Future of AJP might be OK?
Richard Frovarp
richard.frovarp at ndsu.edu
Thu Aug 25 17:45:48 UTC 2022
On 8/25/22 11:39, Cantor, Scott wrote:
> On 8/25/22, 12:31 PM, "users on behalf of Richard Frovarp via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:
>
>> Proxying via AJP only works on trusted
>> networks, and likely only on the same host from a security point of
>> view. There is no security in the protocol, and there have been various
>> attacks against it over time.
> The same is true of http...that's one of the big reasons it's such a bad idea, it's a trivial protocol to spoof since every machine in the world has a client.
>
> If all one cared about was passive attacks, the security of AJP would be the same except that the data would be visible, and half the time people proxy HTTP in the clear anyway.

You are correct. I usually forget that plain HTTP is still a thing. The
one thing is that AJP has a "secret" parameter that is anything but
secret as it is passed in the plain over the wire. So it gives the
illusion of being more secure than plain HTTP.

There have been buffer overflow attacks that have worked against the
various AJP components, with I think mod_jk being a frequent target. And
my concern would come from dev cycles to fix such an attack against
HTTPS components (which everyone uses) vs AJP (which is very niche).

Richard
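
Added example (not part of the original message, and not code from Shibboleth, Tomcat or mod_jk): a minimal AJP13 Forward Request builder and parser showing that the "secret" attribute discussed above sits in the packet as an ordinary length-prefixed string. The host name, request path and secret value are constructed for the illustration.

```python
import struct

ATTR_REQ_ATTRIBUTE, ATTR_SSL_KEY_SIZE, ATTR_SECRET, ATTR_DONE = 0x0A, 0x0B, 0x0C, 0xFF

def ajp_str(s):
    """Encode an AJP13 string: 2-byte big-endian length, bytes, trailing NUL."""
    b = s.encode()
    return struct.pack(">H", len(b)) + b + b"\x00"

def build_forward_request(secret):
    """Constructed sample: GET /idp/status carrying a secret attribute."""
    body = bytes([0x02, 0x02])                  # prefix: Forward Request, method: GET
    for s in ("HTTP/1.1", "/idp/status", "127.0.0.1", "localhost", "idp.example.org"):
        body += ajp_str(s)                      # protocol, uri, addr, host, server name
    body += struct.pack(">HBH", 443, 1, 1)      # server port, is_ssl, header count
    body += struct.pack(">H", 0xA00B) + ajp_str("idp.example.org")  # coded "host"
    body += bytes([ATTR_SECRET]) + ajp_str(secret) + bytes([ATTR_DONE])
    return b"\x12\x34" + struct.pack(">H", len(body)) + body

def read_str(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    if n == 0xFFFF:                             # AJP13 encoding of a null string
        return None, pos + 2
    return buf[pos + 2:pos + 2 + n].decode("latin-1"), pos + 2 + n + 1

def extract_secret(packet):
    """Return the secret exactly as it appears on the wire, or None if absent."""
    if packet[:2] != b"\x12\x34" or packet[4] != 0x02:
        raise ValueError("not an AJP13 forward request")
    pos = 6                                     # past magic, length, prefix, method
    for _ in range(5):                          # five fixed leading strings
        _, pos = read_str(packet, pos)
    _port, _is_ssl, nhdr = struct.unpack_from(">HBH", packet, pos)
    pos += 5
    for _ in range(nhdr):
        (code,) = struct.unpack_from(">H", packet, pos)
        # Header name is either a 2-byte code (0xA0xx) or a full string.
        pos = pos + 2 if (code & 0xFF00) == 0xA000 else read_str(packet, pos)[1]
        _, pos = read_str(packet, pos)          # header value
    while packet[pos] != ATTR_DONE:
        attr, pos = packet[pos], pos + 1
        if attr == ATTR_SSL_KEY_SIZE:           # 2-byte integer, not a string
            pos += 2
            continue
        for _ in range(2 if attr == ATTR_REQ_ATTRIBUTE else 1):
            value, pos = read_str(packet, pos)  # req_attribute carries name + value
        if attr == ATTR_SECRET:
            return value
    return None
```

No key or session state is needed to read the value back; the parser only follows the documented field layout.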