Re: [pkix] How do we differentiate authentic servers from proxies performing TLS interception?

"Miller, Timothy J." <tmiller@mitre.org> Mon, 30 November 2015 13:26 UTC

From: "Miller, Timothy J." <tmiller@mitre.org>
To: "noloader@gmail.com" <noloader@gmail.com>, Peter Bowen <pzbowen@gmail.com>
Date: Mon, 30 Nov 2015 13:26:03 +0000
Message-ID: <BY2PR09MB10973FAC4B869F6F7E6D676AE000@BY2PR09MB109.namprd09.prod.outlook.com>
In-Reply-To: <CAH8yC8=zwiiSUG7S=+BQLYZY4R8GcHY5ZRE=yguBGPASw13cXA@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/3IChyAVAq3CAyCDdc9YNFLYw9jY>
Cc: PKIX <pkix@ietf.org>

> It's still not clear to me how to determine the "good" bad guys from the "bad"
> bad guys.

You can't.  That's not information you can encode because the definitions change with different perspectives.  Consider an intercept performed by a government agency: a government supporter may consider this acceptable, whereas a political dissident may consider it unacceptable.

Your choices are to either fail closed, i.e., don't allow breaking the pinset under any conditions, or to pick some rubric by which breaking a pinset is allowed. Chrome's current implementation--discarding a pinset when the presented certificate chains to a locally installed trust anchor--is one example but by no means the only possibility.

If I were to offer any advice, I would urge you to implement a clear UI that informs the user when a pinset has been discarded no matter what other choice you make.

-- T
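Added illustration of the two choices the message lays out, fail closed or a Chrome-style rubric that discards the pinset when the chain ends at a locally installed anchor, returning a distinct verdict that a UI can surface. This is example code written for this archive page, not code from the thread, from Chrome, or from MITRE; the host name and key bytes are constructed placeholders standing in for DER SubjectPublicKeyInfo values.

```python
import hashlib
from enum import Enum

class PinVerdict(Enum):
    NO_PINSET = "no pinset configured for this host"
    MATCHED = "a pinned key is present in the validated chain"
    VIOLATED = "no pinned key in the chain; fail closed"
    BYPASSED = "pinset discarded: chain ends at a locally installed anchor (surface this in the UI)"

def spki_hash(spki_der: bytes) -> str:
    """A pin is SHA-256 over the DER SubjectPublicKeyInfo (hex here for readability)."""
    return hashlib.sha256(spki_der).hexdigest()

def evaluate_pins(host, chain_spkis, pinsets, builtin_anchors, local_anchors, fail_closed=False):
    """Decide whether an already path-validated chain satisfies the host's pinset.

    chain_spkis: DER SPKIs, leaf first, ending with the trust anchor the chain was built to
    pinsets: {host: set of SPKI hashes}; builtin_anchors/local_anchors: sets of anchor SPKI hashes
    fail_closed=True enforces the pinset under all conditions (no bypass rubric at all)
    """
    pins = pinsets.get(host)
    if not pins:
        return PinVerdict.NO_PINSET
    hashes = [spki_hash(s) for s in chain_spkis]
    anchor = hashes[-1]
    # Chrome-style rubric from the message: a chain terminating at a user- or admin-installed
    # root is treated as sanctioned local interception and the pinset is not enforced.
    # An anchor that also ships built-in never qualifies for the bypass.
    if not fail_closed and anchor in local_anchors and anchor not in builtin_anchors:
        return PinVerdict.BYPASSED
    if any(h in pins for h in hashes):
        return PinVerdict.MATCHED
    return PinVerdict.VIOLATED

# Constructed sample keys (stand-ins for DER SPKIs; not real certificates or real pins).
ROOT_A, INT_A, LEAF_A = b"spki:root-a", b"spki:int-a", b"spki:leaf-a"
INT_B, LEAF_B = b"spki:int-b", b"spki:leaf-b"
PROXY_ROOT, PROXY_LEAF = b"spki:proxy-root", b"spki:proxy-leaf"

BUILTIN_ANCHORS = {spki_hash(ROOT_A)}
LOCAL_ANCHORS = {spki_hash(PROXY_ROOT)}          # e.g. an enterprise proxy root pushed by policy
PINSETS = {"example.com": {spki_hash(INT_A)}}    # pin the site's issuing CA key

GENUINE_CHAIN = [LEAF_A, INT_A, ROOT_A]          # the site's real chain
PROXY_CHAIN = [PROXY_LEAF, PROXY_ROOT]           # an interception proxy re-signed the leaf
MISISSUED_CHAIN = [LEAF_B, INT_B, ROOT_A]        # publicly trusted, but no pinned key present

if __name__ == "__main__":
    for name, chain in [("genuine", GENUINE_CHAIN), ("proxy", PROXY_CHAIN), ("misissued", MISISSUED_CHAIN)]:
        v = evaluate_pins("example.com", chain, PINSETS, BUILTIN_ANCHORS, LOCAL_ANCHORS)
        print(f"{name:10s} -> {v.name}: {v.value}")
```

With `fail_closed=True` the proxy chain is reported as VIOLATED instead of BYPASSED, which is the "don't allow breaking the pinset under any conditions" option.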