Re: [Acme] AD Review: draft-ietf-acme-tls-alpn-05
Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 26 December 2018 14:56 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC10E130DF1 for <acme@ietfa.amsl.com>; Wed, 26 Dec 2018 06:56:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n1w3Vff5x56h for <acme@ietfa.amsl.com>; Wed, 26 Dec 2018 06:56:30 -0800 (PST)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91467130DEE for <acme@ietf.org>; Wed, 26 Dec 2018 06:56:30 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 7A6A41601C; Wed, 26 Dec 2018 16:56:28 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id exgjZ9lkKNlz; Wed, 26 Dec 2018 16:56:28 +0200 (EET)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id B41EB7A; Wed, 26 Dec 2018 16:56:25 +0200 (EET)
Date: Wed, 26 Dec 2018 16:56:25 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: IETF ACME <acme@ietf.org>
Message-ID: <20181226145625.GB6893@LK-Perkele-VII>
References: <CABcZeBPCM1qc+z0FM4iB-DeGGuKg-V4CCxUWzs+RTuYhXJrJvw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CABcZeBPCM1qc+z0FM4iB-DeGGuKg-V4CCxUWzs+RTuYhXJrJvw@mail.gmail.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/acme/gfj8QkWF9FRQkd8GUwHBsb81ChY>
Subject: Re: [Acme] AD Review: draft-ietf-acme-tls-alpn-05
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Dec 2018 14:56:33 -0000
On Mon, Dec 24, 2018 at 12:47:30PM -0800, Eric Rescorla wrote: > > S 4. > > properly segregates control of those names to the users that own > > them. This means that if User A registers Host A and User B > > registers Host B the server should not allow a TLS request using a > > SNI value for Host A to be served by User B or Host B to be served by > > User A. If the server allows User B to serve this request it allows > > them to illegitimately validate control of Host A to the ACME server. > > Isn't this the property you say doesn't hold in S 6 below. As I > understand it, the rationale for this design is that people who opt in > to acme-tls/1 won't do this, no? No. This is a different property than one mentioned in S6. This is due to different SNI used. The property wanted here is basically coherence of HTTP and TLS forwarding: Both are always forwarded to the same user for the same name. If such coherence exists, the ALPN acts as just muxing function (allow validating without bringing the host down). Such coherence is not enough for TLS-SNI, as the SNI sent is junk, so nobody has seen it before. The service provoder would have to block the TLS-SNI names in order to not be vulernable. If there is no such coherence, then if acme-tls/1 is forwarded, then the attacker can misvalidate if the legit user has not already enabled HTTPS. However, this is not sufficient to deter attacks if HTTPS is not enabled yet: Merely forwarding the HTTPS pkix validation path is enough to misvalidate (some CAs can use it to validate, as it is consistent with BRs). With publically trusted certificate, attacker can then abuse HSTS (HTTP Strict Transport Security) to hijack traffic without having to mess with DNS or BGP. My interpretation of BR method 10 is that it requires the authorization domain name to be present in certficate ("a certificate on the authorization domain name"). TLS-SNI fails this requirement, as the certificate most definitely is not on the authorization domain name. I do not think any reasonable implementation of method 10 is vulernable to the attack that fell TLS-SNI (as reasonable implementation would set SNI to the authorization domain name, which makes attacks much more difficult). Nevertheless, CABForum is considering scrapping method 10 and replacing it with something like TLS-ALPN. And with regards of servers blindly selecting ALPN, I really do not think any server does this, as it would cause a lot of connect failures (any modern browser would fail if HTTP/2 is not also enabled). -Ilari
- [Acme] AD Review: draft-ietf-acme-tls-alpn-05 Eric Rescorla
- Re: [Acme] AD Review: draft-ietf-acme-tls-alpn-05 Ilari Liusvaara
- Re: [Acme] AD Review: draft-ietf-acme-tls-alpn-05 Eric Rescorla
- Re: [Acme] AD Review: draft-ietf-acme-tls-alpn-05 Ilari Liusvaara