20:16, מאת Amos Jeffries <<a href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>>:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 31/08/25 07:49, NgTech LTD wrote:<br>
> Hey,<br>
> <br>
> I have seen this research:<br>
> <br>
> <a href="https://portswigger.net/research/http1-must-die" rel="noreferrer noreferrer" target="_blank">https://portswigger.net/research/http1-must-die</a> <https:// <br>
> <a href="http://portswigger.net/research/http1-must-die" rel="noreferrer noreferrer" target="_blank">portswigger.net/research/http1-must-die</a>><br>
> <br>
<br>
I'm not sure I would call that research exactly. It is pretty much an <br>
enumeration of theoretical flaws in HTTP/1 which **might** occur <br>
assuming one of the HTTP agents is designed badly.<br>
<br>
I notice that proper implementation of HTTP security requirements closes <br>
off a number of issues listed there.<br>
<br>
For example; all mentioned issues with "obs-fold" (obsolete HTTP/1.0 <br>
whitespace folding) in Content-Length headers are not a problem when one <br>
obeys the RFC7230 / RFC9112 requirement to either; replace obs-fold with <br>
a single SP **before** processing the headers, OR to respond with a <br>
connection error (404 status response and TCP RST) whenever it is <br>
received on HTTP/1.1 messages.<br>
<br>
<br>
> And was wondering how squid is handling such cases.<br>
> <br>
<br>
AFAICS, Squid has been around and been updated with workarounds and <br>
fixes for all of these cases (and many more pre-RFC9112 issues) as they <br>
were discovered.<br>
<br>
Today Squid has a rather strict parsing of input, with our "lenient" <br>
mode only tolerating the broken inputs when they are able to be fixed <br>
without causing more issues and essentially no behavior change.<br>
<br>
<br>
Not sure I would go as far as the "must die" argument quite yet. The <br>
HTTP/1 syntax still has a place as Human-readable display for any HTTP <br>
version. But yes, that time to stop sending it in communications is fast <br>
approaching. HTTP/2 had its 10 year birthday earlier this year!<br>
<br>
<br>
HTH<br>
Amos<br>
<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank" rel="noreferrer">squid-users@lists.squid-cache.org</a><br>
<a href="https://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer noreferrer" target="_blank">https://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div></div>