Re: [secdir] Secdir review of draft-ietf-httpbis-replay
Magnus Nyström <magnusn@gmail.com> Thu, 03 May 2018 04:10 UTC
Return-Path: <magnusn@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65E5212D7F2; Wed, 2 May 2018 21:10:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 875TgVLhAbk9; Wed, 2 May 2018 21:10:51 -0700 (PDT)
Received: from mail-pf0-x22c.google.com (mail-pf0-x22c.google.com [IPv6:2607:f8b0:400e:c00::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17DE5120727; Wed, 2 May 2018 21:10:51 -0700 (PDT)
Received: by mail-pf0-x22c.google.com with SMTP id j5so13611565pfh.2; Wed, 02 May 2018 21:10:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=CfeEerq54o+Ghl/QoAckUmQSa+89mRBWTza3+oQMz6I=; b=VzmSGmlae86xJFbYczXKIDctp90TY+clznEydle7RGanNE9KbliuVVihc8XiPhiJqk UVvWolahysSwxZPJ01t4gWtzZ8BtPJGb0BRmnFjpSiEU76ruet+vRJhsYtdCaDZVcHep p+jBHqJPJDuYGrlEfI988F5v3kPBhRBoeDi+P4QQ0UAIBfgDK7pYg8f4PVz6YQc34v61 PwRcw1o3EfVJ1GYL48wDxRdJh7JFR6GDyMa+m7xe8LMrv3XlkF7MedLgK2mjhOTmEpfY b2ahHVt6wQTig+RH5dpGh2W8eWmzSPqF6/HjYAI6TwwQMkwpol9ZYo6xzBfbdGzxuSQP OsIw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=CfeEerq54o+Ghl/QoAckUmQSa+89mRBWTza3+oQMz6I=; b=IyEOO2rI7WMcsx9pmEYVbZsr14i0Rz8KYdzVA+Mu1VENV44Crex0B5gKXec6YOfHj4 m2AMmAdkp6+eZEO99kKz7BJF+ZdV74Gzy8+v/zEQt52Qt3nS30PXd2PMc8WzZyIynaFm k57fvdllalgOuMhO/QM4wPNCc7TzZW9z5PNnAqFBRqc6MZE5IgTNrFXlDrZUSSGi9usD Bd7F5LI3/ow4Q+HbU4XPIySTY6gqhII40CVRI/8HCBYmHaBkY/dPNj7kcfPlzMxpO8yd /Eq38jnXnQh9JhTdxEYgeLOXkO9r1VQ3xstsY3Fkbe3/Tz1P60m2ZjoQ0Z9eXxMvncqc VKDg==
X-Gm-Message-State: ALQs6tAjH7zBAulkzVwb4ow/n9nQoJj9EEWMJHzZu46yNGlCElLy15ji 1wYKSeAPzZ6WM9xh0UoaHN6xA7hi7iwIsOWSFNw=
X-Google-Smtp-Source: AB8JxZopwVn1JHGn0FdlpQf1AM9om+jzDzIRiOi25A81hLJeKmHzLRhgEd1nRuxbQMPU/suHoV8x1hmTPxry2S/F3ng=
X-Received: by 2002:a17:902:1e3:: with SMTP id b90-v6mr21942092plb.273.1525320650611; Wed, 02 May 2018 21:10:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.164.165 with HTTP; Wed, 2 May 2018 21:10:50 -0700 (PDT)
In-Reply-To: <CABkgnnVRX3ZkSE=fxsRUvCOyV8VT3cG2kAMVtf6X85DGGkB3fw@mail.gmail.com>
References: <CADajj4a1TCqksCoUSWraM+H9Nft0nD5Mu9u38-u-c4jugUKTPQ@mail.gmail.com> <20180502064035.GA12016@1wt.eu> <CABkgnnVRX3ZkSE=fxsRUvCOyV8VT3cG2kAMVtf6X85DGGkB3fw@mail.gmail.com>
From: Magnus Nyström <magnusn@gmail.com>
Date: Wed, 02 May 2018 21:10:50 -0700
Message-ID: <CADajj4Z6+ZYf1XAHADq_tcykv2gkpTWC0VwN6xRju176WgVJ2Q@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Willy Tarreau <w@1wt.eu>, secdir@ietf.org, draft-ietf-httpbis-replay@ietf.org
Content-Type: multipart/alternative; boundary="0000000000008c61a3056b456304"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/-TL10oNeuzfW_d5DhV6VGwzkiRw>
Subject: Re: [secdir] Secdir review of draft-ietf-httpbis-replay
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 May 2018 04:10:53 -0000
Yes Martin, I think all of those changes are improvements - thanks for considering! /M On Wed, May 2, 2018 at 6:51 PM, Martin Thomson <martin.thomson@gmail.com> wrote: > Yes, thanks Magnus, > > I think that Willy answered the primary concerns. I'm not sure that there > is anything actionable in those, but if you have a suggestion for > improvement, that would be appreciated. > > > > - Section 2, first sentence: Insert "data" after "application" > > This is fixed in the editor's copy (long story there, but the draft you > reviewed was *slightly* out of date). > > > > - In Section 3, step 3, it is stated that: "If the server receives > multiple > > > requests in early data, it can determine whether to defer HTTP > processing > > > on a per-request basis," however, in Section 4, it is stated that: > "Note > > > that a server cannot choose to selectively reject early data at the TLS > > > layer. TLS only permits a server to accept all early data, or none of > it" - > > > I guess this may be consistent (it will accept all data, but can > > > selectively defer processing), but it is a bit confusing. > > > Probably that we need to refine the wording. The point in section 3 was > > to make it clear that early data may affect multiple requests > (pipelining, > > HTTP/2 multiplexing), and point 4 tries to clarify the fact that the TLS > > layer provides you a data stream, part of which was received as early > > data, and that the server has no choice but to consume them all or reject > > them all. > > When I went to look at this, I noticed that we don't really explain that > rejecting 0-RTT is possible. That's an important option, even if it is > pretty severely limited. > > So I added that: > 2. The server can reject early data. A server cannot selectively > reject early data, so this results in all requests sent in early > data being discarded. > > Full change at: https://github.com/httpwg/http-extensions/pull/602 > > In doing so, I think that the context needed to interpret step 3 (now step > 4) is available. > > > > - The attack in Section 4 is outlined as follows: "An attacker sends > early > > > data to one server instance that accepts and processes the early data, > but > > > allows that connection to proceed no further. The attacker then > forwards > > > the same messages from the client to another server instance that will > > > reject early data. The client then retries the request, resulting in > the > > > request being processed twice." > > > This seems a little convoluted - how would the attacker know, before > the > > > client has sent the first message, that it is what the client will > send? Is > > > the attacker's first message to a server instance intercepted from the > > > client? If so, suggest making that clear. > > > Indeed, that was based on intercepted and replayed traffic. With an > > individual hat, I agree that the example is a bit conflated. But the > > point here was mostly to expose the risks that could happen by lazy > > implementations that would take some shortcuts (like automatically > > retrying on timeout for a client or a server accepting to process > > unsafe early-data requests). > > Yeah, maybe this alternative is better: > Automatic retry creates the potential for a replay attack. An > attacker intercepts a connection that uses early data and copies the > early data to another server instance. The second server instance > accepts and processes the early data. The attacker then allows the > original connection to complete. Even if the early data is detected > as a duplicate and rejected, the first server instance might allow > the connection to complete. If the client then retries requests that > were sent in early data, the request will be processed twice. > > Details at: https://github.com/httpwg/http-extensions/pull/603 > -- -- Magnus
- [secdir] Secdir review of draft-ietf-httpbis-repl… Magnus Nyström
- Re: [secdir] Secdir review of draft-ietf-httpbis-… Willy Tarreau
- Re: [secdir] Secdir review of draft-ietf-httpbis-… Martin Thomson
- Re: [secdir] Secdir review of draft-ietf-httpbis-… Magnus Nyström