Re: [Acme] ACME breaking change: Most GETs become POSTs

Jacob Hoffman-Andrews <jsha@eff.org> Fri, 31 August 2018 20:15 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/JWrpF-mCcxwG3BOQPEhBw8SMiGo>

On 08/31/2018 12:30 PM, Jacob Hoffman-Andrews wrote:
> /account/100/certificate/3438
> /account/201/certificate/3439
> /account/100/certificate/3440*

Here's an issue that came up during code review: When you POST-as-GET to 
a resource you don't own, should you get Not Found or Unauthorized? The 
quick answer is Not Found. If we return Unauthorized, that still allows 
potentially enumerating the existence of certificate URLs, which 
depending on URL schemes might reveal the grouping of certificates by 
account id.

However, if we choose Not Found, that implies we're trying to hide the 
existence of certain resources, which means checking for those resources 
has to be timing-safe, a very high bar. We wind up hiding one foot-gun 
(URL enumeration) under another foot-gun (timing attacks).

Alternately, we could consider URL enumeration out of scope, and say 
"POST-as-GET is only intended to protect the contents of resources, not 
their existence or relationship to each other."

That winds up leaving us pretty close to being back at draft-14: Since 
POST-as-GET protects resource bodies, and the currently-specified 
resources are already broken down into sensitive (account) and not 
(orders, authorizations, challenges, certificates), we could just as 
well leave the non-sensitive resources as regular GETs. We might make a 
change to define POST-as-GET as a broader mechanism, to be used by 
default by future extensions that define new resource types.

Alternately, we might say that even though orders, authorizations, 
challenges, and certificates are all non-sensitive, we should require 
POST-as-GET across the board for all ACME requests, because it will 
simplify security analysis.

What do you all think? Should enumeration of the existence of URLs be 
considered in-scope?
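As an added illustration (not code from this thread or from any ACME implementation), the following Python models the handler behaviours discussed above for a resource such as /account/<id>/certificate/<n>, together with the check a reviewer would run to see whether the status code alone reveals existence. The certificate store, account ids and the account-scoped index are constructed sample data and an assumed design, not something the email proposes.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Cert:
    account: int   # owning ACME account id
    body: str      # certificate chain (constructed placeholder text)


# Constructed sample store, cert id -> Cert, mirroring the URLs quoted above.
CERTS = {
    3438: Cert(100, "<pem 3438>"),
    3439: Cert(201, "<pem 3439>"),
    3440: Cert(100, "<pem 3440>"),
}
# The same data indexed by (account, cert id), for the account-scoped variant.
CERTS_BY_OWNER = {(c.account, cid): c for cid, c in CERTS.items()}


def lookup_unauthorized(requester: int, cert_id: int) -> int:
    """Unauthorized for someone else's cert, Not Found for a missing one.
    The 401/404 split is exactly the existence oracle the email describes."""
    cert = CERTS.get(cert_id)
    if cert is None:
        return 404
    return 200 if cert.account == requester else 401


def lookup_not_found(requester: int, cert_id: int) -> int:
    """Collapse 'missing' and 'not yours' into one 404. The status no longer
    leaks, but the two cases still take different code paths (the ownership
    compare only runs when the cert exists), so timing may still tell them apart."""
    cert = CERTS.get(cert_id)
    if cert is None or cert.account != requester:
        return 404
    return 200


def lookup_scoped(requester: int, cert_id: int) -> int:
    """Assumed alternative: key the lookup by (account, cert id) so a foreign cert
    and a missing cert are the same single dictionary miss. This removes the extra
    branch; it does not by itself make the backing store's access time data-independent."""
    return 200 if (requester, cert_id) in CERTS_BY_OWNER else 404


def status_reveals_existence(lookup: Callable[[int, int], int]) -> bool:
    """Reviewer's check: does the handler answer differently for a cert owned by
    another account than for a cert id that does not exist at all?"""
    other_accounts_cert = lookup(201, 3438)   # exists, owned by account 100
    nonexistent = lookup(201, 9999)           # constructed id with no cert
    return other_accounts_cert != nonexistent
```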