IETF Logo Mail Archive

Re: Signing Set-Cookie

Justin Richer <jricher@mit.edu> Tue, 07 June 2022 17:34 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E55DC157B59 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 7 Jun 2022 10:34:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.76
X-Spam-Level:
X-Spam-Status: No, score=-2.76 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mit.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J_U5xgbwK1zP for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 7 Jun 2022 10:34:53 -0700 (PDT)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1C91C14CF1B for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 7 Jun 2022 10:34:53 -0700 (PDT)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1nyd4E-0002Nx-96 for ietf-http-wg-dist@listhub.w3.org; Tue, 07 Jun 2022 17:32:34 +0000
Resent-Date: Tue, 07 Jun 2022 17:32:34 +0000
Resent-Message-Id: <E1nyd4E-0002Nx-96@lyra.w3.org>
Received: from mimas.w3.org ([128.30.52.79]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <jricher@mit.edu>) id 1nyd4C-0002N4-UP for ietf-http-wg@listhub.w3.org; Tue, 07 Jun 2022 17:32:32 +0000
Received: from outgoing-auth-1.mit.edu ([18.9.28.11] helo=outgoing.mit.edu) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <jricher@mit.edu>) id 1nyd4B-0000y9-Jq for ietf-http-wg@w3.org; Tue, 07 Jun 2022 17:32:32 +0000
Received: from smtpclient.apple (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 257HVuF9000543 (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 7 Jun 2022 13:31:57 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing; t=1654623117; bh=IDfGs6LuPu8SscX1JboX/3gMYhWCvde7lVwEc3xJxcM=; h=From:Subject:Date:In-Reply-To:Cc:To:References; b=Ng+dgDKo4lVECzWsIOkEw2zQqK7KJziGE+BDTk7/TAHPodRdxg0ocMiFU09NbTBSo ICHFPpwfyb6F8hrEWW/C++AnCGkgoJ5128mhZetU442ETzyP/nSTkNXRzTNCy1KLgj Kkaijq9DRlWhY4TLBY6Im2UpU+wUALwvssfoSUIN4KtqiiB9yto55hXSQe0J/4W1K0 eEl0hmC/rFiMwFxYfh20zJVM6GKLYdqTeSR+ODmc1GITTl4D1qeonnwWMSkHiVpoHK +mCXIpEpFq4bnbZ3nh0ibLLh5fHlaxt7o1gzf+kpQjnaR0yKGi+fdsJuS5qOwqF/40 rOUAukIG3IzoQ==
From: Justin Richer <jricher@mit.edu>
Message-Id: <E20AAD79-5757-4269-BFB1-6DD6CA8B2867@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_9230C31C-A1A4-4278-84D3-65BC7546C5AB"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.100.31\))
Date: Tue, 07 Jun 2022 13:31:55 -0400
In-Reply-To: <20220607062716.GA5885@1wt.eu>
Cc: Martin Thomson <mt@lowentropy.net>, HTTP Working Group <ietf-http-wg@w3.org>
To: Willy Tarreau <w@1wt.eu>
References: <A0601849-2870-4150-9926-5FA706D7F6DE@mit.edu> <CACcvr==K0gjhOaBaxt8vK80UYo1tAHVrh78yCcAEMvwx4tT=ag@mail.gmail.com> <7dff30c8-faac-413f-8387-f0a5a51fc6ff@beta.fastmail.com> <A659F1C6-97D6-48FB-BDED-B885AF93E553@mit.edu> <5f586a5b-4d62-40c8-8fa8-f747d08fd52f@beta.fastmail.com> <20220607062716.GA5885@1wt.eu>
X-Mailer: Apple Mail (2.3696.100.31)
X-W3C-Hub-DKIM-Status: validation passed: (address=jricher@mit.edu domain=mit.edu), signature is good
X-W3C-Hub-Spam-Status: No, score=-7.4
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1nyd4B-0000y9-Jq ea4f22fdb4d5456ba776d0453d1af11f
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Signing Set-Cookie
Archived-At: <https://www.w3.org/mid/E20AAD79-5757-4269-BFB1-6DD6CA8B2867@mit.edu>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/40078
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Jun 7, 2022, at 2:27 AM, Willy Tarreau <w@1wt.eu> wrote:
> 
> On Tue, Jun 07, 2022 at 08:28:08AM +1000, Martin Thomson wrote:
>> Hey Justin,
>> 
>> I don't agree that this is an acceptable way of dealing with this problem.
>> It makes the content under signature malleable.  Even if that is extremely
>> narrowly applicable, I don't see how we could publish a specification where
>> the only defense against an attack like this is text to the effect of "this
>> might happen".
> 
> Agreed. Signed contents may never be trusted more than the algorithm
> used to sign them. If you start by not trusting the algorithm, it's not
> by suggesting to be extra careful with the contents that we can deal
> with this. And the use of the signature is here precisely to help an
> implementation know if it may or may not trust the contents, so that
> would completely defeat the purpose.
> 

The signing algorithm is a separate dimension than the signature base generation algorithm (ie, what to sign). I completely agree that if you don’t trust your signing algorithm (beit from collision attacks or key distribution problems or other problems), then you can’t trust what you’re signing. It is not the goal of this specification to solve that problem for applications — nor should it be.

While I agree that the combination could potentially be problematic, and definitely is distasteful from a security purity standpoint, what I’m not seeing is an attack where two distinct non-theoretical valid values of Set-Cookie could be combined into another valid Set-Cookie header. Yes in theory there’s a comma in the syntax, but I’m not seeing how that could be used to mount an actual attack in a meaningful way. The two Set-Cookie headers combined would need to have the exact same content as the single Set-Cookie header on its own, but be interpreted in a different way by the verifier in such a way that would affect the application. The attacker here isn’t substituting a completely different value, and is not adding a value where one wasn’t before. Can someone please give me a concrete demonstration that shows this is something we should actually protect against and not just something to warn against?

Regardless, what is the recommended approach? Martin’s seems to be “throw out HTTP Signatures entirely”, but he’s said that since the work started. :) What I think though is that we’ve got a few potential approaches:

 - Never sign Set-Cookie
 - Never sign multiple Set-Cookie headers
 - Have a special syntax for dealing with Set-Cookie (probably a derived component, but I’m not thrilled about this one)
 - Warn against weirdness with multiple Set-Cookie headers

Any other approaches?

 — Justin

v2.23.0 | Report a Bug | By Email