IETF Logo Mail Archive

Re: [quicwg/base-drafts] Request forgery attacks (#3995)

Kazuho Oku <notifications@github.com> Thu, 13 August 2020 07:59 UTC

Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E6F43A0848 for <quic-issues@ietfa.amsl.com>; Thu, 13 Aug 2020 00:59:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.1
X-Spam-Level:
X-Spam-Status: No, score=-3.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_IMAGE_ONLY_32=0.001, HTML_MESSAGE=0.001, MAILING_LIST_MULTI=-1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2LKfOC84yAAh for <quic-issues@ietfa.amsl.com>; Thu, 13 Aug 2020 00:59:13 -0700 (PDT)
Received: from out-26.smtp.github.com (out-26.smtp.github.com [192.30.252.209]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 207F53A0844 for <quic-issues@ietf.org>; Thu, 13 Aug 2020 00:59:13 -0700 (PDT)
Received: from github-lowworker-f62aa54.va3-iad.github.net (github-lowworker-f62aa54.va3-iad.github.net [10.48.17.68]) by smtp.github.com (Postfix) with ESMTP id 54A745E0058 for <quic-issues@ietf.org>; Thu, 13 Aug 2020 00:59:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1597305552; bh=TuV6Y5il6vxlaIOquwXIF7zpL0Trq3B8vPkDpfDx5Xo=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=ysg3pO/mtkZfqEVa0ozQ/FnjUGHWnH8zTU7XJ7Re+OQYLR+ERy4L8m/UBeIGeXdDu tMPlpvBFNZn/eCIcpEnPKO1bWxyMfn1WlIXJgA8sRb5AixX/eg2HE1jrkgIXMWfgXa xpXW8SSmJeJVKRQ2fEzpeOScm4IaTZHh5hVeXhtE=
Date: Thu, 13 Aug 2020 00:59:12 -0700
From: Kazuho Oku <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+AFTOJK4PTYFVJ6LGEFI7XFN5IDJ5BEVBNHHCQYGADU@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/3995/673325577@github.com>
In-Reply-To: <quicwg/base-drafts/issues/3995@github.com>
References: <quicwg/base-drafts/issues/3995@github.com>
Subject: Re: [quicwg/base-drafts] Request forgery attacks (#3995)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_5f34f2d0459cf_4a7f16f8137585"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: kazuho
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/hHb7pTch1-EnsuTUnukxlnN2vvU>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Aug 2020 07:59:15 -0000

@martinthomson Thank you for raising the issue.

I agree that NEW_TOKEN tokens and SPA are concerning. At the same time, I am not sure how much we have to worry about the encrypted payload being used as the attack vector.

> Therefore, frames carrying application data offer the attacker the means of indirectly controlling large portions of plaintext.

1-RTT packet protection key that is being used for encrypting the frames is *not* controlled by the attacker. The key is derived from the input of both endpoints. I am not sure how practical it would be to assume that a rouge server can calculate what the corresponding plaintext would be for an encrypted text that it wants to use for the attack, when the encryption keys are not obtained until the handshake is performed.

Regarding the amount of effort we should be spending to address this issue, I would point out that SSRF as we know today can induce a browser to send two types of TCP messages: 1) HTTP GET request (or preflight), 2) first flight of TLS over TCP.

I think we can call close the issue if we can make certain that the QUIC packets that the browsers send is as controlled as either of the two patterns.

Encrypted data meets the 2nd requirement. QUIC Initial packets are roughly as random and as binary as Client Hello of TLS over TCP. Encrypted part of QUIC packets are random and as binary as 0-RTT records of TLS over TCP.

Therefore, I think what we need to discuss is limited to NEW_TOKEN tokens and the DCID of SPA.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/quicwg/base-drafts/issues/3995#issuecomment-673325577

v2.23.0 | Report a Bug | By Email