Re: [precis] I-D Action: draft-ietf-precis-7564bis-09.txt
Sam Whited <sam@samwhited.com> Mon, 18 September 2017 15:10 UTC
Return-Path: <sam@samwhited.com>
X-Original-To: precis@ietfa.amsl.com
Delivered-To: precis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0436413428D for <precis@ietfa.amsl.com>; Mon, 18 Sep 2017 08:10:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.721
X-Spam-Level:
X-Spam-Status: No, score=-2.721 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=samwhited.com header.b=cbHpbp20; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=LDcCi6WW
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yabPYC_HPuPh for <precis@ietfa.amsl.com>; Mon, 18 Sep 2017 08:10:46 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6CFB51321A2 for <precis@ietf.org>; Mon, 18 Sep 2017 08:10:46 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id 98AC3212DD; Mon, 18 Sep 2017 11:10:45 -0400 (EDT)
Received: from web5 ([10.202.2.215]) by compute4.internal (MEProxy); Mon, 18 Sep 2017 11:10:45 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=samwhited.com; h=cc:content-transfer-encoding:content-type:date:from :in-reply-to:message-id:mime-version:references:subject:to :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=VwUXWCfv9DLSuAa7M 5yiHquDU6a45imJm55/NMRFffs=; b=cbHpbp20m9yvLYrHkEa9w3rHrtWKN1pfw oFHqxhjUg18vJVNs2bBGPYWvvBTYlwIg62lNP1iXgHe8nsr8ZYLGXlsvTHOJm3f+ NQRUYcEqE1+tpuxTqFQHFV9jpzQ7/ICRhunzCq9N2dHjTN4rpdOPDxX9FtT+olWM rlt74mD3+a5SRyooquYYzmjBt+sQfBcybfndwpnKzGDDKEo6V30omeo4g0dsrct2 W4qjL48wdkQlEuQaS8jZ6jXAfVNQoqXGFwjxcYEycHiTNCNCf+rUsWthwRi8FFCM KewhrZBFA+PCD6beU5lwzwh4c/nhNfqwEyR4cW+0IA4gqxXnjOS4w==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=VwUXWC fv9DLSuAa7M5yiHquDU6a45imJm55/NMRFffs=; b=LDcCi6WWmzk+/oIy+YWFxM RgTrPJhBDvK2YCim+WEv2UIoGaeibJxZeu/7o01o1jERvT1pEN1tMHKhRAgNhb28 7GsuUrC8ospkRx41A3FtLHY+KpQ5aZhb7chzGFgGJIx2R/BWZj7SyUBFE3lodTYr QVTGspPDBRfC+42mXNNKl5XgYy/Xyp+SEJ8MnLksm1WcNxlq7mDQqRKIrMy4mfUe yfizpzREnXBA5S/UGsuoVaTlH119KjQwYVGfqUusQzz+6j11bcU55LTXNWqX/9zM GKlYV4GOpDch5uh64VRmpz4nwL4/mpiaPNHlvg7dgIYl7od6AnvqyTxiAVnRkCRg ==
X-ME-Sender: <xms:9eG_WbA7mM9HGiIDvRDikYpvgpvA-Pvo6hVNCanUwaZN--2N_gszlg>
Received: by mailuser.nyi.internal (Postfix, from userid 99) id 3900F9E2E6; Mon, 18 Sep 2017 11:10:45 -0400 (EDT)
Message-Id: <1505747445.2679629.1109850960.22FF1F11@webmail.messagingengine.com>
From: Sam Whited <sam@samwhited.com>
To: Peter Saint-Andre <stpeter@stpeter.im>
Cc: precis@ietf.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"
X-Mailer: MessagingEngine.com Webmail Interface - ajax-64b08692
In-Reply-To: <9ff90d8e-d130-0443-d3bd-4964b101f957@stpeter.im>
References: <150024725625.303.17137036571104960991@ietfa.amsl.com> <33f7468c-6742-7cbe-fa6f-70002c35cc62@stpeter.im> <CAHbk4RLa5AZp+sKUMoVOE2VsUmaDKGdWBqoTvurU_o=rj_OM0g@mail.gmail.com> <1504880015.1561911.1099626960.6CB0430C@webmail.messagingengine.com> <bd11bb2f-81a7-4081-ed49-15fa0fcb117c@stpeter.im> <1505397979.578298.1106052760.03A5025F@webmail.messagingengine.com> <0fc31e75-7893-c982-30b4-a6fe4ecae5fb@stpeter.im> <1505675616.1686212.1109016016.7A9E7FFE@webmail.messagingengine.com> <a50d8f06-2a2e-5062-5a9d-ace5b718090c@stpeter.im> <1505681506.1709856.1109072624.0D72B3D4@webmail.messagingengine.com> <70293ba4-d48d-fe38-4ea2-cfcb8254978c@stpeter.im> <1505695043.1765196.1109187000.6BDEAF89@webmail.messagingengine.com> <c1760796-0bde-d85c-9c67-b6eb934dfba8@stpeter.im> <1505705546.1810302.1109287696.57457A90@webmail.messagingengine.com> <9ff90d8e-d130-0443-d3bd-4964b101f957@stpeter.im>
Date: Mon, 18 Sep 2017 10:10:45 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/precis/qd-Fg9uWu7vDbvK9AWkj2Y52KlE>
Subject: Re: [precis] I-D Action: draft-ietf-precis-7564bis-09.txt
