IETF Logo Mail Archive

Re: [TLS] New Version Notification for draft-friel-tls-over-http-00.txt

Ben Schwartz <bemasc@google.com> Tue, 31 October 2017 21:16 UTC

Return-Path: <bemasc@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA0EE13F71E for <tls@ietfa.amsl.com>; Tue, 31 Oct 2017 14:16:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wBq6H0_7hpcf for <tls@ietfa.amsl.com>; Tue, 31 Oct 2017 14:16:55 -0700 (PDT)
Received: from mail-vk0-x22e.google.com (mail-vk0-x22e.google.com [IPv6:2607:f8b0:400c:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08A1E13F733 for <tls@ietf.org>; Tue, 31 Oct 2017 14:16:53 -0700 (PDT)
Received: by mail-vk0-x22e.google.com with SMTP id g69so241343vke.5 for <tls@ietf.org>; Tue, 31 Oct 2017 14:16:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=4QFax/N1gaaGVxgQ8/1iPY19DUfgMhYL1XvY2XKyw5c=; b=g/8+R4qI8U5PXHXr5SuK4acKo/P3st4Q4pnomeAkScxuLu0+Q0RoOmj4coavRs2FDo St0SYxWxwsrpkUYnFWazXk2W/2yj6q8XvE3dbpamUaJxCaDi7ozI1iytxg9SLM2YsOxc 5cvMFSq3dwMV/8cg2J5fpviqpc9gy0ood/Jqlq5iwD4LYW2hven1zYyLZBJg5smcS+Uq /3bTwa54pJQueKLpW2zw4OaOJ7GGVLC7ma4geJkLjprzHXGNfaHqLo2oRJ9v5JO8tOyx Fv/09PvCNvIjtCTDOsU99jSzj70i6Y1FeYvsnE3TSue7JNlJzbAzrb6R4Nion2fdo4xG h2oA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=4QFax/N1gaaGVxgQ8/1iPY19DUfgMhYL1XvY2XKyw5c=; b=m6FEmVC5nAxqR8bDvs9ZcUxpAb/UQU9dX/8OEAXJth86Jut5dzS3PYwsDZXHnQYewq HObT3n9rJ0imiJOhuKZN6jSHqvL1UNZ2JwQfQHpKponipPnoFeDXXTMOZe4W1JfMtOrr 02queZBdzzWHhNr6zfPwyq2eLs7rjrD/cnBoHqXm3cwU/pUY0zkvkbX0oIEDk1I2qjLq luV647/kPlPQPpV2oNPhU/ganRVKDWHJbRZL5bVsei+YS3whguVRZaN3Ke9nS0IZ8Jzp 1tbhKfwb3kpL88cPStpb7VYsA5ddpAx+1RtHXThyfgI+yvIuFdtklFpt3Vclfs5xr0YO Rh6g==
X-Gm-Message-State: AMCzsaXRyZ/mt+xTdXLxrcf+pFbjTlp2knTKjw9Nps+du/liTEbWMO6z HPLno8BlmMoS1owrSU3uUBrChlR8Zt23OYWNEPDVlqLChTc=
X-Google-Smtp-Source: ABhQp+TrL0r4C1KCkqv0LbaUoLC0nwguibCZpHdoZiUAj1EidqLv0aHwBigLygOsXxM0jIyGLdXW9g0Vkc28Y2/lBVc=
X-Received: by 10.31.61.8 with SMTP id k8mr2787411vka.171.1509484612240; Tue, 31 Oct 2017 14:16:52 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.31.170.145 with HTTP; Tue, 31 Oct 2017 14:16:51 -0700 (PDT)
In-Reply-To: <fddcd65297054fd1b54b05b767bcd474@XCH-RCD-012.cisco.com>
References: <150939282345.7694.10153977158870845060.idtracker@ietfa.amsl.com> <CAL02cgRS715Vc+4_QNDSNBW8LP1f-Rmp0FW9W_pyHHpAnkX7Sg@mail.gmail.com> <CAHbrMsDMdjkffwqE+CeVfHBcU1gnxW3rpOmiitM3fCMyrTye0g@mail.gmail.com> <CAL02cgTwWB_w4+j=8RS=1ZfxNkLE0OeKivrjz33oBamJyD_tbQ@mail.gmail.com> <CAL02cgSBim4HxAkA-_HP3hc_95zsyNdvezmttgkTbs850pPddg@mail.gmail.com> <CAHbrMsAqnTC4jOAuyfyaujNq=ugXCVF4AH4Kp4f==L36e4twrw@mail.gmail.com> <CAL02cgTkaz0zLf+jrFeccD-GPJ+R_evySsLgW+R7F646YLOUkQ@mail.gmail.com> <CAHbrMsDjR6e2+MLepLJbNFxkwy+oQN=0OmMDHeDKYJGknyFo2A@mail.gmail.com> <fddcd65297054fd1b54b05b767bcd474@XCH-RCD-012.cisco.com>
From: Ben Schwartz <bemasc@google.com>
Date: Tue, 31 Oct 2017 17:16:51 -0400
Message-ID: <CAHbrMsC+q0TGkWzxGjU_9EJUToQ2Hb404+XkTaoh17n_LV2L4w@mail.gmail.com>
To: "Owen Friel (ofriel)" <ofriel@cisco.com>
Cc: Richard Barnes <rlb@ipv.sx>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="001a114d9bde275e9f055cde462a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/4-1Shmp_V4c2Od-zm3GlXL8h8jU>
Subject: Re: [TLS] New Version Notification for draft-friel-tls-over-http-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Oct 2017 21:16:58 -0000

