IETF Logo Mail Archive

Re: [httpwg/http-extensions] Consulting the DNS on expanding ORIGIN set? (#330)

HTTP issue updates <http-issues@ietf.org> Sat, 08 July 2017 02:21 UTC

Delivered-To: http-issues@ietfa.amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level:
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=github.com; h=from:reply-to:to:cc:in-reply-to:references:subject:mime-version:content-type:content-transfer-encoding:list-id:list-archive:list-post:list-unsubscribe; s=s20150108; bh=E6W57B+4RmcH0qIzU181JulBeoA=; b=QSCzrTb5I/KHOmX0 7BNM4S7QRW5ibBOIhGRwahXIbWqw7JRjrQJF4A8jeKcezH02KHK+KgXz9/FAkE6D WdRAdE2rh6+cJ+j5s0VbyKrrF8utz8VnMFuOw7JCdzkzzwbA80zrkj9I966A3jSX U64YfUhAO+F98aK7lbAMx0HH+Vs=
Date: Sat, 08 Jul 2017 02:21:12 +0000
To: httpwg/http-extensions <http-extensions@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
In-Reply-To: <httpwg/http-extensions/issues/330@github.com>
References: <httpwg/http-extensions/issues/330@github.com>
Subject: Re: [httpwg/http-extensions] Consulting the DNS on expanding ORIGIN set? (#330)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5960419819cb3_456f3ffcda08bc384768c"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
Archived-At: <https://mailarchive.ietf.org/arch/msg/http-issues/G9LACxfqG_2YuBGi32ox1TgZqNw>
Message-ID: <mailman.5957.1499480476.31347.http-issues@ietf.org>
From: HTTP issue updates <http-issues@ietf.org>
Reply-To: http-issues@ietf.org
X-BeenThere: http-issues@ietf.org
X-Mailman-Version: 2.1.22
List-Id: HTTP issue updates <http-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-issues>, <mailto:http-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/http-issues/>
List-Post: <mailto:http-issues@ietf.org>
List-Help: <mailto:http-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-issues>, <mailto:http-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Jul 2017 02:21:16 -0000

> I'm trying to understand your second concern WRT operational behavior of clients. The origins being added are explicitly nominated by the server; presence in the certificate is not enough to cause the connection to be used (indeed, that concern was a large part of the motivation of this draft).

I believe that limiting origin-set and connection reuse was the original motivation for this draft, however, it seems that possible use cases changed a bit because of [draft-bishop-httpbis-http2-additional-certs](https://datatracker.ietf.org/doc/html/draft-bishop-httpbis-http2-additional-certs), which together with this draft, makes it possible to expand the origin-set and effectively hijack traffic for all domains that server has valid SSL certificates for.

Even ignoring the compromised server scenario, there are at least a few operational issues with bypassing DNS:

1. Many medium to large companies use multiple CDN providers and steer traffic using DNS. They use either custom GeoDNS solutions or services like [Cedexis](https://www.cedexis.com/solutions/multi-cdn/) to load balance traffic across multiple CDNs, or simply use one of the CDNs as the primary and rest as active backups. All those CDNs have valid SSL certificates, so neither CT nor certificate pinning would help.
Similarly, some websites migrate traffic to DDoS protection services only during attacks, but those services are configured and have valid SSL certificates at all times.
**Basically, configured != active.**

2. Servers with wildcard certificates can takeover all traffic for the domain, even if some subdomains would never be routed to a particular server. To give an extreme example, let's say that `www.bank.com`, `promotions.bank.com`, etc. are served by the CDN, but `secure.bank.com` is handled by the bank's own infrastructure. There is nothing stopping the CDN with valid certificate for `*.bank.com` from hijacking the traffic for `secure.bank.com`, and while certificate pinning would prevent traffic for `secure.bank.com` from reaching the CDN, it would effectively result in DoS and pretty bad end-user experience.

One solution that came up in discussions with @grittygrease and @enygren, was to include signed DNSSEC response in the `ORIGIN` frame, to prove that the traffic should be routed to this particular server. This obviously solves only part of the problem, since it doesn't mean that traffic from _this particular client_ would be routed to that server, but it's much better than servers going completely wild.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/httpwg/http-extensions/issues/330#issuecomment-313827663

v2.23.0 | Report a Bug | By Email