Re: [secdir] Secdir review of draft-ietf-httpbis-replay
Martin Thomson <martin.thomson@gmail.com> Thu, 03 May 2018 01:51 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9F9812D77B; Wed, 2 May 2018 18:51:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g0bObDjrCawP; Wed, 2 May 2018 18:51:44 -0700 (PDT)
Received: from mail-oi0-x231.google.com (mail-oi0-x231.google.com [IPv6:2607:f8b0:4003:c06::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17507127599; Wed, 2 May 2018 18:51:44 -0700 (PDT)
Received: by mail-oi0-x231.google.com with SMTP id a6-v6so14755676oia.2; Wed, 02 May 2018 18:51:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=hpdUd5PIphGcuTbHTBxkFuVaAjWcT2y0Yt4r2Vy1/0k=; b=k6ozn14GRJxmASVztdX7nydw5EYmDep30IuGjvQn3+CT3OCWTYbGPAtTLwVEn0DUSU y67WtdArltaFhFkcQHBPX0JPaHsgMArHmTrSakWkR/5PzseipJ+GP/QFeon2MK7LcJ3X xXCgbKsDwjFenTR+IIRJwgYMvKUiKkm/L5D84i3ElyVfjKSs+e2ZSJWoi9jCHJhNWYXq HBrsXZs2DTSnu84s+IHDKB2KkCtDUN+aI40ytPxaUIW2pmf959cz3uOiVqclLCyJ65T1 solwuj0SLbppvvutKvg8je0jKzkHo8QX2hLW4VpQIFsoochDm7j87SFMhc7Npdx/wk7Q IZ9A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=hpdUd5PIphGcuTbHTBxkFuVaAjWcT2y0Yt4r2Vy1/0k=; b=JfHwUKc4M6ltePfYZacji0PYsZsBK2uR2Vnjr/I7VA+X6cLN+x6En6a/MfKkHEV13t tBb35pp2gSdHIwqE+AVnoFM0nbloVeDyGNGIeUJa1eMJXpOcsHU+HA/yZ49+PsuEuLbp /9Ph4OLaKYLk3o5yLipf+VEkquQIUxiJQjdiLAH0YFrz8ORmpecWWy4RQlFLyPMoip6X tNckfSR7sHccKqpj5sPQtIZjR8vYjx49/po6v+fuXn3aKgB7PhSh5y5UgEzGb1WYa61T hB+zKrIhxpeXDT50O9X/W6JX9FQdpD07ORARZCJDqdd5fymwEtQmWsWkWfPmphhz8kw/ hF+Q==
X-Gm-Message-State: ALQs6tC7NKAwkeH1LkuCcDrLV+gIwxtQcQ+3unOgIsbqffVn59aXwwLK UPrgRlKUnvM9Ndfnv/0WgbyY0M8NFPyBCQnZBfc=
X-Google-Smtp-Source: AB8JxZpalFxY4EoBCmVA8gU57rODAGGa7iAwvUFt2TleteGTK6lbMArw1bjQlnTfoHDEudYYeNdtUi6AlvBZ6Ps4Xj4=
X-Received: by 2002:aca:ebd4:: with SMTP id j203-v6mr14518268oih.110.1525312303267; Wed, 02 May 2018 18:51:43 -0700 (PDT)
MIME-Version: 1.0
References: <CADajj4a1TCqksCoUSWraM+H9Nft0nD5Mu9u38-u-c4jugUKTPQ@mail.gmail.com> <20180502064035.GA12016@1wt.eu>
In-Reply-To: <20180502064035.GA12016@1wt.eu>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 03 May 2018 01:51:32 +0000
Message-ID: <CABkgnnVRX3ZkSE=fxsRUvCOyV8VT3cG2kAMVtf6X85DGGkB3fw@mail.gmail.com>
To: Willy Tarreau <w@1wt.eu>
Cc: Magnus Nyström <magnusn@gmail.com>, secdir@ietf.org, draft-ietf-httpbis-replay@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/cvVqvJvYHvjEuXM7L-D5e3f1Or8>
Subject: Re: [secdir] Secdir review of draft-ietf-httpbis-replay
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 May 2018 01:51:49 -0000
Yes, thanks Magnus,
I think that Willy answered the primary concerns. I'm not sure that there
is anything actionable in those, but if you have a suggestion for
improvement, that would be appreciated.
> > - Section 2, first sentence: Insert "data" after "application"
This is fixed in the editor's copy (long story there, but the draft you
reviewed was *slightly* out of date).
> > - In Section 3, step 3, it is stated that: "If the server receives
multiple
> > requests in early data, it can determine whether to defer HTTP
processing
> > on a per-request basis," however, in Section 4, it is stated that: "Note
> > that a server cannot choose to selectively reject early data at the TLS
> > layer. TLS only permits a server to accept all early data, or none of
it" -
> > I guess this may be consistent (it will accept all data, but can
> > selectively defer processing), but it is a bit confusing.
> Probably that we need to refine the wording. The point in section 3 was
> to make it clear that early data may affect multiple requests (pipelining,
> HTTP/2 multiplexing), and point 4 tries to clarify the fact that the TLS
> layer provides you a data stream, part of which was received as early
> data, and that the server has no choice but to consume them all or reject
> them all.
When I went to look at this, I noticed that we don't really explain that
rejecting 0-RTT is possible. That's an important option, even if it is
pretty severely limited.
So I added that:
2. The server can reject early data. A server cannot selectively
reject early data, so this results in all requests sent in early
data being discarded.
Full change at: https://github.com/httpwg/http-extensions/pull/602
In doing so, I think that the context needed to interpret step 3 (now step
4) is available.
> > - The attack in Section 4 is outlined as follows: "An attacker sends
early
> > data to one server instance that accepts and processes the early data,
but
> > allows that connection to proceed no further. The attacker then forwards
> > the same messages from the client to another server instance that will
> > reject early data. The client then retries the request, resulting in the
> > request being processed twice."
> > This seems a little convoluted - how would the attacker know, before the
> > client has sent the first message, that it is what the client will
send? Is
> > the attacker's first message to a server instance intercepted from the
> > client? If so, suggest making that clear.
> Indeed, that was based on intercepted and replayed traffic. With an
> individual hat, I agree that the example is a bit conflated. But the
> point here was mostly to expose the risks that could happen by lazy
> implementations that would take some shortcuts (like automatically
> retrying on timeout for a client or a server accepting to process
> unsafe early-data requests).
Yeah, maybe this alternative is better:
Automatic retry creates the potential for a replay attack. An
attacker intercepts a connection that uses early data and copies the
early data to another server instance. The second server instance
accepts and processes the early data. The attacker then allows the
original connection to complete. Even if the early data is detected
as a duplicate and rejected, the first server instance might allow
the connection to complete. If the client then retries requests that
were sent in early data, the request will be processed twice.
Details at: https://github.com/httpwg/http-extensions/pull/603
- [secdir] Secdir review of draft-ietf-httpbis-repl… Magnus Nyström
- Re: [secdir] Secdir review of draft-ietf-httpbis-… Willy Tarreau
- Re: [secdir] Secdir review of draft-ietf-httpbis-… Martin Thomson
- Re: [secdir] Secdir review of draft-ietf-httpbis-… Magnus Nyström