On Tue, Oct 31, 2017 at 5:03 PM, Owen Friel (ofriel) <ofriel@cisco.com>
wrote:

>
>
>
>
> *From:* TLS [mailto:tls-bounces@ietf.org] *On Behalf Of *Ben Schwartz
> *Sent:* 31 October 2017 01:35
> *To:* Richard Barnes <rlb@ipv.sx>
> *Cc:* <tls@ietf.org> <tls@ietf.org>
> *Subject:* Re: [TLS] New Version Notification for
> draft-friel-tls-over-http-00.txt
>
>
>
> On Mon, Oct 30, 2017 at 7:02 PM, Richard Barnes <rlb@ipv.sx> wrote:
>
> It requires awareness in the following sense: If by chance the client is
> in a nice, open network and the base TLS connection goes directly to the
> server, CONNECT is kind of unnatural; you would want the client to do
> something different in that case.
>
>
>
> Surely this is equally true/untrue of ATLS.  Why do double-TLS if it can
> be avoided?  But then, how does the application know whether to do ATLS
> encapsulation?  It's the same question in both cases.
>
> *[ofriel] The draft does state “*As an optimisation, clients may choose to only use ATLS as a fallback
>
>    mechanism if certificate validation fails on the transport layer TLS
>
>    connection to the service
>
> *”*
>
> *It should be easy for a device to detect the presence of a middlebox if
> the network layer TLS connection presents a service certificate that has
> the expected SAN/CN, but is signed by an unexpected/untrusted CA (i.e. one
> not baked into/explicitly configured on the device).*
>

Yes, but the client could equally well fall back to HTTP CONNECT in this
case.  My comments are all directed to the question of why to use ATLS
instead of an existing solution, such as "TLS over HTTP CONNECT".


>
>
>   You're correct that you *could* configure the server to handle connect
> properly, but all of the options for doing this are kind of cumbersome --
> either you have to stick a possibly-unnecessary proxy in front of the
> server, or handle CONNECT on the server, which is not really well-supported
> by web application frameworks.  By contrast, running data over POST is
> ubiquitous.
>
>
>
> This makes a certain amount of sense to me.  If it were up to me, rather
> than design a TLS-specific transport, I'd be more inclined to propose a
> standardized version of something like Crowbar
> <https://github.com/q3k/crowbar>.
>
> *[ofriel] /me reads. ‘like’ appears to be the operative word here based on
> author comments on https://github.com/q3k/crowbar
> <https://github.com/q3k/crowbar>: “*Crowbar *DOES NOT PROVIDE ANY DATA
> CONFIDENTIALITY**”*
>

Yes, but "TLS over Crowbar" does provide confidentiality, and that is the
alternative to ATLS that I am proposing in this sentence.

(Or just document that reverse proxies and frameworks ought to do something
> reasonable with CONNECT.
>
> *[ofriel] CONNECT would just open a tunnel to get packets through the
> proxy to the service, but would require the proxy to *not* attempt to do
> TLS interception, which is exactly what we are trying to allow. If policy
> dictates that everything must be intercepted, this mechanism enables that.*
>

I don't understand which proxy you're referring to, or how this
distinguishes ATLS from "TLS over HTTP CONNECT".

)  Otherwise this seems to be ossifying the proxy, privileging TLS and
> preventing deployment of Noise protocol <http://noiseprotocol.org/> or
> whatever the future may hold.
>
> *[ofriel] One of the reason for blindly transporting TLS and not in any
> way restricting or customising the TLS records transferred was to be future
> compatible with all future versions of TLS; and also to allow an
> application to leverage a single software library for both network
> transport and application crypto exchanges.*
>

OK, but you can be even more abstracted by simply transporting a
byte-stream, and letting the application developer choose what protocol to
speak in that stream.  This shares even more code between the "network" and
"application" usage of TLS, since they both flow over bytestream
abstractions (no need to expose the TLS record layer).

