IETF Logo Mail Archive

Re: [Acme] ACME breaking change: Most GETs become POSTs

Richard Barnes <rlb@ipv.sx> Fri, 31 August 2018 20:58 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE06B130E0E for <acme@ietfa.amsl.com>; Fri, 31 Aug 2018 13:58:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3vQTPpyMRmC8 for <acme@ietfa.amsl.com>; Fri, 31 Aug 2018 13:58:48 -0700 (PDT)
Received: from mail-oi0-x236.google.com (mail-oi0-x236.google.com [IPv6:2607:f8b0:4003:c06::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A467127B92 for <acme@ietf.org>; Fri, 31 Aug 2018 13:58:48 -0700 (PDT)
Received: by mail-oi0-x236.google.com with SMTP id c190-v6so24038711oig.6 for <acme@ietf.org>; Fri, 31 Aug 2018 13:58:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YjoPpKoV5NEoZyo19CXVO1TpxnnR/DpHP+Nzlpv+5+U=; b=cDEbGFufrUYeGqtn9NlLq8W6QSlxAnsBnNRtqlRA28gkWSrqgWczqQ7441EkMugMgc SaPnJNQ/Uy/9ngBVq6AHaDTslzbkpgIJIv9HS7fXcHvXl1JA6n5yCE0zZ7o7TVcbLL3M 8Ds8J5CfkXI6o+fJAbXeEBzKHtDvxKeVZclv8vR9n/Esr+34dwDIff/8yzbmzuOjZ+NH GiyL3cryrzggUprD97WytuV+nNT7ZHrf4sDt+2AfJiz/HvdwylPz2T+1+pcLI6S+Z6Zh dWVFi7ffIdL8/6l4Q6El2wO8HMse56/pKGK9DdD8jV8vhrgZy+b3OeO1rbMklI82D5jn 56UQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YjoPpKoV5NEoZyo19CXVO1TpxnnR/DpHP+Nzlpv+5+U=; b=mGE1JnDa6vMiOJ8d3SyPBaop8rsYKemQlI56TR0W3R89+gPPzBGSnj33Fx2bz6/KDa 0SNhqEJUXDH+9tjUpOpyVNHMz3gBjb9KQ0WIGCOU4WRqA2J0PYtUpJpXITh+MaY4EHif XMXgKoXsFTCC0N7zVuox8n2GAggDatlmN3f1cOtIkiGlGxKCu650yGlzrL2ciWZKOaDQ asUVetkaK3nHcKV9fQWnKdtjtLpyPpv07DwOsIEn4J52/Egrn4c6w5FbeIcyRPEW711E +BLoOoiWbn5zGb6q6wVhlj3yJHYstg3RGEOY7zB5TEmUBaVmhE23VW/k2XIw26KDBgQ+ xlgg==
X-Gm-Message-State: APzg51DI5TXIxpwRXLKXOWQZkesoCivTdih4Rhwpc0IQvzxHlnlYAbl/ c1DRH8GLJanuuw3z8+AfHR/JiF9jzzndzltcsN1VFg==
X-Google-Smtp-Source: ANB0VdY5BeAGBKF1mC5JWBiGaAH9ZEFlktq1d3C5Dr1r1FJFkFSnAMefohS7l/GFj1LouLV0XjF58egJHdANSek4NbM=
X-Received: by 2002:aca:6b87:: with SMTP id g129-v6mr8591147oic.88.1535749127834; Fri, 31 Aug 2018 13:58:47 -0700 (PDT)
MIME-Version: 1.0
References: <c33184f3-4e64-b7ea-babb-d29e2307f1f3@eff.org> <2a889461-da9e-d3bd-e5a8-688eda61c614@eff.org> <51509028-1939-4851-8BB5-41F94FA146A1@felipegasper.com> <CAL02cgTLEMAMZQicNvXzQrRnGeemrUojmGe_8r=e_YZCNazdsQ@mail.gmail.com> <D171FC21-64FA-4438-AF45-520B5AFEEBF7@akamai.com> <CAL02cgQXx0fBUuxa8ivwTk09J5h8tWiNP8b+8taY8wPJxLypeA@mail.gmail.com> <4404d740-504c-bba7-d30d-dff385bd1216@eff.org> <02333187-cb4e-7e4c-b035-1fd311b437f0@eff.org>
In-Reply-To: <02333187-cb4e-7e4c-b035-1fd311b437f0@eff.org>
From: Richard Barnes <rlb@ipv.sx>
Date: Fri, 31 Aug 2018 16:58:36 -0400
Message-ID: <CAL02cgS-Hp9zwJ5i-bUEWq6sO0qvhTyY8k0uOUCeABwheW=C9A@mail.gmail.com>
To: Jacob Hoffman-Andrews <jsha@eff.org>
Cc: "Salz, Rich" <rsalz@akamai.com>, IETF ACME <acme@ietf.org>, Felipe Gasper <felipe@felipegasper.com>
Content-Type: multipart/alternative; boundary="0000000000003aa2040574c175f7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/PQhCtGJWBtRaDS1KGNjZp4gKgLY>
Subject: Re: [Acme] ACME breaking change: Most GETs become POSTs
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Aug 2018 20:58:51 -0000

