IETF Logo Mail Archive

Re: [httpapi] Using Date in requests

Martin Thomson <mt@lowentropy.net> Thu, 10 February 2022 02:59 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: httpapi@ietfa.amsl.com
Delivered-To: httpapi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 105BA3A12F9 for <httpapi@ietfa.amsl.com>; Wed, 9 Feb 2022 18:59:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=d69Sq/r2; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=iOdHsGwH
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QfsBrcWUh3aO for <httpapi@ietfa.amsl.com>; Wed, 9 Feb 2022 18:59:21 -0800 (PST)
Received: from wout3-smtp.messagingengine.com (wout3-smtp.messagingengine.com [64.147.123.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D5EF3A12F5 for <httpapi@ietf.org>; Wed, 9 Feb 2022 18:59:21 -0800 (PST)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.46]) by mailout.west.internal (Postfix) with ESMTP id 0E4DD3200F76 for <httpapi@ietf.org>; Wed, 9 Feb 2022 21:59:20 -0500 (EST)
Received: from imap41 ([10.202.2.91]) by compute2.internal (MEProxy); Wed, 09 Feb 2022 21:59:21 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=cc:content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm1; bh=EVf8jvhQp9+CtN03TnXKlS2j83SMFP7gjXmTh6 FOy8k=; b=d69Sq/r2gWS0ObJyiPK2te5uW3bn5Figw+nzuTVjw4Eo3PlcpB18nM eK7gKmFhHBWhqi3e8/NbVpG+0BgMrNkSH2dCWy3BnbwtMzErnblc+OaOQZoOlU55 yszwPKNfZgHcVeaSXPgtEEE6i9UEUpZP+PSUkDEzBdcs/HoD1GLFNS6g5SW1qZVT ws7iJagoXJM3jnyi2UfDb/S1XdrIPPWPgRKJtmENVNdA5SgOERX2corCNQr577k9 XDmRpcRMKOYOroUhvwLh2hLY6X0TiNKrH+pMIDrSs/IAVuk6lo6WnM8hPWd6CaEU 5LUvFeOnYDSutkWXlJOpavqddRt4TlgA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=EVf8jvhQp9+CtN03T nXKlS2j83SMFP7gjXmTh6FOy8k=; b=iOdHsGwH5mJlV9W6npU4E4M6L0BORzcgC KnsCSfCU5Sk7Tflx6Pc8kJ9wfXS6rS6af9Uk/V01D0Hkf6TcQeGipng7Td9z38D8 CvV55XyaFZFdFOjbuqnZGGsS/ldRKYOahShF+3FsiTecGHMJUqR/Fzob31fQ1U3G JQXI+vfzNbhh9LgakewPtuoAbjV4u8VAX6yYl8ciQA/E+N1Y5HecHhUXT88Lgryk 0t2xt0jZGaMvgUekiVOvEzegMmAahmlW5xUAgjOFtZxIjaR4BE9bOI2rM3/IOz/Z 4e/BZ2K7lOpgJslOiELITd3wCwqJkHoapR/4DMsRVZ+P1zr0hnF4w==
X-ME-Sender: <xms:iH8EYhOOo0x3OKVqlbt9U70ENsbjwErpch-IaIMVLJcScP1PrrI4Zg> <xme:iH8EYj-swk5pwTdOST5jfDxfqmS6LWbH1Fdm_uV58wJm_evQsNusFKmU3dawANcp4 Uq4NnnWw7-wKNrYIxU>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvvddriedtgdehudcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesthdtre dtreertdenucfhrhhomhepfdforghrthhinhcuvfhhohhmshhonhdfuceomhhtsehlohif vghnthhrohhphidrnhgvtheqnecuggftrfgrthhtvghrnheptdevtddvgeevkeeiteekud fgffduieegvdfhffefgfdvleffkeetvefgfeeutdfhnecuffhomhgrihhnpehivghtfhdr ohhrghdpghhithhhuhgsrdgtohhmnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrg hmpehmrghilhhfrhhomhepmhhtsehlohifvghnthhrohhphidrnhgvth
X-ME-Proxy: <xmx:iH8EYgRJGNNLEZOxc2hmBPZ3AP1fvkBwS_SHRvD6wvY67iOo3l84YQ> <xmx:iH8EYtsahL-rWDCPzQMgzZNp7EOx2n4sdUxOaFPv_PKb220wY2d7lw> <xmx:iH8EYpf1hyP2c3suzTwORU8R2UxNMmjBdJynw7AQ_DAmehPaS9jlCw> <xmx:iH8EYjqIYlhcDrfdSUsKrt4bBhUpAfMxAVyr9wgsSdbpHlK8u_S6mA>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 654C13C0F8A; Wed, 9 Feb 2022 21:59:20 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-4748-g31a5b5f50e-fm-cal2020-20220204.001-g31a5b5f5
Mime-Version: 1.0
Message-Id: <e2a0d071-7801-41dd-8b54-54142544670d@beta.fastmail.com>
In-Reply-To: <710c5984-6dd5-bdd7-af55-ea3e4d6c9b67@bucksch.org>
References: <054f7a17-d8df-42a6-9d36-0f3aca00c159@beta.fastmail.com> <710c5984-6dd5-bdd7-af55-ea3e4d6c9b67@bucksch.org>
Date: Thu, 10 Feb 2022 13:59:01 +1100
From: Martin Thomson <mt@lowentropy.net>
To: httpapi@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/httpapi/hzk7M3YDaeVUiuX_hFevEQpo65I>
Subject: Re: [httpapi] Using Date in requests
X-BeenThere: httpapi@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Building Blocks for HTTP APIs <httpapi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/httpapi>, <mailto:httpapi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/httpapi/>
List-Post: <mailto:httpapi@ietf.org>
List-Help: <mailto:httpapi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/httpapi>, <mailto:httpapi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Feb 2022 02:59:26 -0000