> It was also pointed to me off-list that you can generate POST requests
> from Javascript in XHR, but not CONNECT requests.  So doing this over POSTs
> also makes it accessible to web apps.  (`emscripten libssl.a` left as an
> exercise to the reader.)
>
>
>
> It seems your threat model assumes an adversary who is an active
> intermediary in your HTTP session.  If so, then this wouldn't seem to
> protect the user against the threat.
>
> *[ofriel] Can you clarify why this doesn’t protect against an active
> intermediary in the HTTP session? Transferring the TLS records payloads in
> HTTP bodies is directly analogous to  transferring TLS records over
> untrusted TCP network transport.*
>

In a "web app", the emscripten-compiled copy of libssl would necessarily be
transmitted over the insecure HTTP connection that also contains ATLS.  An
active intermediary therefore could, for example, replace the library with
a modified version that uses a broken PRNG.


>
>
>
>
>
>
> --Richard
>
>
>
>
>
> On Mon, Oct 30, 2017 at 6:43 PM, Ben Schwartz <bemasc@google.com> wrote:
>
> I don't understand why ATLS allows the app to be less "aware" than HTTP
> CONNECT.  I also don't understand how an ATLS client is closer to "one code
> path" than HTTP CONNECT.  It seems to me that your description of client
> behavior applies equally to ATLS and HTTP CONNECT.
>
>
>
> On Mon, Oct 30, 2017 at 6:38 PM, Richard Barnes <rlb@ipv.sx> wrote:
>
> But I agree, it would be good to have some more clarity around use cases
> and why not other solutions.
>
>
>
> On Mon, Oct 30, 2017 at 6:37 PM, Richard Barnes <rlb@ipv.sx> wrote:
>
> HTTP CONNECT is not great for some use cases because it requires the app
> to be aware that it's dealing with a proxy.  It's simpler if you can just
> have one code path that works whether your TLS is intermediated or not.
> With the solution outlined in the draft, you can just always ignore the
> certificate the server sends in the first TLS connection (because it might
> be from a MitM), and then do all your cert validation, pin checks, etc. at
> the application layer.
>
>
>
> On Mon, Oct 30, 2017 at 6:26 PM, Ben Schwartz <bemasc@google.com> wrote:
>
> Why not use HTTP CONNECT?  Or rather, it would be helpful to have a
> section on when/why one would do this vs. CONNECT.
>
>
>
> On Mon, Oct 30, 2017 at 6:17 PM, Richard Barnes <rlb@ipv.sx> wrote:
>
> Hey TLS folks,
>
>
>
> Owen, Max, and I have been kicking around some ideas for how to make
> secure connections in environments where HTTPS is subject to MitM /
> proxying.
>
>
>
> The below draft lays out a way to tunnel TLS over HTTPS, in hopes of
> creating a channel you could use when you really need things to be private,
> even from the local MitM.
>
>
>
> Feedback obviously very welcome.  Interested in whether folks think this
> is a useful area in which to develop an RFC, and any thoughts on how to do
> this better.
>
>
>
> Thanks,
>
> --Richard
>
>
>
>
>
> On Mon, Oct 30, 2017 at 3:47 PM, <internet-drafts@ietf.org> wrote:
>
>
> A new version of I-D, draft-friel-tls-over-http-00.txt
> has been successfully submitted by Owen Friel and posted to the
> IETF repository.
>
> Name:           draft-friel-tls-over-http
> Revision:       00
> Title:          Application-Layer TLS
> Document date:  2017-10-30
> Group:          Individual Submission
> Pages:          20
> URL:            https://www.ietf.org/internet-drafts/draft-friel-tls-over-
> http-00.txt
> Status:         https://datatracker.ietf.org/
> doc/draft-friel-tls-over-http/
> Htmlized:       https://tools.ietf.org/html/draft-friel-tls-over-http-00
> Htmlized:       https://datatracker.ietf.org/
> doc/html/draft-friel-tls-over-http-00
>
>
> Abstract:
>    Many clients need to establish secure connections to application
>    services but face challenges establishing these connections due to
>    the presence of middleboxes that terminate TLS connections from the
>    client and restablish new TLS connections to the service.  This
>    document defines a mechanism for transporting TLS records in HTTP
>    message bodies between clients and services.  This enables clients
>    and services to establish secure connections using TLS at the
>    application layer, and treat any middleboxes that are intercepting
>    traffic at the network layer as untrusted transport.  In short, this
>    mechanism moves the TLS handshake up the OSI stack to the application
>    layer.
>
>
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>
>
>
>
>
>
>
>
>
>
>
>

v2.23.0 | Report a Bug | By Email