Discuss "open proxy" concerns

[chris-wood]

A colluding client and target can currently use proxies to send anything. This might be worth noting in the security considerations.

[Lekensteyn]

This must definitely be expanded on. Right now one of the public ODoH proxy servers permits a query such as

curl -sid '' -Acontent-type:application/oblivious-dns-message 'https://proxyhost/proxy?targethost=example.org&targetpath=/'

Suggestions:

• Require the proxy to check that the request uses the POST method with Content-Type application/oblivious-dns-message.
• Require the proxy to check that the response has Content-Type application/oblivious-dns-message.
• Clarify whether the targethost can contain a port number (e.g. example.com:4443)
• Require the proxy to validate the target host (forbidding localhost:1337/bad) and target path (forbidding query parameters such as /echo?content-type=application/oblivious-dns-message).
• Specify error codes for the proxy in case the target is unreachable. (502 Bad Gateway?) Ideally an application-level error could be emitted to differentiate between deployment errors and actual errors recognized by the proxy service.

The above header checks might be too late. To reduce the likelihood of abuse, the proxy could perform checks for new hosts. Assuming that the ODoH target is public, the proxy could check for the odohconfig HTTPS/SVCB parameter and refuse service if not found.

[chris-wood]

@skepticfx, can you please have a look here?

[chris-wood]

Following up on the proposals above:

1. Agreed, this should be expanded upon in Section 4.1.
2. Agreed, assuming the status code is 2xx. I don't think the content type is relevant if the status code isn't 2xx, since the client won't process the body anyway.
3. Agreed. I think it's fine to permit a port number. It's a proxy policy question as to whether certain port numbers should be allowed. (We can add that to the security considerations.)
4. I think this is covered (albeit somewhat implicitly) in Section 4.1. It can probably be improved.
5. Great suggestion! I'm fine with 502 in that case.

I also like the recommendation that the proxy check for the HTTPS odohconfig parameter in all permitted targets (whether or not there is an allow list of targets).

I'll put together a PR to address these.

[skepticfx]

A colluding client and target could always allow abuse of proxies. Can the proxy deny requests to a target if it deems the target is not a valid oDoH server? In that case, what would be an appropriate error code?

Agree with the recommendations above about validating the HTTP request path and query parameters to always conform with what is allowed in the oDoH protocol. This prevents the general open proxy abuse. ( The target need not be colluding here, just the client is malicious here).

However am not sure how the odohconfig helps against the abuse of a colluding client and target.