Re: [certid] user agent redirection is inherently "insecure" (was: Re: review of draft-saintandre-tls-server-id-check-09)
=JeffH <Jeff.Hodges@KingsMountain.com> Sat, 25 September 2010 00:22 UTC
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 073813A6B89 for <certid@core3.amsl.com>;
Fri, 24 Sep 2010 17:22:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.127
X-Spam-Level:
X-Spam-Status: No, score=-102.127 tagged_above=-999 required=5 tests=[AWL=0.138,
BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gj+nRT7p9ceD for
<certid@core3.amsl.com>; Fri, 24 Sep 2010 17:22:05 -0700 (PDT)
Received: from cpoproxy2-pub.bluehost.com (cpoproxy2-pub.bluehost.com
[67.222.39.38]) by core3.amsl.com (Postfix) with SMTP id C19B43A6B6A for
<certid@ietf.org>; Fri, 24 Sep 2010 17:22:05 -0700 (PDT)
Received: (qmail 6905 invoked by uid 0); 25 Sep 2010 00:22:38 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by
cpoproxy2.bluehost.com with SMTP; 25 Sep 2010 00:22:38 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kingsmountain.com;
h=Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Content-Type:Content-Transfer-Encoding:X-Identified-User;
b=KgZ+xziV4kDY5NU98JwGSzwPUm+AY1ymuSc8oSuFeHNrPKSAogju0f2ZhBqyIfm8TwFk3qSh4l22d1f/hChUWDkNzt6MAI1n/TbDbmNiwqHAz8Kww2l9YR92Gxq9yOXV;
Received: from outbound4.ebay.com ([216.113.168.128] helo=[10.244.48.179]) by
box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69)
(envelope-from <Jeff.Hodges@KingsMountain.com>) id 1OzIXG-0003Oc-9S;
Fri, 24 Sep 2010 18:22:38 -0600
Message-ID: <4C9D40CF.6050107@KingsMountain.com>
Date: Fri, 24 Sep 2010 17:22:39 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: IETF cert-based identity <certid@ietf.org>, Martin Rex <mrex@sap.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com}
{sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Subject: Re: [certid] user agent redirection is inherently "insecure" (was:
Re: review of draft-saintandre-tls-server-id-check-09)
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Sep 2010 00:22:07 -0000
I sense topic-drift and a rat-hole here. I'm gonna try to put a concise box over the hole.. Martin replied: > > Matt replied: > >> Martin wrote: >> > The only intention that can be reliably deduced from a user supplying > an hostname as a target address, is that a user wants to "enter" > exactly _that_ site. > > ... > >> > The reference identifier that is passed into the server endpoint >> > identification for the TLS handshake performed with https://mail.google.com >> > results from an untrusted name transformation, and this >> > is very relevant for the security considerations of this I-D. >> >> I'm not sure what kind of trust you were expecting here, but the >> transformation is authorized by https://gmail.com, so there is no reason >> the user shouldn't trust it for the purpose of interacting with the >> service she knows as https://gmail.com . > > This transformation is _NOT_ authorized by the user, so if anything > deserves a scary warning page, then it's this transition. > > The user only said "enter that site", I do not think it is > appropriate for the browser to turn this into "go to that site > and totally enslave me". The redirect behavior you are complaining about is (as we all know) a core facet of the HTTP protocol. Said protocol doesn't differentiate such behavior based on whether it is running over secure transport or not. This is simply how it works, for better or worse. Also, generously cross-mapping domain names for administrative and user convenience is a common practice. From Google's perspective, the "name" gmail.com maps to mail.google.com, and that's their decision to make since it's their web application they are offering. Its probably more straightforward in their app code for all the app URIs to use the authority component of "mail.google.com" rather than that of whatever entry point (e.g. "gmail.com") the user selected (by whatever means). Kudos to them for doing it all properly over TLS/SSL such that no errors pop up. In any case, HTTP redirects are a fact, as are multiple (DNS) names for (web) applications/services/servers/entities. "the Web" is built on both of these. Doing it all over secure transport isn't *necessarily* different than doing it over unsecured transport. We (who're working on -tls-server-id-check) are not going to address or change the above (in this spec) and so I feel further stepping down this rat-hole is inappropriate in discussing this spec. That said, I acknowledge that HTTP redirects can be put to all sorts of evil use, and perhaps the "Web Security Context: User Interface Guidelines (WSC-UI)" <http://www.w3.org/TR/wsc-ui/> should more explicitly and thoroughly discuss user agent behavior in terms of when one is "redirected away from" a "secure web app". Note that the user agent on its own, without guidance from such an app or prior configuration, determine whether any particular redirect is "authorized" or not (and neither can the user) due to aforementioned DNS name mapping, app linking, etc. We've all seen those app warnings from time to time "you're about to be redirected away from our site/app, just be aware, click here to follow the link..." -- this doesn't appear to be mentioned in WSC-UI. HTH, =JeffH