[secdir] Secdir review of draft-ietf-httpbis-replay
Magnus Nyström <magnusn@gmail.com> Wed, 02 May 2018 05:46 UTC
Return-Path: <magnusn@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FD3212D77C; Tue, 1 May 2018 22:46:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id urpS0vfw7xPJ; Tue, 1 May 2018 22:46:44 -0700 (PDT)
Received: from mail-pf0-x236.google.com (mail-pf0-x236.google.com [IPv6:2607:f8b0:400e:c00::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27FCA12D86A; Tue, 1 May 2018 22:46:44 -0700 (PDT)
Received: by mail-pf0-x236.google.com with SMTP id w129so5400699pfd.3; Tue, 01 May 2018 22:46:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=4ieRGvRZfMgeQU3Ds/YxPGuf2mQzYF+LRkBONT+2d5I=; b=BqYwCs7OjvvGWhnMJArELZ6NxuswOURO7bsETAN9vd4yddgoeM5mII/Gt/gejP4UKQ Q7YHj/c9MDnIngweZuD4j+GogRfkmoLWTnjwa8v/5K6PxHodEB6Y3X7VO3DbZXGcUEjw 7cTfeNW7XWB4FjDgMkM4PN0AjGTuKqvgDw3Vbk/qz2p+inWRyjjukFppu67dtHtBhv+N /7ZiZMgSRHe3yM2nh4n0ZB542uvb+E++un/bkoaWT8pvxJzOXMWuy8xEUNjBQ93ESUuz cTC7wOMVfPEgNL7/0q0OpEWH60HpnU4mOpIrFsvBXOFm9XTLfdquS1rkZrd6tM1DtPbB BqRA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=4ieRGvRZfMgeQU3Ds/YxPGuf2mQzYF+LRkBONT+2d5I=; b=CTFahmZJMC3/IilAPLsXNI/ZSDegbcyshTeSPsejhdQEgBk0OjsjqypIdR5xmKKdMc lg6GZ9zsvTYwnkK0znyd42vKPlbGMJOyY+Aqr2tqTSMM5csoOhJaxrxjsm7vX8geBh2r IJ7N6UUXmlmsF0ygzKvkdNvV8XAcqJW1a070AxxhlyHR2aovK7NRHV5z9Q/Zo9SZPkNB 3ZBM8JzMEAOvndTDp7JF9bnXPpCRSss4VAJ3K5HySsw5ieBv3cpC2tkYcVCbDvx4PBxX PDEo2u0B9L1hhb//1n+1EpRgu2/Ne4t4zeFAHnBeVTCctcjcXcC/178MKl3FJ1NqSrCo ldIg==
X-Gm-Message-State: ALQs6tDRSvHWnrKvXJjAmktEavnvZPi1J7l+KkGDiIfMUoLj6gZ+MOZz Iw2ArLHf6FAh8J+owKBsS401YxiUZM58Yr48xk8ruQ==
X-Google-Smtp-Source: AB8JxZrMqi3lRm84C3gWQTPVxYJF1XpI/ixQZ0hGc55u77txBA+tUAc8/eIptZg9efhuOy6FB8aegTTAqXSGnsUhu5A=
X-Received: by 2002:a17:902:8345:: with SMTP id z5-v6mr18325304pln.311.1525240003187; Tue, 01 May 2018 22:46:43 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.164.165 with HTTP; Tue, 1 May 2018 22:46:42 -0700 (PDT)
From: Magnus Nyström <magnusn@gmail.com>
Date: Wed, 02 May 2018 01:46:42 -0400
Message-ID: <CADajj4a1TCqksCoUSWraM+H9Nft0nD5Mu9u38-u-c4jugUKTPQ@mail.gmail.com>
To: secdir@ietf.org, draft-ietf-httpbis-replay@ietf.org
Content-Type: multipart/alternative; boundary="00000000000096594f056b329c56"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/F6wstLoBb0ImY5LLjkQZvOQw_Ao>
Subject: [secdir] Secdir review of draft-ietf-httpbis-replay
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 May 2018 05:46:46 -0000
I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area
directors. Document editors and WG chairs should treat these comments just
like any other last call comments.
This document describes risk of using "early" (from a TLS 1.3 perspective)
data for HTTP and defines a mechanism for clients to communicate with
servers about such "early" data usage.
a) For the Early-data field processing, the memo states: "The "Early-Data"
header field is not intended for use by user agents (that is, the original
initiator of a request). ... A user agent that sends a request in early
data does not need to include the "Early-Data" header field " - would it
make sense to either forbid ("MUST NOT send the "Early-Data" header field)
or at least recommend against it ("SHOULD NOT send the Early-Data field")?
b) I am probably missing something here: "A server cannot make a request
that contains the Early-Data header field safe for processing by waiting
for the handshake to complete" - if the origin server always wait for
successful TLS handshake completion, why would it not be safe to process
the early data at that point?
Nits:
- Section 2, first sentence: Insert "data" after "application"
- In Section 3, step 3, it is stated that: "If the server receives multiple
requests in early data, it can determine whether to defer HTTP processing
on a per-request basis," however, in Section 4, it is stated that: "Note
that a server cannot choose to selectively reject early data at the TLS
layer. TLS only permits a server to accept all early data, or none of it" -
I guess this may be consistent (it will accept all data, but can
selectively defer processing), but it is a bit confusing.
- The attack in Section 4 is outlined as follows: "An attacker sends early
data to one server instance that accepts and processes the early data, but
allows that connection to proceed no further. The attacker then forwards
the same messages from the client to another server instance that will
reject early data. The client then retries the request, resulting in the
request being processed twice."
This seems a little convoluted - how would the attacker know, before the
client has sent the first message, that it is what the client will send? Is
the attacker's first message to a server instance intercepted from the
client? If so, suggest making that clear.
Thanks,
-- Magnus
- [secdir] Secdir review of draft-ietf-httpbis-repl… Magnus Nyström
- Re: [secdir] Secdir review of draft-ietf-httpbis-… Willy Tarreau
- Re: [secdir] Secdir review of draft-ietf-httpbis-… Martin Thomson
- Re: [secdir] Secdir review of draft-ietf-httpbis-… Magnus Nyström