On Fri, Aug 31, 2018 at 4:15 PM Jacob Hoffman-Andrews <jsha@eff.org> wrote:

> On 08/31/2018 12:30 PM, Jacob Hoffman-Andrews wrote:
> > /account/100/certificate/3438
> > /account/201/certificate/3439
> > /account/100/certificate/3440*
>
> Here's an issue that came up during code review: When you POST-as-GET to
> a resource you don't own, should you get Not Found or Unauthorized? The
> quick answer is Not Found. If we return Unauthorized, that still allows
> potentially enumerating the existence of certificates URLs, which
> depending on URL schemes might reveal the grouping of certificates by
> account id.
>
> However, if we choose Not Found, that implies we're trying to hide the
> existence of certain resources, which means checking for those resources
> has to be timing-safe, a very high bar. We wind up hiding one foot-gun
> (URL enumeration) under another foot-gun (timing attacks).
>
> Alternately, we could consider URL enumeration out of scope, and say
> "POST-as-GET is only intended to protect the contents of resources, not
> their existence or relationship to each other."
>
> That winds up leaving us pretty close to being back at draft-14: Since
> POST-as-GET protects resource bodies, and the currently-specified
> resources are already broken down into sensitive (account) and not
> (orders, authorizations, challenges, certificates), we could just as
> well leave the non-sensitive resources as regular GETs. We might make a
> change to define POST-as-GET as a broader mechanism, to be used by
> default by future extensions that define new resource types.
>
> Alternately, we might say that even though orders, authorizations,
> challenges, and certificates are all non-sensitive, we should require
> POST-as-GET across the board for all ACME requests, because it will
> simplify security analysis.
>
> What do you all think? Should enumeration of the existence of URLs be
> considered in-scope?
>

The correct answer here is Unauthorized.  The resource exists, and it's the
job of the authentication / authorization system to prevent unauthorized
parties from accessing it.

I disagree with your assessment that this puts us back at draft-14.  It
just moves us to the edge of the demarc: The guidance from the HTTP folks
says we're not allowed to specify URL plans for server operators, in order
to give them deployment flexibility.  The flip-side of that is that it is
up to operators to use a safe URL plan.  So we're doing our part in the
protocol; operators need to do their part.

I can add some guidance to the security considerations.

--Richard

On Fri, Aug 31, 2018 at 4:15 PM Jacob Hoffman-Andrews <jsha@eff.org> wrote:

> On 08/31/2018 12:30 PM, Jacob Hoffman-Andrews wrote:
> > /account/100/certificate/3438
> > /account/201/certificate/3439
> > /account/100/certificate/3440*
>
> Here's an issue that came up during code review: When you POST-as-GET to
> a resource you don't own, should you get Not Found or Unauthorized? The
> quick answer is Not Found. If we return Unauthorized, that still allows
> potentially enumerating the existence of certificates URLs, which
> depending on URL schemes might reveal the grouping of certificates by
> account id.
>
> However, if we choose Not Found, that implies we're trying to hide the
> existence of certain resources, which means checking for those resources
> has to be timing-safe, a very high bar. We wind up hiding one foot-gun
> (URL enumeration) under another foot-gun (timing attacks).
>
> Alternately, we could consider URL enumeration out of scope, and say
> "POST-as-GET is only intended to protect the contents of resources, not
> their existence or relationship to each other."
>
> That winds up leaving us pretty close to being back at draft-14: Since
> POST-as-GET protects resource bodies, and the currently-specified
> resources are already broken down into sensitive (account) and not
> (orders, authorizations, challenges, certificates), we could just as
> well leave the non-sensitive resources as regular GETs. We might make a
> change to define POST-as-GET as a broader mechanism, to be used by
> default by future extensions that define new resource types.
>
> Alternately, we might say that even though orders, authorizations,
> challenges, and certificates are all non-sensitive, we should require
> POST-as-GET across the board for all ACME requests, because it will
> simplify security analysis.
>
> What do you all think? Should enumeration of the existence of URLs be
> considered in-scope?
>

v2.23.0 | Report a Bug | By Email