Re: Trust and provacy problems with draft-loreto-httpbis-explicitly-auth-proxy
Paul Wouters <paul@nohats.ca> Mon, 05 May 2014 16:16 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A99E71A02CF; Mon, 5 May 2014 09:16:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.651
X-Spam-Level:
X-Spam-Status: No, score=-2.651 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yiHnC9VHqSVs; Mon, 5 May 2014 09:16:03 -0700 (PDT)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) by ietfa.amsl.com (Postfix) with ESMTP id 018771A02B6; Mon, 5 May 2014 09:16:02 -0700 (PDT)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id E6712804DA; Mon, 5 May 2014 12:15:55 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1399306555; bh=3Vrt+uWAdDlXvqbm51j9Ih3183+BlH1iHhE+cgNWGg4=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=qVoWbVgrP7uTB8QyO1Wcf139R66Q6JWTuMo0nsa8UrhqUo6WX7vNwQsLirM5D4Rbw B7NqDpJjrbzOdzzDuU1sfioaSz7TgH+Hlsky5+roIlK1AUmHzObMf/VCvzzwgyCx1R z+WbYxvZRNmMUntvC031ZohlzURhTkU5NnZlBMYI=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.14.7/8.14.7/Submit) with ESMTP id s45GFqCK026731; Mon, 5 May 2014 12:15:53 -0400
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Mon, 05 May 2014 12:15:52 -0400
From: Paul Wouters <paul@nohats.ca>
To: ietf@ietf.org, saag@ietf.org
Subject: Re: Trust and provacy problems with draft-loreto-httpbis-explicitly-auth-proxy
In-Reply-To: <536775D2.4090708@raphaeldurand.fr>
Message-ID: <alpine.LFD.2.10.1405051158150.24575@bofh.nohats.ca>
References: <536775D2.4090708@raphaeldurand.fr>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/BI88VlWSsvbLe-f1-adIJyqvKVs
X-Mailman-Approved-At: Tue, 06 May 2014 08:57:58 -0700
Cc: draft-loreto-httpbis-explicitly-auth-proxy@tools.ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 May 2014 16:16:05 -0000
On Mon, 5 May 2014, Raphaël Durand wrote: > I've just read the draft draft-loreto-httpbis-explicitly-auth-proxy, and I see a lot of trust and privacy problem in this > "Explicit auth proxy". > https://datatracker.ietf.org/doc/draft-loreto-httpbis-explicitly-auth-proxy/?include_text=1 > > The first problem is in the "opt-out" section (3.3). > First, it has to be "opt-in" not "opt-out" (it's called an "explicit auth proxy isn't it ?") It refers to the user having accepted to proxy for everything and than explicitely excluding something. So I don't have a problem with that specific toggle - I do, like you, have a problem with the entire document. > "To ensure the trustfulness of proxies, certification authorities validation procedure for issuing proxy certificates > should be more rigorous than for issuing normal certificates and may also include technical details and processes relevant > for the security assurance." > > No, public CA must not sign these certificates. Proxies certificates must be signed by a local CA explicitly trusted by the > user. I fully agree. > "6. Security Considerations > "Those resources are protected end-to- end between user agent and origin server as usual." > > No they are not, there is a third-party proxy between them. The user do not operate it, so he can't trust it. Indeed, and it further interferes and breaks out-of-band key validation, such as TLSA/DNSSEC. So a protocol modification is completely useless, as the application needs to turn off so many security features, it might as well take the certificate check/override into the application as well. I must say, it is becoming rather tiring to see new incantations of protocol modifications to account for "legalised MITM attacks". How many times do we have to repeat that is a problem to be solved at the application and/or OS level and not at the protocol level? We have enough problems keeping our protocols secure without adding dangerous protocol-based legalised attack modes into our protocols. I am strongly against in-band MITM protocol modifications as specified by this draft, its precursor drafts, and the inevitable follow up drafts. Take your legalised enterprise MITM ideas to the OS and browser vendors. Paul
- Trust and provacy problems with draft-loreto-http… Raphaël Durand
- Re: Trust and provacy problems with draft-loreto-… Yoav Nir
- Re: Trust and provacy problems with draft-loreto-… S Moonesamy
- Re: Trust and provacy problems with draft-loreto-… Salvatore Loreto
- Re: Trust and provacy problems with draft-loreto-… Paul Wouters
- Re: Trust and provacy problems with draft-loreto-… Raphaël Durand