Re: [Acme] AD Review: draft-ietf-acme-tls-alpn-05
Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 26 December 2018 14:56 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC10E130DF1 for <acme@ietfa.amsl.com>; Wed, 26 Dec 2018 06:56:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n1w3Vff5x56h for <acme@ietfa.amsl.com>; Wed, 26 Dec 2018 06:56:30 -0800 (PST)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91467130DEE for <acme@ietf.org>; Wed, 26 Dec 2018 06:56:30 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 7A6A41601C; Wed, 26 Dec 2018 16:56:28 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id exgjZ9lkKNlz; Wed, 26 Dec 2018 16:56:28 +0200 (EET)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id B41EB7A; Wed, 26 Dec 2018 16:56:25 +0200 (EET)
Date: Wed, 26 Dec 2018 16:56:25 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: IETF ACME <acme@ietf.org>
Message-ID: <20181226145625.GB6893@LK-Perkele-VII>
References: <CABcZeBPCM1qc+z0FM4iB-DeGGuKg-V4CCxUWzs+RTuYhXJrJvw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CABcZeBPCM1qc+z0FM4iB-DeGGuKg-V4CCxUWzs+RTuYhXJrJvw@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/gfj8QkWF9FRQkd8GUwHBsb81ChY>
Subject: Re: [Acme] AD Review: draft-ietf-acme-tls-alpn-05
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Dec 2018 14:56:33 -0000
On Mon, Dec 24, 2018 at 12:47:30PM -0800, Eric Rescorla wrote:
>
> S 4.
> > properly segregates control of those names to the users that own
> > them. This means that if User A registers Host A and User B
> > registers Host B the server should not allow a TLS request using a
> > SNI value for Host A to be served by User B or Host B to be served by
> > User A. If the server allows User B to serve this request it allows
> > them to illegitimately validate control of Host A to the ACME server.
>
> Isn't this the property you say doesn't hold in S 6 below. As I
> understand it, the rationale for this design is that people who opt in
> to acme-tls/1 won't do this, no?
No. This is a different property than one mentioned in S6. This is due
to different SNI used.
The property wanted here is basically coherence of HTTP and TLS
forwarding: Both are always forwarded to the same user for the same
name. If such coherence exists, the ALPN acts as just muxing
function (allow validating without bringing the host down).
Such coherence is not enough for TLS-SNI, as the SNI sent is junk,
so nobody has seen it before. The service provoder would have to
block the TLS-SNI names in order to not be vulernable.
If there is no such coherence, then if acme-tls/1 is forwarded, then
the attacker can misvalidate if the legit user has not already enabled
HTTPS. However, this is not sufficient to deter attacks if HTTPS is
not enabled yet: Merely forwarding the HTTPS pkix validation path is
enough to misvalidate (some CAs can use it to validate, as it is
consistent with BRs). With publically trusted certificate, attacker
can then abuse HSTS (HTTP Strict Transport Security) to hijack traffic
without having to mess with DNS or BGP.
My interpretation of BR method 10 is that it requires the authorization
domain name to be present in certficate ("a certificate on the
authorization domain name"). TLS-SNI fails this requirement, as the
certificate most definitely is not on the authorization domain name. I
do not think any reasonable implementation of method 10 is vulernable
to the attack that fell TLS-SNI (as reasonable implementation would set
SNI to the authorization domain name, which makes attacks much more
difficult). Nevertheless, CABForum is considering scrapping method 10
and replacing it with something like TLS-ALPN.
And with regards of servers blindly selecting ALPN, I really do not
think any server does this, as it would cause a lot of connect
failures (any modern browser would fail if HTTP/2 is not also enabled).
-Ilari
- [Acme] AD Review: draft-ietf-acme-tls-alpn-05 Eric Rescorla
- Re: [Acme] AD Review: draft-ietf-acme-tls-alpn-05 Ilari Liusvaara
- Re: [Acme] AD Review: draft-ietf-acme-tls-alpn-05 Eric Rescorla
- Re: [Acme] AD Review: draft-ietf-acme-tls-alpn-05 Ilari Liusvaara