Re: Secdir review of draft-ietf-httpbis-http2-encryption-10

Mark Nottingham <mnot@mnot.net> Thu, 02 March 2017 03:08 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B58A1296D7 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 1 Mar 2017 19:08:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.922
X-Spam-Level:
X-Spam-Status: No, score=-6.922 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O0cehBixCR1P for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 1 Mar 2017 19:08:52 -0800 (PST)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E610F129452 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 1 Mar 2017 19:08:51 -0800 (PST)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1cjH4H-000693-LO for ietf-http-wg-dist@listhub.w3.org; Thu, 02 Mar 2017 03:06:13 +0000
Resent-Date: Thu, 02 Mar 2017 03:06:13 +0000
Resent-Message-Id: <E1cjH4H-000693-LO@frink.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by frink.w3.org with esmtps (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <mnot@mnot.net>) id 1cjH49-00068I-7w for ietf-http-wg@listhub.w3.org; Thu, 02 Mar 2017 03:06:05 +0000
Received: from mxout-07.mxes.net ([216.86.168.182]) by titan.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from <mnot@mnot.net>) id 1cjH40-0006GM-SA for ietf-http-wg@w3.org; Thu, 02 Mar 2017 03:05:59 +0000
Received: from [192.168.3.104] (unknown [124.189.98.244]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id CD2A322E259; Wed, 1 Mar 2017 22:05:27 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <CY4PR17MB0997309E466E776272827771DF290@CY4PR17MB0997.namprd17.prod.outlook.com>
Date: Thu, 02 Mar 2017 14:05:24 +1100
Cc: "secdir@ietf.org" <secdir@ietf.org>, The IESG <iesg@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <82B77F70-AC41-498D-A553-3E0E445936E0@mnot.net>
References: <CY4PR17MB0997309E466E776272827771DF290@CY4PR17MB0997.namprd17.prod.outlook.com>
To: Charlie Kaufman <charliekaufman@outlook.com>
X-Mailer: Apple Mail (2.3259)
Received-SPF: pass client-ip=216.86.168.182; envelope-from=mnot@mnot.net; helo=mxout-07.mxes.net
X-W3C-Hub-Spam-Status: No, score=-7.1
X-W3C-Hub-Spam-Report: AWL=2.484, BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_DB=-1, W3C_IRA=-1, W3C_IRR=-3, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1cjH40-0006GM-SA fd91571f248480dea428d7b7a4827570
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Secdir review of draft-ietf-httpbis-http2-encryption-10
Archived-At: <http://www.w3.org/mid/82B77F70-AC41-498D-A553-3E0E445936E0@mnot.net>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/33643
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Hi Charlie,

Thanks.

> On 2 Mar 2017, at 3:53 am, Charlie Kaufman <charliekaufman@outlook.com> wrote:
> 
> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. Document editors and WG chairs should treat these comments just like any other last call comments.
> 
> This document specifies a protocol allowing http servers to announce to clients that they allow http queries over TLS, and for capable clients to optionally retrieve content over TLS. The intent is to protect against passive eavesdropping attacks but to never cause errors due to problems with certificates or non-support of TLS by the origin server. It does not protect against server impersonation because there is no reliable way to learn that the server implements this feature The design uses the alternative service advertisement mechanism specified in RFC7838 and appears (at least to my naïve eyes) consistent with the syntax and spirit of that spec. It includes a number of mechanisms designed to prevent hijacking attacks.
>  
> I see no security issues with this document. It claims an intended status of Experimental, which seems surprising. I would expect this to be standards track.
>  
> The title of the document: "Opportunistic Security for HTTP" is a little misleading since I expect many in this community would like to see opportunistic encryption for HTTP/1.1, which could not be implemented with this specification. A better title might be "Opportunistic Encryption for HTTP/2".

That seems reasonable to me. See:
  https://github.com/httpwg/http-extensions/commit/93e79a9247ba8e734

 
> In general, the document has a long list of rules for when it is OK to do this and when it is not. It would be helpful to readers (and to people working on future revisions) if there were more explanations of why usage is so restricted (i.e., what could go wrong if the restrictions were ignored). I found myself wondering, for example, why server certificates needed to pass all the same restrictions as https when there is no cryptographic protection against server impersonation. I believe the answer is that without that restriction there are scenarios where the feature could make it logistically easier to impersonate a server without modifying DNS responses. But more explanation in the document would have been helpful.

I understand. I'm a little reluctant to start adding rationale for each requirement en masse at this stage; it feels likely that we'd misrepresent something.


>  Nits:
>  
> Last paragraph of section 1.1, there is an ambiguous antecedent.
>  
> Furthermore, this specification is not
> intended to replace or offer an alternative to "https", since it both prevents active attacks and invokes a more stringent security model in most clients.
>  
> Should be replaced with:
>  
> Furthermore, this specification is not
> intended to replace or offer an alternative to "https", since https both prevents active attacks and invokes a more stringent security model in most clients.

See:
  https://github.com/httpwg/http-extensions/commit/c3e04d1539

Cheers,

--
Mark Nottingham   https://www.mnot.net/