IETF Logo Mail Archive

Re: [TLS] Request mTLS Flag

Jonathan Hoyland <jonathan.hoyland@gmail.com> Mon, 23 October 2023 16:51 UTC

Return-Path: <jonathan.hoyland@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB97EC17C516 for <tls@ietfa.amsl.com>; Mon, 23 Oct 2023 09:51:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AZknNJY9qj25 for <tls@ietfa.amsl.com>; Mon, 23 Oct 2023 09:51:34 -0700 (PDT)
Received: from mail-pf1-x433.google.com (mail-pf1-x433.google.com [IPv6:2607:f8b0:4864:20::433]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE293C16F41C for <tls@ietf.org>; Mon, 23 Oct 2023 09:51:12 -0700 (PDT)
Received: by mail-pf1-x433.google.com with SMTP id d2e1a72fcca58-6ba54c3ed97so3396542b3a.2 for <tls@ietf.org>; Mon, 23 Oct 2023 09:51:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1698079872; x=1698684672; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=vdSeRZh+j7+9Rq30LGNy3LGOPJTDBzqDgm+x8ycdtdU=; b=ehArDEXShrcFDZtuCWpRYgbsIYPlZ3v2fYGpm7C3g64/5cH5IGGdYgDZmAD4aiAhuS HI7+TQ2oEJySv0oevU7rTHEb3l4WH9kB74J92Mye90x/NBJ9otfnsv9Jbj8kDPxk3ifv X8Sc492SqKoF5ZwYP+YzbIGDY5EBu9ZZmMHNuLmg8UerZjNPJd0awjajiHD1I52dHbMs N/bRTp70Jj6cilYHKfT0WEkdZghVPn88OgwD4BKy4VsRRvm7kQiidDBt9yz2Myp5wtKm eAE0jJaJwU9ZUlRx/R4R4lcAXipxP6GpUswV8WuW2qWgmTeFaYn6EAVBNG5xwsmfi03Z ZfBg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698079872; x=1698684672; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=vdSeRZh+j7+9Rq30LGNy3LGOPJTDBzqDgm+x8ycdtdU=; b=eu7Jct33BkixFVfs9fPwxVtxpbZDfhdcV1AJ/edrtT6hfhS/AAl+AZcUDp8XWPv5DN eQZ4ue7S8NM8+ReeQzglq8itI/78DVI9hwVowX3mFVfiB/G+E9IzAuZyn+Oker9xV8PU w+NGSRjmySDAUsLL/NyZZVTpHzA7TY93xH2ks1qFgVqZmA+i5fiupMFpVOWtbFIiaPig mcpshb43Bire31uB6MGCgGR0eTq5bCYTZQdFvj4vBGza8uw6NmDwTxh2Slb4XhkjQqkC GpP2dsKdCES/KLGWlCbCsv8l2DfblYohF1EB3EpqysJVXiwt4oz6fTT+t7BHRU5ooiYr G9Wg==
X-Gm-Message-State: AOJu0YyTFHbixGnmKk42jz9XiKINAwj+pc9QveWwcP7/x0mtW+L09Xz2 6pJnGHARx1dIHPeZt1LfjIewWwwOQkQsWihxpripIAWWs+Y=
X-Google-Smtp-Source: AGHT+IHdNFtQy3zu+PiS8+wpNM2CsuYtNkZNW/THK8QiYVmLlnXFfvuoRULzIVoMpTSBNXPYtkEdo9zlS48sf46V78M=
X-Received: by 2002:a05:6a21:4842:b0:16a:4480:647f with SMTP id au2-20020a056a21484200b0016a4480647fmr140762pzc.19.1698079871863; Mon, 23 Oct 2023 09:51:11 -0700 (PDT)
MIME-Version: 1.0
References: <CACykbs3TMM6W_K2zHnOjPwuuhxa8ZUnSz2BqvgSGfEpNs71Edg@mail.gmail.com> <CAF8qwaDc_Moj_mXJHqRxzi995eA8T3uFNJmvHCfDboq5LG42mA@mail.gmail.com> <CACykbs2hMVgR=AoA1yXmnAn3Knuy_B9NgCvjRvc6xd5YKYby-Q@mail.gmail.com> <CAF8qwaAb98Ck8A+t=prVfMyAMWU7iTES-zXP2RyhpdJz-WjAVg@mail.gmail.com>
In-Reply-To: <CAF8qwaAb98Ck8A+t=prVfMyAMWU7iTES-zXP2RyhpdJz-WjAVg@mail.gmail.com>
From: Jonathan Hoyland <jonathan.hoyland@gmail.com>
Date: Mon, 23 Oct 2023 17:50:59 +0100
Message-ID: <CACykbs22hY+Qgh_=eRQBXVNFo+a+qkL=-MZE+hK53fSJZR=5Yw@mail.gmail.com>
To: David Benjamin <davidben@chromium.org>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000090143a060865078e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/DvpLaIZTnOzfjzdEqmnmyylCzao>
Subject: Re: [TLS] Request mTLS Flag
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Oct 2023 16:51:38 -0000

Hi David,

On Mon, 23 Oct 2023, 17:26 David Benjamin, <davidben@chromium.org> wrote:

> > So in my mind this is something that will (almost) never be sent by
> browsers.
>
> What cases would the "(almost)" kick in? This extensions model just
> doesn't match how client certificates work in browsers. I'm not seeing any
> interpretation beyond "always send" or "never send".
>

So I was thinking about a case where you're behind some TLS terminating
proxy. Assuming the proxy requires mTLS for every connection and the
middlebox wants to treat misconfigured boxes differently, maybe you would
use something like this.
I would have said never,  but never say never, right?