Hi Ben,

You will note that the system I describe is almost exactly like the one you have.  It's just that the "arbitrary number" is formatted as a Date field.  The resulting change (if any) is stored in the same way as a cookie, with all the same considerations.

I agree that this is suboptimal, but we're dealing with a system that exists.  More expansive solutions are less likely to get implemented, particularly for niche use cases.  Not many people want to include dates in requests.  Many of those that do can use something like JWT/JWS rather than a Date field (same problems of course).  

Spelling it differently won't change much, except make the change more disruptive.  I'm looking to make a surgical tweak that many people won't notice in order to deal with the problem.  I think that's an easier change to enact than a more comprehensive change, even if that change might be more principled.

Also, for all those cases where people do use dates and get the problems you cite, the draft proposes a nice problem message ... and automated remediation strategy.

Cheers,
Martin

p.s., Funny you should say that clocks might be wrong by minutes.  I've seen years and have credible reports of *decades*.

On Wed, Feb 9, 2022, at 18:25, Ben Bucksch wrote:
> Am 09.02.22 um 06:29 schrieb Martin Thomson:
>> I've just posted https://www.ietf.org/archive/id/draft-thomson-httpapi-date-requests-00.html which talks about how to use Date in requests.  ... use Date for managing anti-replay. 
>
>
> Hello Martin,
>
> thanks for posting this and asking for feedback.
>
> I appreciate that you acknowledge the problem of clock screw in the 
> spec. Some clocks are so bad that they can easily be minutes out of 
> sync. Yet others are simply set to the completely wrong time, but the 
> user doesn't use that clock, so he doesn't know. This leads to serious 
> problems in such systems that compare clocks of different systems, 
> particularly if the systems are managed by different entities, like in 
> most client/server scenarios.
>
> I ran into that very painfully with JWT [1]. It took multiple 
> developers several days to debug a failure, which eventually turned out 
> to be a simple clock screw.
>
> I came to the conclusion that any system that compares clocks of two 
> different systems is inherently flawed. That general idea should be 
> avoided in any system - be it a custom site-specific security measure, 
> or an Internet standard.
>
> Rather, time should always be *relative*. Coincidentally, Einstein agreed ;-).
>
> So, what I would propose is rather something that works like a special 
> browser cookie. For the sake of the discussion, I call it "time 
> cookie", but it doesn't need to be technically a cookie, but it should 
> have the same storage properties and lifetime as a cookie, for privacy 
> and tracking purposes. This time cookie would contain a simple Integer, 
> and the only special thing about it is that the browser stores the 
> local time when it was received, and when it's sent, the browser adds 
> the *time difference between receiving and sending*, in the form of the 
> difference of Unixtime.
>
> For example, the server sends 1,000,000 . That's an arbitary Integer 
> value, but let's say the server uses the Unixtime of its local server. 
> When receiving, the browser stores this value, together with the 
> current local time, on the client system, e.g. as Unixtime (which is 
> let's say 1,001,000, i.e. client and server disagree by 1 000 seconds = 
> 17 minutes, but that doesn't matter). 10 seconds later, the browser 
> makes another request to the same server, and the browser sends the 
> server-supplied value of 1,000,000 plus 10 (seconds) = 1,000,010. The 