X-BeenThere: precis@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Preparation and Comparison of Internationalized Strings <precis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/precis>, <mailto:precis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/precis/>
List-Post: <mailto:precis@ietf.org>
List-Help: <mailto:precis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/precis>, <mailto:precis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Sep 2017 15:10:49 -0000
On Mon, Sep 18, 2017, at 08:21, Peter Saint-Andre wrote: > Until we can get to the bottom of this, I'm going to ask the RFC Editor > to "pause the presses" for a few days. I'll try to find time later today > to propose a sentence or two that we can add to the introduction or > security considerations or both. Thanks. Let me try again to clarify why the current state of the RFCs makes me so nervous, and why I think the solution isn't as simple as adding more copy: We cannot address every security concern in every RFC. This brute force method (adding a new paragraph to the security considerations section) doesn't scale, and we'll never find all the specific issues. Instead, we have to write standards in such a way that it actively difficult to make a mistake that will lead to a security flaw (not that we shouldn't document any potential gotchas that we can't get rid of, but we should also make them hard to do in the first place). One way we do this is with consistency. Right now, the nickname profile is the *only* profile that is non-idempotent, this is inconsistent. The reason this matters is that most developers won't read the RFC carefully (or possibly, at all). There is nothing we can do about this, and when developers don't read the RFC we should not blame them for the flaws that result. Reading an RFC is a huge amount of work, so naturally most people won't. Instead we need to write specs in such a way that they won't break it if they just look at the examples, or just skim the sections that sound like they're related to what the dev is trying to do. When I implemented PRECIS I did read the core RFC, built tables, added rules, built an API for composing those rules into profiles, and then went to create the profiles. I did *not* read the profile RFCs (until later when reviewing them for this process, but that's not something most devs will do). Instead, I skipped down to the section that listed the rules for enforcement, saw case mapping, width mapping, etc. and threw those the existing transformers I'd written together in the order specified and called it a day. If I had not been on this mailing list I would never have known that the nickname profile was non-idempotent. This is how most developers will probably do things. Adding more text to address security concerns won't help, since they never saw what was there already. If they didn't get the message from X pages of text, they're even less likely to get it from X+n pages. Even if I did notice that the nickname profile is non-idempotent, there are pressures against a correct implementation: multiple passes over the data makes an already expensive operation even more expensive (2–3 times more in the naive case) and it's just more work to do the right thing (whereas it's easy to pass that work onto the application developers using your implementation and assume they'll take care of it and iterate properly). All this means that, by default, the RFCs make it easy to leave the nickname profile non-idempotent (either by mistake, or intentionally due to the pressures against fixing it). The question then becomes: "is that a problem?" In the case of the non-idempotency of the nickname profile, I think the answer is "yes". For a somewhat concrete example, imagine