Re: [secdir] [websec] Fwd: SecDir review of draft-williams-websec-session-continue-prob-00

Ben Laurie <benl@google.com> Thu, 07 February 2013 08:10 UTC

Return-Path: <benl@google.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A90B21F8901 for <secdir@ietfa.amsl.com>; Thu, 7 Feb 2013 00:10:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.978
X-Spam-Level:
X-Spam-Status: No, score=-101.978 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W+2ZS+dp26hL for <secdir@ietfa.amsl.com>; Thu, 7 Feb 2013 00:10:49 -0800 (PST)
Received: from mail-ia0-x22b.google.com (mail-ia0-x22b.google.com [IPv6:2607:f8b0:4001:c02::22b]) by ietfa.amsl.com (Postfix) with ESMTP id 99B6521F886A for <secdir@ietf.org>; Thu, 7 Feb 2013 00:10:49 -0800 (PST)
Received: by mail-ia0-f171.google.com with SMTP id z13so2668684iaz.16 for <secdir@ietf.org>; Thu, 07 Feb 2013 00:10:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=raX0uomONUI3tL+8LJjB7OsIyYVTqyMwXKPY73uR4nk=; b=gyLYsH2mQnX8vKX6nQkzv7T+sICUi1ZADsifpiV26e87m6UC478XxSt8YsV/Rehr5A /eIQs8cjbtVs/iVXRKpi7Eb3lmyathAe/O8yINTL8QgsvDWYfXZeztqMuBR4iu3X8Xp5 cUF8lEnKKC6gc9Ub9XwhQylvZEgZlciJFSVLGQOUyldTbeHAInR0NV03dn2hLWPmAjyO Jg3yAebwtSaPAm5DrE/1mLK3ZZ9nu/eNzI+o2SanTFAE3RjfgfDea10nqmunM62p7qrd gPfufmMx47NNyc58JPWinXb6suaDyOeDtR51OwIHdNdTdzfusE8IDJ4/tIoXdJJoSH4m Dkqg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type:x-gm-message-state; bh=raX0uomONUI3tL+8LJjB7OsIyYVTqyMwXKPY73uR4nk=; b=aEQRyvPUi7LebYqKwVX5kA6cNdsrGbZ6MD3Aw4e38ZUWeHV2bKWZimW/8CEbhiqj6d 8HckxexZV6ra1qTg7ilm62a6Y5QTYPD+6nY6M4YljINIkdvAO8iUD872Y+nVjdZ0rjnT EGImFtFRN7DPs36BkhVy4IF5/m27NNwD+5h0nnGgmZKkJs14rxT5bXRYuFjkMEXVsXQX voLKPhUNlxLTVVMSuwPFv9L5/ITUiwwuc2B9j/hx6crd3R9uTyaYv8JBe1RqJFUXCZ+/ NSupgDJlbkj3LKx8K/eqN/UBRwVz5eLThtrDh+HEk7gQMpwd88veXW3XOEGcbSHh5iLF CwFg==
MIME-Version: 1.0
X-Received: by 10.50.222.195 with SMTP id qo3mr881823igc.14.1360224649093; Thu, 07 Feb 2013 00:10:49 -0800 (PST)
Received: by 10.64.5.168 with HTTP; Thu, 7 Feb 2013 00:10:48 -0800 (PST)
In-Reply-To: <4613980CFC78314ABFD7F85CC30277211199DCC1@IL-EX10.ad.checkpoint.com>
References: <CABrd9SR0-RTAWnK_g3N8cPStcQfMcFn-8Eq=Ny6xiADYY3NR+w@mail.gmail.com> <4613980CFC78314ABFD7F85CC30277211199DCC1@IL-EX10.ad.checkpoint.com>
Date: Thu, 7 Feb 2013 08:10:48 +0000
Message-ID: <CABrd9SRk4HrGwnMvEDf+cx6gEaiAnr0js8bAY9b5VW+xpaDgbA@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Yoav Nir <ynir@checkpoint.com>, "secdir@ietf.org" <secdir@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1
X-Gm-Message-State: ALoCoQkqEOdwPSEOEJV58mH/mfGrXtsS0Zm3RRd36rgYQc0hCPvjImYiw/pgwt73Vmwkb7FsN0Cri11MZ73Fa4bFLtuDEQQ+GUt5TtqnwLo7Kytpdkdzgo+dAxA5pJIq0UX7aCXNvJnGCmkZMgxrWkEBUk7YbuDnUV+q6PA6estnSp068V0zlZ3FJesIzXkbufhkdr6vjXZC
Cc: "ietf-websec-sessions@googlegroups.com" <ietf-websec-sessions@googlegroups.com>, IETF WebSec WG <websec@ietf.org>
Subject: Re: [secdir] [websec] Fwd: SecDir review of draft-williams-websec-session-continue-prob-00
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2013 08:10:50 -0000

On 7 February 2013 07:46, Yoav Nir <ynir@checkpoint.com> wrote (that I wrote):
> " 10. Must work across all types of proxies. Proxies that can modify
>
>        the plaintext HTTP requests and responses can (but should not)
>        interfere with any session continuation protocol."
>
> A man-in-the-middle is a type of proxy, so this seems like an
> unsatisfiable requirement.

Actually, that's not quite right. Protocols can work across a proxy,
but what's required is that the proxy does not gain the ability to
pretend to be one of the endpoints.

If you satisfy this, then a MitM can snoop, but can't masquerade.

But this seems to impose quite a strong constraint on the protocol: in
particular, future traffic must somehow be bound to the (end-to-end)
session continuation.