Re: [DNSOP] New Version Notification for draft-rebs-dnsop-svcb-dane-00.txt

Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 12 December 2021 20:14 UTC

Date: Sun, 12 Dec 2021 15:14:41 -0500
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dnsop@ietf.org
Message-ID: <YbZYMaWoI2uJAJwe@straasha.imrryr.org>
Reply-To: dnsop@ietf.org
References: <163908832760.8339.4135304026578566025@ietfa.amsl.com> <CAHbrMsCbN8+2UCQLCYKvp5RZ_v+srMha5xU25A9Q9F=ASna9xA@mail.gmail.com> <F9919030-4B37-42DE-BE7B-73BAAFDC5433@dukhovni.org> <m1mw0U9-0000IMC@stereo.hq.phicoh.net> <YbV6LCozgx3GhGE7@straasha.imrryr.org> <m1mwKYQ-0000H0C@stereo.hq.phicoh.net>
In-Reply-To: <m1mwKYQ-0000H0C@stereo.hq.phicoh.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/FuLIeVgatA3CA61mkUzDHG0L6iQ>
Subject: Re: [DNSOP] New Version Notification for draft-rebs-dnsop-svcb-dane-00.txt

On Sun, Dec 12, 2021 at 09:49:57AM +0100, Philip Homburg wrote:

> >> There is something I don't understand about this draft.
> >
> >The main thing to understand is that complex applications like browsers
> >allow data retrieved from one endpoint to script interaction with a
> >*different* endpoint, and possibly see the retrieved content, subject to
> >various CORS (Cross-origin resource sharing) controls.
> 
> Indeed this is subject to CORS. Nothing new here. Any browser needs to get
> this right.

Perhaps I failed to explain the issue, but that does not mean that there
is no issue.

The browser may be communicating with a victim server believing its name
to be the same as the attacker's server, and therefore allowing attacker
served scripts (from a prior connection) to script the interaction with
the victim server.  The victim server may believe it has a secure
connection with the client (based perhaps on a client-certificate-signed
handshake) and may allow it to retrieve sensitive data.

Cookie-based authentication does not appear to be vulnerable here, since
the browser would presumably not send victim site cookies to a site
it believes to be the attacker.

If the victim site uses https, but authenticates clients by internal IP
alone, again there could be an issue.

I don't know how to explain this better; you could ask on a cryptography
or TLS-related forum.  This is DNSOP, where the expertise tends to be of
a different nature.

-- 
    Viktor.
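The risk described in the message above, as an added illustration that is not part of the original thread or of the draft: a toy model in which the browser keys its cookie jar and script origin on the hostname it believes it connected to, while the server authenticates clients by cookie, by client certificate, or by source IP. The hostnames, the session cookie, the trusted IP and the `strict_name_binding` mitigation (refusing to treat a connection as the believed origin unless the name whose TLS identity was verified matches it) are all constructed assumptions for the model.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Server:
    """Victim server; its TLS identity is for `name`."""
    name: str
    auth_mode: str                      # "cookie", "client_cert" or "ip"
    session_cookie: str = "victim-session"   # constructed sample value
    trusted_ips: set = field(default_factory=set)

    def handle(self, cookie: Optional[str], cert_subject: Optional[str],
               client_ip: str) -> str:
        """Return 'exposed' if the request is treated as authenticated."""
        if self.auth_mode == "cookie":
            ok = cookie == self.session_cookie
        elif self.auth_mode == "client_cert":
            ok = cert_subject is not None   # handshake was client-cert signed
        elif self.auth_mode == "ip":
            ok = client_ip in self.trusted_ips
        else:
            raise ValueError(f"unknown auth mode {self.auth_mode!r}")
        return "exposed" if ok else "denied"


@dataclass
class Connection:
    believed_host: str        # origin the browser attributes to this connection
    authenticated_name: str   # name whose TLS identity was actually verified
    cert_subject: Optional[str]
    client_ip: str


class Browser:
    """Simplified browser: cookies and script origin are keyed by believed host."""

    def __init__(self) -> None:
        self.cookie_jar: dict[str, str] = {}

    def request(self, conn: Connection, server: Server,
                strict_name_binding: bool = False) -> str:
        # Assumed mitigation: only treat the connection as the believed origin
        # when the verified identity is for that same name.
        if strict_name_binding and conn.authenticated_name != conn.believed_host:
            return "refused"
        # Cookies are looked up for the host the browser believes it reached,
        # so victim cookies are never attached to a connection it attributes
        # to the attacker's origin.
        cookie = self.cookie_jar.get(conn.believed_host)
        return server.handle(cookie, conn.cert_subject, conn.client_ip)


def run_scenario(auth_mode: str, strict_name_binding: bool = False) -> str:
    """Attacker-origin script drives a connection that really reaches the victim."""
    victim = Server("victim.example", auth_mode, trusted_ips={"10.0.0.5"})
    browser = Browser()
    # Constructed: a cookie from an earlier legitimate login to the victim.
    browser.cookie_jar["victim.example"] = victim.session_cookie
    # Constructed confused connection: believed origin is the attacker's name,
    # but the identity verified belongs to the victim.
    conn = Connection(believed_host="attacker.example",
                      authenticated_name="victim.example",
                      cert_subject="CN=alice",
                      client_ip="10.0.0.5")
    return browser.request(conn, victim, strict_name_binding)


if __name__ == "__main__":
    for mode in ("cookie", "client_cert", "ip"):
        print(mode, run_scenario(mode), run_scenario(mode, strict_name_binding=True))
```

Running the model reproduces the message's three cases: cookie-based authentication is denied because the jar is keyed by the believed origin, while client-certificate and internal-IP authentication expose data because neither depends on the name the browser believes; with the assumed name binding enforced, the confused connection is refused before any request is made.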