Future of AJP might be OK?
richard.frovarp at ndsu.edu
Thu Aug 25 17:45:48 UTC 2022
On 8/25/22 11:39, Cantor, Scott wrote:
> On 8/25/22, 12:31 PM, "users on behalf of Richard Frovarp via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:
>> Proxying via AJP only works on trusted
>> networks, and likely only on the same host from a security point of
>> view. There is no security in the protocol, and there have been various
>> attacks against it over time.
> The same is true of http...that's one of the big reasons it's such a bad idea, it's a trivial protocol to spoof since every machine in the world has a client.
> If all one cared about was passive attacks, the security of AJP would be the same except that the data would be visible, and half the time people proxy HTTP in the clear anyway.
You are correct. I usually forget that plain HTTP is still a thing. The
one thing is that AJP has a "secret" parameter that is anything but
secret as it is passed in the plain over the wire. So it gives the
illusion of being more secure than plain HTTP.
There have been buffer overflow attacks that have worked against the
various AJP components, with I think mod_jk being a frequent target. And
my concern would come from dev cycles to fix such an attack against
HTTPS components (which everyone uses) vs AJP (which is very niche).
More information about the users