> server recieves this, the server compares it to its own local Unixtime 
> (or any other base value), and it matches, and the request works.
>
> If you were to send the client time, the client would have sent 
> 1,001,010, and the value would not have matched and the request would 
> have failed.
>
> I believe that such a system that sends *only* the time difference is 
> inherently safer and more reliable, less prone to security attacks, and 
> also eventually simpler to implement, if you consider all the 
> counter-measures that a system based on absolute time would have to 
> implement against clock screw and security attacks.
>
> I appreciate very much the thought that you put into all the problems 
> of clock screw, security attacks manipulating local time, and even 
> privacy threats that abuse the stored server-time for tracking. Very 
> well done. But I believe that all of these could be avoided by a system 
> and simply uses only relative time and never ever compares clocks 
> between two systems.
>
> Due to these known problems, I would recommend to explicitly *avoid* to 
> use a format that uses an absolute date/time format and instead to 
> intentionally specify that the browser sends the time difference in the 
> form of seconds or milliseconds. You all have experienced first hand 
> how often even the most simple things (like HTTP error codes) are 
> implemented without reading the specs carefully, so I am concerned that 
> many implementations will not consider the extensive thoughts about 
> clock screw that you put in, or probably won't even read any part of 
> the spec, but if there's a "Date" header in datetime format, many devs 
> will simply send the current local time, without any adjustment or 
> consideration. So, a system that is explicitly specced to transmit 
> *only* the time *difference* and does not use the format of an absolute 
> time is far more likely to be implemented correctly.
>
> Let's just forget the idea that there is an universally agreed absolute time. 
>
> Repectfully,
>
> Ben Bucksch
>
>
>
>
>
>
>
> [1] Very painful experience with JWT 
> <https://github.com/mozilla/addons-server/issues/1072>
>
> We wrote a script to upload [something to a third-party server] as part 
> of our build process. The code was working for [the dev who] wrote the 
> script, but I just got "Invalid authentication credentials".
>
> We were debugging it for hours and hours, suspecting shell argument 
> passing and parsing, OS differences and what not. We compared 
> credentials and confirmed they are identical. Still, the result was 
> different. During debugging, once, by coincidence, it worked. At a time 
> when it should be expired.
>
> What was the reason? My clock on my computer was fast.
>
> I was screaming. Client server protocols must NEVER EVER compare client 
> clocks with server clocks, because clocks are very often off. Even if 
> it was originally set exactly right by the second, clocks always have a 
> drift in one way or another. If you have 5 million users, you will 
> surely have [many] users whose clocks are off... In my case, my clock 
> was 95 seconds fast. That's not uncommon. I don't run ntpdate 
> regularly, because ntp regularly has security problems, too.
>
> This is a fatal misdesign of the protocol. You simply cannot compare 
> client clock with server clocks. That something that engineers 
> generally know from experience. Often hard lessons, like mine above. 
> Sometimes worse lessons, when 5 million people were hit by this problem.
>
>
>
>
> -- 
> httpapi mailing list
> httpapi@ietf.org
> https://www.ietf.org/mailman/listinfo/httpapi

v2.23.0 | Report a Bug | By Email