Re: [secdir] Secdir last call review of draft-ietf-jmap-core-12

Tero Kivinen <kivinen@iki.fi> Mon, 07 January 2019 13:18 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9614E130E90; Mon, 7 Jan 2019 05:18:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.421
X-Spam-Level:
X-Spam-Status: No, score=-3.421 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_NEUTRAL=0.779] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fpdoSxIE68DB; Mon, 7 Jan 2019 05:18:01 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37CAB130E46; Mon, 7 Jan 2019 05:18:01 -0800 (PST)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id x07DHpjx010998 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 7 Jan 2019 15:17:51 +0200 (EET)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id x07DHp4c022960; Mon, 7 Jan 2019 15:17:51 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <23603.20862.976183.378013@fireball.acr.fi>
Date: Mon, 7 Jan 2019 15:17:50 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: "Neil Jenkins" <neilj@fastmailteam.com>
Cc: secdir@ietf.org, "Bron Gondwana" <brong@fastmailteam.com>, "IETF JMAP Mailing List" <jmap@ietf.org>, draft-ietf-jmap-core.all@ietf.org, ietf@ietf.org
In-Reply-To: <7beebd38-7999-4a49-b892-c3c75b36eab4@beta.fastmail.com>
References: <154651703823.29557.748556981627156046@ietfa.amsl.com> <cac325d4-e3fd-4dc1-8173-c52192a9ed5e@www.fastmail.com> <7beebd38-7999-4a49-b892-c3c75b36eab4@beta.fastmail.com>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 89 min
X-Total-Time: 25 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/VswgzY-m1f4-8Xdn7KPlrvXkAQw>
Subject: Re: [secdir] Secdir last call review of draft-ietf-jmap-core-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jan 2019 13:18:05 -0000

Neil Jenkins writes:
> On Sun, 6 Jan 2019, at 9:26 AM, Bron Gondwana wrote:
> 
>     And look at making the push protocol have a confirmation step:
>     https://github.com/jmapio/jmap/issues/276
> 
> I'm not convinced this is necessary and/or helpful. In the current system, the
> first time a push is triggered the application (JMAP) server sends a request to
> the push server (the URL registered by the client); if this is not accepted
> with a reasonable HTTP response, it would automatically disable it. The danger
> is meant to be DOSing this URL (it's not really a push server); however with a
> confirmation step, you still need to do that first request so you're not
> reducing the number of HTTP requests. You are however relying on the push being
> received by the client in order for it to be able to complete registration, and
> all common push services do not guarantee delivery, so this becomes much less
> reliable. (With this in mind, the JMAP push system happily copes with dropped
> push packets while still guaranteeing full resynchronisation.)

Actually I think adding confirmation step will make the push
notifications more reliable, as that will give you positive feedback
that your push notifications do work. It is really annoying trying to
debug which firewall / proxy / encryption is causing the notification
to be blocked, if I need to reregister again for every time and need
to then somehow still cause one push notification to be sent before I
can see does it work. 

> I note this issue doesn't really seem to be specific to JMAP, and yet RFC8030
> (which is what the push system is implementing) does not require a confirmation
> step.

My understanding is that RFC8030 does not connect random urls, the
push notifications are received by client doing GET request to the
subscription server and then later server using server push to that
connection or something like that (in section 6 of the RFC8030).
Usually that is only way things can work, as most of the people are
behind firewalls / NATs / Proxies etc, thus connecting to them from
outside is impossible or hard.

The interaction between UA and the Application server is using
"an application-specific method" which is not described in the
RFC8030:

   An application-specific method is used to distribute the push URI to
   the application server.  Confidentiality protection and application
   server authentication MUST be used to ensure that this URI is not
   disclosed to unauthorized recipients (Section 8.3).

The verification would be inside this application-specific method,
thus it is not covered in the 8030 because of that.

In Jmap case the URL can be anything in the network and server is
assumed to connect to that URL every time something happens. Yes, if
something goes wrong in that url then notifications are disabled, but
if server just answers HTTP ok 200 back, and JMAP server will be
happy to keep sending notifications.

With verification step the amplification factor would be around 1, as
attacker does subscription registration (small packet), JMAP server
sends first notification indication subscription is registed to given
url (small packet), and when JMAP server does not get confirmation
back from the attacker (which most likely cannot see the
notifications), then it will delete subscription.

Attacker can also do 10000 subscriptions to same victim (perhaps using
different URLs, but destioned to same victim). It can do this
overnight, and then on the morning when someone triggers event the
victim will suddenly receive 10000 event notifications
(https-connections) from the well connected JMAP server farm, and will
be completely swamped before it can even respond to any errors to
those notifications.
-- 
kivinen@iki.fi