IETF Logo Mail Archive

Re: exposing certificate information (current + upcoming)

Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 10 May 2019 13:13 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CF491201A2 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 10 May 2019 06:13:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.9
X-Spam-Level:
X-Spam-Status: No, score=-2.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, MAILING_LIST_MULTI=-1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JZA8Oh7dIhKW for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Fri, 10 May 2019 06:13:22 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [IPv6:2603:400a:ffff:804:801e:34:0:38]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 873A2120021 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Fri, 10 May 2019 06:13:22 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.89) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1hP5Ib-0003um-TQ for ietf-http-wg-dist@listhub.w3.org; Fri, 10 May 2019 13:10:53 +0000
Resent-Date: Fri, 10 May 2019 13:10:53 +0000
Resent-Message-Id: <E1hP5Ib-0003um-TQ@frink.w3.org>
Received: from mimas.w3.org ([2603:400a:ffff:804:801e:34:0:4f]) by frink.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <ilariliusvaara@welho.com>) id 1hP5IZ-0003tP-9a for ietf-http-wg@listhub.w3.org; Fri, 10 May 2019 13:10:51 +0000
Received: from welho-filter1.welho.com ([83.102.41.23]) by mimas.w3.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.89) (envelope-from <ilariliusvaara@welho.com>) id 1hP5IX-0003WO-H9 for ietf-http-wg@w3.org; Fri, 10 May 2019 13:10:51 +0000
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id DEB661572B for <ietf-http-wg@w3.org>; Fri, 10 May 2019 16:10:23 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id rlqL0lqwB4Nh for <ietf-http-wg@w3.org>; Fri, 10 May 2019 16:10:23 +0300 (EEST)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 9E52472 for <ietf-http-wg@w3.org>; Fri, 10 May 2019 16:10:22 +0300 (EEST)
Date: Fri, 10 May 2019 16:10:22 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20190510131022.GA891203@LK-Perkele-VII>
References: <BA35C55E-E096-49DA-BBC5-D5A34756FC67@greenbytes.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <BA35C55E-E096-49DA-BBC5-D5A34756FC67@greenbytes.de>
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: ilariliusvaara@welho.com
Received-SPF: none client-ip=83.102.41.23; envelope-from=ilariliusvaara@welho.com; helo=welho-filter1.welho.com
X-W3C-Hub-Spam-Status: No, score=-3.5
X-W3C-Hub-Spam-Report: AWL=1.062, BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: mimas.w3.org 1hP5IX-0003WO-H9 29a782744093b54a8ef79cfe4f674339
X-Original-To: ietf-http-wg@w3.org
Subject: Re: exposing certificate information (current + upcoming)
Archived-At: <https://www.w3.org/mid/20190510131022.GA891203@LK-Perkele-VII>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/36629
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

On Fri, May 10, 2019 at 12:46:53PM +0200, Stefan Eissing wrote:
> Christophe Brocas (@cbrocas), organizer of Pass-the-Salt security conference, tweeted 
> about checking HTTP server certificates against CT logs to detect very early if someone
> successfully highjacked one of your domains.
> 
> A renewed certificate is often not immediately used on a server but activated on the
> next restart which can be several hours away. To check if a certificate mentioned in a
> CT log, one would need to obtain information about upcoming certificates as well.

If the certificate managment is automated, the time window between
obtaining the certificate from CA and deploying it to production
is typically much faster than few hours, typically few seconds to few
tens of seconds, altough some setups deploy in sub-second timescales
and some may take hundreds of seconds.

This is because the clients typically reload the webserver after any
run which changed the certificates (the craziest setups hot-reload from
inotify, or something similar).


Regarding using CT for highjack detection, there is proposed mechanisms
for CT "gossip" where clients send recently seen certificates or pointers
thereof to the webserver, which can then alert admins on reports of
unknown publically trusted certificates. I do not think there are any
concrete specifications about that however (only some drafts).


-Ilari

v2.23.0 | Report a Bug | By Email