Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: client certs and TLS Terminating Reverse Proxies (was Re: I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt)

"Richard Backman, Annabelle" <> Thu, 31 October 2019 21:09 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6809D120826 for <>; Thu, 31 Oct 2019 14:09:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -14.499
X-Spam-Status: No, score=-14.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id MCwQZ9sqTB2D for <>; Thu, 31 Oct 2019 14:09:13 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CB4C6120090 for <>; Thu, 31 Oct 2019 14:09:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;;; q=dns/txt; s=amazon201209; t=1572556153; x=1604092153; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=YTYBy8HlAjjVjG+U4dzvWlrnAkTrDfPRwbukg0BqRUs=; b=FB1piUWsNFKiNNVKPdFs4623DZ0NtOjDo2hha8lf7nThGgOMjQ5TBXS4 jCoBJug3N/ZVGHfTUeVwFXePqRSaIKDTZzpbyeVXtMErgS1cZJNdLThWr HvN1YrXkaGKUooxtNC88xb4v8In/yBd51RV5sWeVW+PwE+epd6d7CgC3z E=;
IronPort-SDR: ukw5nlKt/np/WyicLy9LG2em68d15AX0PZmPG73k7Zp3PoCXbgAXAxAwFIfARLmQHgqLOEEEto EqlON3YoYmoA==
X-IronPort-AV: E=Sophos;i="5.68,253,1569283200"; d="scan'208,217";a="2463338"
Received: from (HELO ([]) by with ESMTP; 31 Oct 2019 21:08:55 +0000
Received: from ( []) by (Postfix) with ESMTPS id E4E37A1701; Thu, 31 Oct 2019 21:08:53 +0000 (UTC)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1367.3; Thu, 31 Oct 2019 21:08:53 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1367.3; Thu, 31 Oct 2019 21:08:52 +0000
Received: from ([]) by ([]) with mapi id 15.00.1367.000; Thu, 31 Oct 2019 21:08:52 +0000
From: "Richard Backman, Annabelle" <>
To: Neil Madden <>
CC: "" <>
Thread-Topic: [UNVERIFIED SENDER] Re: [OAUTH-WG] client certs and TLS Terminating Reverse Proxies (was Re: I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt)
Date: Thu, 31 Oct 2019 21:08:52 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/10.1b.0.190715
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_CF72E390C79D4CA98DEE546B992F91B6amazoncom_"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: client certs and TLS Terminating Reverse Proxies (was Re: I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 31 Oct 2019 21:09:15 -0000

The comparison the bearer tokens is illustrative of the problems I and others are pointing out:

  *   Bearer tokens are embedded in the value of the header, not the header itself, which partially alleviates the concern I raised regarding request signing algorithms.
  *   Bearer tokens are typically relatively short-lived, providing some mitigation against exfiltration through logs.
  *   Bearer tokens are typically dynamically generated, and are therefore less likely to be embedded in source code or config files in a project’s repository.
  *   Bearer tokens are called tokens, and are presented as secrets and are always expected to be treated as secrets.

The random header name is effectively an infinite-lifetime, statically defined bearer token presented in a way that does not at all make clear and obvious that it is a secret that must be protected, and in fact makes it more likely that it will be revealed, rendering it useless. And like all bearer tokens, even under ideal conditions it by definition CANNOT BE USED TO AUTHENTICATE THE SENDER.

There is a certain amount of irony in the idea of the security of a Mutual TLS deployment ultimately coming down to a bearer-token header name passed between the reverse proxy and the protected service. 😂

> if you forget to validate the signature *nothing fails*

Replace the HMAC with encryption and you solve that problem, as it forces the service to decrypt the value using the correct key in order to access the client certificate data. Whether or not that’s worth doing is something we can debate in the context of an actual proposal.

Annabelle Richard Backman
AWS Identity

From: Neil Madden <>
Date: Thursday, October 31, 2019 at 1:17 PM
To: "Richard Backman, Annabelle" <>
Cc: "" <>
Subject: [UNVERIFIED SENDER] Re: [OAUTH-WG] client certs and TLS Terminating Reverse Proxies (was Re: I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt)

On 31 Oct 2019, at 18:55, Richard Backman, Annabelle <> wrote:

Relying on a fixed, random header name for security, even as a “defense in depth” measure, is dangerous. In order for this mechanism to be effective, the header name must be random (in the cryptographic sense) and must be kept secret. It needs to be withheld from request logs or error logs, either on the reverse proxy or on the service. It cannot be committed to code repositories.

Just like any other bearer token.. I mean this is the *OAuth* WG, right? Where we regularly recommend people send bearer tokens in headers? I don’t really understand how that can be considered secure to send over the internet to a cloud service, but suddenly becomes insecure when done inside the firewall within a datacenter between a reverse proxy and an app server.

I mean, are people honestly suggesting that randomizing header names introduces *new* vulnerabilities that aren’t present when you use a well-known name? “Dangerous” even!

Including it as a signed header in request signing algorithms that require an explicit list of signed headers (such as AWS Signature Version 4<>, draft-cavage-http-signatures<>, draft-ietf-oauth-signed-http-request<>) turns that signature metadata into a secret, meaning that it cannot be logged, etc. If signatures are sent to a central authority for processing, that authority must also know not to log the list of signed headers. I could go on, but I hope this is enough to express that there are SO MANY ways that header names can and will be revealed, and they aren’t always obvious.

What we are talking about is a message authenticity problem. The best practices for providing message authenticity involve applied crypto, e.g., an HMAC or digital signature over the header contents. If an implementation does that, then the random header name is unnecessary. This approach is immune to the sort of misconfiguration scenarios that have been discussed in this thread, as they would result in the reverse proxy failing to provide a properly signed header to the service.

I agree that HMAC signatures are generally better, but which reverse proxies support signing headers?

Actually HMAC signatures do have one significant downside compared to using a random header name - if you forget to validate the signature *nothing fails*. If you mess up the name of a random header then your app doesn’t see any credentials and fails noisily.

— Neil