a multi-user chat room. If a user connects and sets their nickname, a single iteration of the nickname profile is run on it, and it *should* match another user in the room but doesn't because of this issue, that user can use the nickname and is allowed into the room. This may be fine, we expect this to happen anyways on occasion because we're using the freeform class. Now, however, the user sends a query to the server that is handled by a third party system; maybe it's a file upload that is delegated to another server which stores the file at /files/<nickname>/myfile. This second application applies the nickname profile again, however, this now makes it identical to the original users nickname (because the fileserver got a nickname that the chat server already enforced) and their files get stored in the same place, meaning the new user whos nickname is slightly different can overwrite the first users files and use that to send malicious files to the original chat participants friends even though as far as the chat system is concerned they are separate users. This is a silly contrived example, and maybe the administrators shouldn't have been using the nickname profile for their filenames in the first place in this case, but any time there are two systems that might both enforce the nickname profile you end up with a possible inconsistency like this, and I'm sure there will be one where it feels perfectly reasonable to use the nickname profile, but where the actual vulnerability comes from the fact that you don't expect the nickname to end up being different between the two systems. Note that in this example that it only matters that the chat server used a broken implementation that did not iterate multiple times, the file server could be using a perfectly correct implementation and the issue would still exist. —Sam
- [precis] I-D Action: draft-ietf-precis-7564bis-09… internet-drafts
- Re: [precis] I-D Action: draft-ietf-precis-7564bi… Peter Saint-Andre
- Re: [precis] I-D Action: draft-ietf-precis-7564bi… Sam Whited
- Re: [precis] I-D Action: draft-ietf-precis-7564bi… William Fisher
- Re: [precis] I-D Action: draft-ietf-precis-7564bi… Peter Saint-Andre
- Re: [precis] I-D Action: draft-ietf-precis-7564bi… Peter Saint-Andre
- Re: [precis] I-D Action: draft-ietf-precis-7564bi… Sam Whited
- Re: [precis] I-D Action: draft-ietf-precis-7564bi… Peter Saint-Andre
- Re: [precis] I-D Action: draft-ietf-precis-7564bi… Sam Whited
- Re: [precis] I-D Action: draft-ietf-precis-7564bi… Peter Saint-Andre
- Re: [precis] I-D Action: draft-ietf-precis-7564bi… Sam Whited
- Re: [precis] I-D Action: draft-ietf-precis-7564bi… Peter Saint-Andre
- Re: [precis] I-D Action: draft-ietf-precis-7564bi… Sam Whited
- Re: [precis] I-D Action: draft-ietf-precis-7564bi… William Fisher
- Re: [precis] I-D Action: draft-ietf-precis-7564bi… Peter Saint-Andre
- Re: [precis] I-D Action: draft-ietf-precis-7564bi… Sam Whited
- Re: [precis] I-D Action: draft-ietf-precis-7564bi… Peter Saint-Andre
- Re: [precis] I-D Action: draft-ietf-precis-7564bi… Peter Saint-Andre
- Re: [precis] I-D Action: draft-ietf-precis-7564bi… Peter Saint-Andre
- Re: [precis] I-D Action: draft-ietf-precis-7564bi… Sam Whited
- Re: [precis] I-D Action: draft-ietf-precis-7564bi… Peter Saint-Andre
- Re: [precis] I-D Action: draft-ietf-precis-7564bi… Sam Whited
- Re: [precis] I-D Action: draft-ietf-precis-7564bi… Peter Saint-Andre
- Re: [precis] I-D Action: draft-ietf-precis-7564bi… Sam Whited
- Re: [precis] I-D Action: draft-ietf-precis-7564bi… Peter Saint-Andre
- Re: [precis] I-D Action: draft-ietf-precis-7564bi… Sam Whited
- Re: [precis] I-D Action: draft-ietf-precis-7564bi… Marc Blanchet
- Re: [precis] I-D Action: draft-ietf-precis-7564bi… Peter Saint-Andre