RE: draft-nottingham-httpbis-origin-frame

Mike Bishop <Michael.Bishop@microsoft.com> Mon, 14 March 2016 23:21 UTC

From: Mike Bishop <Michael.Bishop@microsoft.com>
To: Martin Thomson <martin.thomson@gmail.com>, Patrick McManus <pmcmanus@mozilla.com>
CC: HTTP Working Group <ietf-http-wg@w3.org>
Date: Mon, 14 Mar 2016 23:15:44 +0000
Message-ID: <BL2PR03MB190534500BB0D7701F5D7AA487880@BL2PR03MB1905.namprd03.prod.outlook.com>
References: <CAOdDvNo2TpVLkE+7o5L6OcxN6G7sWuAYnRF6OXM1LA7xYd2PJg@mail.gmail.com> <CABkgnnVQLWo0=VXQSLNNNxGnYEC4Lnqtj2Q2ReYjWKP5D+1Ogw@mail.gmail.com>
In-Reply-To: <CABkgnnVQLWo0=VXQSLNNNxGnYEC4Lnqtj2Q2ReYjWKP5D+1Ogw@mail.gmail.com>
Subject: RE: draft-nottingham-httpbis-origin-frame
Archived-At: <http://www.w3.org/mid/BL2PR03MB190534500BB0D7701F5D7AA487880@BL2PR03MB1905.namprd03.prod.outlook.com>

I'm hesitant to drop DNS altogether. It's not quite part of the security model, but it kind of is. By requiring DNS to match, an attacker has to subvert either DNS or IP routing. My draft was targeting the case where the server has the same IP address, but multiple certificates. (Of course, if you're trying to support non-SNI clients….) I still prefer Alt-Svc to provide a link from the original origin to the endpoint claiming to have the certs.

-----Original Message-----
From: Martin Thomson [mailto:martin.thomson@gmail.com] 
Sent: Monday, March 14, 2016 4:00 PM
To: Patrick McManus <pmcmanus@mozilla.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: draft-nottingham-httpbis-origin-frame

On 15 March 2016 at 04:40, Patrick McManus <pmcmanus@mozilla.com> wrote:
> The DNS restriction of 7540 is really about sane routing of requests
> to the right server by getting an opt-in that indicates configuration.
> It's not really about security - DNS is not really part of the security model.

I 99% agree.  The other 1% is reserved for a minor concern about the way the security model interacts with the rest of the system.

When a URL becomes known to a client, it then seeks out a server that can serve that authority.  RFC 7540 didn't fundamentally change that by allowing coalescing: the same process was followed, we just allowed certain steps to be merged with work already done.

However, this would skip the DNS step entirely.  That's not bad, because we don't rely on it for any sort of security property.
However... it does allow for some interesting capture scenarios.

For example, if I were able to steal a certificate for a few interesting names, I would only have to capture a connection toward a single one of those names in order to effectively intercept all requests to those names.  With Alt-Svc, I would be able to continue that capture as long as the theft remained viable.  With Mike's additional certs, it's possible to use different stolen certificates.

It's a small concern, because I think that the risk is small in comparison to the potential gain, but I don't think that this is something that we can reasonably ignore.
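The two connection-reuse policies being compared in this thread, as an added example that is not part of the original messages: a toy model of the RFC 7540 Section 9.1.1 check (certificate covers the host and the host resolves to the connection's IP) beside an ORIGIN-frame-style check that drops the DNS step. The DNS table, certificate names and the `Connection`/`origins` fields are constructed assumptions, not anything from the draft.

```python
from dataclasses import dataclass

# Constructed DNS table for the example (not real hosts): host -> set of IPs.
DNS = {
    "a.example": {"192.0.2.10"},
    "b.example": {"192.0.2.10"},
    "c.example": {"198.51.100.7"},   # covered by the same cert, but hosted elsewhere
}

@dataclass(frozen=True)
class Connection:
    """A live TLS/HTTP/2 connection as the client sees it (assumed model)."""
    peer_ip: str
    cert_sans: frozenset              # dNSName SANs in the server certificate
    origins: frozenset = frozenset()  # hosts the server advertised in ORIGIN frames

def cert_covers(cert_sans, host):
    """Exact dNSName match or a single-label wildcard (RFC 6125 style)."""
    if host in cert_sans:
        return True
    labels = host.split(".")
    return len(labels) > 1 and "*." + ".".join(labels[1:]) in cert_sans

def may_coalesce_rfc7540(conn, host):
    """RFC 7540 9.1.1: cert covers host AND host resolves to the peer IP.
    The DNS step means a server that merely holds a certificate for `host`
    cannot absorb its traffic unless DNS or routing also agrees."""
    return cert_covers(conn.cert_sans, host) and conn.peer_ip in DNS.get(host, set())

def may_coalesce_origin_frame(conn, host):
    """ORIGIN-frame style: cert covers host AND the server advertised it; no DNS
    check, so possession of a valid certificate is the only remaining gate."""
    return cert_covers(conn.cert_sans, host) and host in conn.origins

def compare(conn, host):
    """Decision under both policies, to show where they diverge."""
    return {"rfc7540": may_coalesce_rfc7540(conn, host),
            "origin_frame": may_coalesce_origin_frame(conn, host)}

if __name__ == "__main__":
    conn = Connection("192.0.2.10",
                      frozenset({"a.example", "b.example", "c.example"}),
                      frozenset({"b.example", "c.example"}))
    for host in ("b.example", "c.example"):
        print(host, compare(conn, host))
    # b.example: both policies allow reuse (same IP, same cert).
    # c.example: RFC 7540 refuses (DNS points elsewhere); ORIGIN-frame accepts.
```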