Re: [secdir] Secdir review of draft-ietf-httpbis-http2-encryption-10
Mark Nottingham <mnot@mnot.net> Thu, 02 March 2017 03:05 UTC
Return-Path: <mnot@mnot.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7DEE129452; Wed, 1 Mar 2017 19:05:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level:
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sWxHTunzqlFY; Wed, 1 Mar 2017 19:05:35 -0800 (PST)
Received: from mxout-07.mxes.net (mxout-07.mxes.net [216.86.168.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 003DF1293EE; Wed, 1 Mar 2017 19:05:34 -0800 (PST)
Received: from [192.168.3.104] (unknown [124.189.98.244]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id CD2A322E259; Wed, 1 Mar 2017 22:05:27 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <CY4PR17MB0997309E466E776272827771DF290@CY4PR17MB0997.namprd17.prod.outlook.com>
Date: Thu, 02 Mar 2017 14:05:24 +1100
Content-Transfer-Encoding: quoted-printable
Message-Id: <82B77F70-AC41-498D-A553-3E0E445936E0@mnot.net>
References: <CY4PR17MB0997309E466E776272827771DF290@CY4PR17MB0997.namprd17.prod.outlook.com>
To: Charlie Kaufman <charliekaufman@outlook.com>
X-Mailer: Apple Mail (2.3259)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/7s0rZHMm9P2q_lYoDTn-xbTItlw>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-httpbis-http2-encryption-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2017 03:05:38 -0000
Hi Charlie, Thanks. > On 2 Mar 2017, at 3:53 am, Charlie Kaufman <charliekaufman@outlook.com> wrote: > > I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. Document editors and WG chairs should treat these comments just like any other last call comments. > > This document specifies a protocol allowing http servers to announce to clients that they allow http queries over TLS, and for capable clients to optionally retrieve content over TLS. The intent is to protect against passive eavesdropping attacks but to never cause errors due to problems with certificates or non-support of TLS by the origin server. It does not protect against server impersonation because there is no reliable way to learn that the server implements this feature The design uses the alternative service advertisement mechanism specified in RFC7838 and appears (at least to my naïve eyes) consistent with the syntax and spirit of that spec. It includes a number of mechanisms designed to prevent hijacking attacks. > > I see no security issues with this document. It claims an intended status of Experimental, which seems surprising. I would expect this to be standards track. > > The title of the document: "Opportunistic Security for HTTP" is a little misleading since I expect many in this community would like to see opportunistic encryption for HTTP/1.1, which could not be implemented with this specification. A better title might be "Opportunistic Encryption for HTTP/2". That seems reasonable to me. See: https://github.com/httpwg/http-extensions/commit/93e79a9247ba8e734 > In general, the document has a long list of rules for when it is OK to do this and when it is not. It would be helpful to readers (and to people working on future revisions) if there were more explanations of why usage is so restricted (i.e., what could go wrong if the restrictions were ignored). I found myself wondering, for example, why server certificates needed to pass all the same restrictions as https when there is no cryptographic protection against server impersonation. I believe the answer is that without that restriction there are scenarios where the feature could make it logistically easier to impersonate a server without modifying DNS responses. But more explanation in the document would have been helpful. I understand. I'm a little reluctant to start adding rationale for each requirement en masse at this stage; it feels likely that we'd misrepresent something. > Nits: > > Last paragraph of section 1.1, there is an ambiguous antecedent. > > Furthermore, this specification is not > intended to replace or offer an alternative to "https", since it both prevents active attacks and invokes a more stringent security model in most clients. > > Should be replaced with: > > Furthermore, this specification is not > intended to replace or offer an alternative to "https", since https both prevents active attacks and invokes a more stringent security model in most clients. See: https://github.com/httpwg/http-extensions/commit/c3e04d1539 Cheers, -- Mark Nottingham https://www.mnot.net/
- [secdir] Secdir review of draft-ietf-httpbis-http… Charlie Kaufman
- Re: [secdir] Secdir review of draft-ietf-httpbis-… Mark Nottingham
- Re: [secdir] Secdir review of draft-ietf-httpbis-… Martin Thomson