>
> > For example identifying a web crawler, and either allowing or
> disallowing it.
>
> I'm not following how this identifies web crawlers, unless perhaps we're
> using the term to mean different things? I would expect web crawlers to
> typically not do much with client certificates, and to typically *want* to
> index the web in the same way that humans with web browsers see it.
>

So typically web crawlers don't use mTLS, they rely on things like
publishing their IP range for auth, which isn't a great signal.

If we could reliably identify e.g. GoogleBot then we could skip some of our
bot detection systems for definitely-allowed traffic, allowing us to be
stricter with unknown traffic, or of course, explicitly-disallowed traffic.

There is an argument that one could show bots different results to humans,
but given that this is explicitly aimed at bots that we approve, I don't
see the incentive. Maybe improved TTFB or something?


> > I don't think this leaks more info than a dedicated endpoint (even
> accounting for ECH), and from a security perspective is just a hint.
>
> The difference is the dedicated endpoint case only kicks in once you are
> actually talking to a site that is deployed that way. A ClientHello flag
> would likely be sent unconditionally, because it's too early to condition
> it on much.
>

So in my mind this is sent by a bot that is crawling the entire web. It's
automated (as opposed to human triggered), and this is an optional hint, so
it doesn't matter if there's a privacy leak in that way. (Although that's
an interesting thought, do bots have a need for privacy?)

Regards,

Jonathan



> On Mon, Oct 23, 2023 at 11:58 AM Jonathan Hoyland <
> jonathan.hoyland@gmail.com> wrote:
>
>> Hi David,
>>
>> So in my mind this is something that will (almost) never be sent by
>> browsers.
>>
>> This is aimed at bots, both internal and external. For example
>> identifying a web crawler, and either allowing or disallowing it.
>>
>> Currently we identify many bots by IP range and user agent (and a bunch
>> of ML), which isn't always reliable.
>>
>> The web crawler case is where the dedicated endpoint falls over, because
>> crawlers are indexing the human visible web.
>>
>> I don't think this leaks more info than a dedicated endpoint (even
>> accounting for ECH), and from a security perspective is just a hint.
>>
>>
>> Regards,
>>
>> Jonathan
>>
>>
>> On Mon, 23 Oct 2023, 16:36 David Benjamin, <davidben@chromium.org> wrote:
>>
>>> Would you expect a browser user to send this flag? On the browser side,
>>> we don't know until the CertificateRequest whether a client certificate is
>>> configured. We have to do a moderately expensive query, dependent on
>>> information on the CertificateRequest of the OS's cert and key stores to
>>> get this information. This query may even call into things like 3p
>>> smartcard drivers, which may do arbitrarily disruptive things like showing
>>> UI.
>>>
>>> And if we could somehow predict this information, this would leak into
>>> the cleartext ClientHello when, starting TLS 1.3, the whole client
>>> certificate flow is in the encrypted portion of the handshake.
>>>
>>> So, practically speaking, I don't think browsers could do anything
>>> meaningful with this extension. We'd either always send it, on grounds that
>>> we have code to rummage for client certs on request, or never send it on
>>> grounds that we're not preconfigured with a client cert at the time of
>>> ClientHello. Either way, it seems likely to interfere with someone's
>>> assumptions here.
>>>
>>> The dedicated endpoint strategy seems more straightforward.
>>>
>>> David
>>>
>>>
>>> On Mon, Oct 23, 2023, 11:22 Jonathan Hoyland <jonathan.hoyland@gmail.com>
>>> wrote:
>>>
>>>> Hey TLSWG,
>>>>
>>>> I've just posted a new draft
>>>> <https://www.ietf.org/archive/id/draft-jhoyla-req-mtls-flag-00.html>
>>>> that defines a TLS Flag
>>>> <https://www.ietf.org/archive/id/draft-ietf-tls-tlsflags-12.html> that
>>>> provides a hint to the server that the client supports mTLS / is configured
>>>> with a client certificate.
>>>>
>>>> Usually the server has no way to know in advance whether a given
>>>> inbound connection is from a client with a certificate. If the server
>>>> unexpectedly requests a certificate from a human user, most users wouldn’t
>>>> know what to do. To avoid this many servers never send the
>>>> CertificateRequest message in the server’s first flight, or set up
>>>> dedicated endpoints used only by bots. If client authentication is
>>>> necessary it can be negotiated later using a higher layer either through
>>>> post-handshake auth or with an Exported Authenticator, but both of those
>>>> options add round trips to the connection.
>>>>
>>>> At Cloudflare we’re exploring ways to quickly identify clients. Having
>>>> an explicit signal from the client that it has an mTLS certificate on offer
>>>> reduces round-trips to find out, avoids unnecessarily probing clients that
>>>> have no certificate, etc. I think this would be an ideal use case for the
>>>> TLS Flags extension.
>>>>
>>>> I have a pair of interoperable implementations (one based on boringssl
>>>> and one based on Go TLS) which I plan to open source before Prague.
>>>> Obviously these include implementations of the TLS Flags extension, which
>>>> hopefully will help drive that work forward too.
>>>>
>>>> Regards,
>>>>
>>>> Jonathan
>>>> _______________________________________________
>>>> TLS mailing list
>>>> TLS@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/tls
>>>>
>>>>

v2.23.0 | Report a Bug | By Email