IETF Logo Mail Archive

Re: [HASMAT] wrt port numbers - comment 51 bug 495115 (bugzilla.mozilla.org)

Adam Barth <ietf@adambarth.com> Sat, 17 July 2010 00:30 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: hasmat@core3.amsl.com
Delivered-To: hasmat@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B6B273A69E6 for <hasmat@core3.amsl.com>; Fri, 16 Jul 2010 17:30:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.763
X-Spam-Level:
X-Spam-Status: No, score=-0.763 tagged_above=-999 required=5 tests=[AWL=-0.646, BAYES_20=-0.74, FM_FORGED_GMAIL=0.622, WEIRD_PORT=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FGvsjTARASB9 for <hasmat@core3.amsl.com>; Fri, 16 Jul 2010 17:30:17 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id 4B36F3A68A7 for <hasmat@ietf.org>; Fri, 16 Jul 2010 17:30:04 -0700 (PDT)
Received: by iwn38 with SMTP id 38so2872272iwn.31 for <hasmat@ietf.org>; Fri, 16 Jul 2010 17:30:16 -0700 (PDT)
Received: by 10.231.161.80 with SMTP id q16mr1613148ibx.142.1279326616013; Fri, 16 Jul 2010 17:30:16 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by mx.google.com with ESMTPS id e8sm12014230ibb.2.2010.07.16.17.30.14 (version=SSLv3 cipher=RC4-MD5); Fri, 16 Jul 2010 17:30:14 -0700 (PDT)
Received: by iwn38 with SMTP id 38so2872256iwn.31 for <hasmat@ietf.org>; Fri, 16 Jul 2010 17:30:14 -0700 (PDT)
Received: by 10.231.203.15 with SMTP id fg15mr1546017ibb.187.1279326614161; Fri, 16 Jul 2010 17:30:14 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.143.145 with HTTP; Fri, 16 Jul 2010 17:29:54 -0700 (PDT)
In-Reply-To: <4C40B0F7.4010008@KingsMountain.com>
References: <4C40B0F7.4010008@KingsMountain.com>
From: Adam Barth <ietf@adambarth.com>
Date: Fri, 16 Jul 2010 17:29:54 -0700
Message-ID: <AANLkTiknk-L7XalNxfNZdWQuxH9HmrWM8vRsJO1jsDuq@mail.gmail.com>
To: =JeffH <Jeff.Hodges@kingsmountain.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: IETF HASMAT list <hasmat@ietf.org>
Subject: Re: [HASMAT] wrt port numbers - comment 51 bug 495115 (bugzilla.mozilla.org)
X-BeenThere: hasmat@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: HTTP Application Security Minus Authentication and Transport <hasmat.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hasmat>, <mailto:hasmat-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hasmat>
List-Post: <mailto:hasmat@ietf.org>
List-Help: <mailto:hasmat-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hasmat>, <mailto:hasmat-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Jul 2010 00:30:19 -0000

Here's the response I gave on the bug:

[[
With respect to port numbers, I think that's not well covered in the spec.  The
way it works in chrome is that the STS state is for the whole host (this is
important to protect secure cookies, which are shared by the whole host).  For
the redirect behavior: port numbers are preserved except port 80 is changed to
port 443 because 80 is the default port for http.
]]

> If you want to keep it simple, and only address the standard configuration,
> my
> proposal is:
>
> - restrict the redirection to http requests that go to port 80

That's not a good idea.  It's an importnat security property that the
browser never issues an HTTP request for hosts with STS enabled.  The
reasons for this are somewhat subtle and revolve around deficiencies
in the cookie protocol.  Essentially, because cookies do not have
integrity, you want to rule out the possibility of an active network
attacker responding to such requests with a Set-Cookie header.

Another way of thinking about the situation is as follows:

1) An STS server is promising never to use HTTP or send broken certificates.
2) If we're trying to issue an HTTP request to example.com:8080, then
that's not what example.com wants and we shouldn't do it.

Adam


On Fri, Jul 16, 2010 at 12:20 PM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:
>
> Comment 51    Kai Engert <kaie@kuix.de>      2010-07-13 17:23:36 PDT
> https://bugzilla.mozilla.org/show_bug.cgi?id=495115#c51
>
>
> One more detail which I don't see addressed in the spec yet: port numbers!
>
> IMHO the primary key should not be "host", but "host:port".
> Also, what happens if the server choses to issue an redirect to a
> non-standard
> port number?
>
> The current code is hard-coded to always construct STS-host uris to the
> default
> port (-1 = 443).
>
> The current code will fail if a STS-host choses to redirect to
>
> https://www.host.com:444
>
> The current code will do funky things if there are two separate http servers
> running on the same host, e.g.
>
> - http://host.com/ (default 80)
> and
> - http://host.com:8080
>
> This configuration is often used on web servers, where the default port is
> the
> actual server, and the additional port is a web-site-maintenance interface.
>
>
> Let's say www.site.com is using port 80 for the public web and is used to
> redirect to 443.
>
> www.site.com is behind a firewall and won't allow connections to ports other
> than 80 and 443 from the outside world.
>
> www.site.com has a plain http maintenance interface on port 8080.
>
> I think with the current code, it's impossible to connect to
> http://www.site.com:8080, because our http engine will always catch that
> request and redirect to https://www.site.com:443/
>
>
> If you want to keep it simple, and only address the standard configuration,
> my
> proposal is:
>
> - restrict the redirection to http requests that go to port 80
>
>
> ---
> end
>
>
>
> _______________________________________________
> HASMAT mailing list
> HASMAT@ietf.org
> https://www.ietf.org/mailman/listinfo/hasmat
>

v2.23.0 | Report a Bug | By Email