Re: [TLS] Connection diversion to other subdomains
Matt McCutchen <matt@mattmccutchen.net> Mon, 01 November 2010 04:01 UTC
Return-Path: <matt@mattmccutchen.net>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0B0CE3A67A7 for <tls@core3.amsl.com>; Sun, 31 Oct 2010 21:01:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[none]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sx-zck+4jDBA for <tls@core3.amsl.com>; Sun, 31 Oct 2010 21:01:48 -0700 (PDT)
Received: from homiemail-a4.g.dreamhost.com (caiajhbdccah.dreamhost.com [208.97.132.207]) by core3.amsl.com (Postfix) with ESMTP id 26DE33A6825 for <tls@ietf.org>; Sun, 31 Oct 2010 21:01:48 -0700 (PDT)
Received: from homiemail-a4.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a4.g.dreamhost.com (Postfix) with ESMTP id 7A27B51C06C for <tls@ietf.org>; Sun, 31 Oct 2010 21:01:48 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=mattmccutchen.net; h=subject:from :to:in-reply-to:references:content-type:date:message-id :mime-version:content-transfer-encoding; q=dns; s= mattmccutchen.net; b=CsZwindktVrvpDIx+y7AAuU3ga6Na5oq0/altReGJ0X X//bFBXSOCdz7Li52uxC91a0OH7FwAPdIYiTGzy7XPCHrBWJKV/oAj+M3QtD+W19 j64Gv+K8Sez1pJIU9d4Pki5JuTgW2601cP5OsM/dmwqCtJeKrp7BvO3t2qjrj6NY =
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=mattmccutchen.net; h= subject:from:to:in-reply-to:references:content-type:date :message-id:mime-version:content-transfer-encoding; s= mattmccutchen.net; bh=WvGjcqIXM55ailUgmTXGi6lm8cg=; b=GsdNjEMZmj mnFbH6Ly4Ca28sVT6Kke+8V4gft4qo3NI+V7rLqPGPfOkV0nHWYI2x4nmpzhzLZU NorPEYKhm8poiXMniQiX846wXMBGoMZ/jIoYmjTZco0CJhD2EWvNDOGNk06h+jSx 6U0+O+iXIJIyx6RCZVs/h81KGImZ0C5T8=
Received: from [129.2.249.209] (ml2.student.umd.edu [129.2.249.209]) (Authenticated sender: matt@mattmccutchen.net) by homiemail-a4.g.dreamhost.com (Postfix) with ESMTPA id 47E4951C063 for <tls@ietf.org>; Sun, 31 Oct 2010 21:01:48 -0700 (PDT)
From: Matt McCutchen <matt@mattmccutchen.net>
To: IETF TLS WG <tls@ietf.org>
In-Reply-To: <1288582952.6095.25.camel@mattlaptop2.local>
References: <gfuk1zfabvh7hh552nJYNxe982v3j_gmsm@mail.gmail.com> <1288582952.6095.25.camel@mattlaptop2.local>
Content-Type: text/plain; charset="UTF-8"
Date: Mon, 01 Nov 2010 00:01:41 -0400
Message-ID: <1288584101.6095.39.camel@mattlaptop2.local>
Mime-Version: 1.0
X-Mailer: Evolution 2.30.4
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] Connection diversion to other subdomains
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Nov 2010 04:01:49 -0000
On Sun, 2010-10-31 at 23:42 -0400, Matt McCutchen wrote: > If a web server gets a request over TLS with a Host header that doesn't > match any of the sites it is supposed to serve, it should return an HTTP > error instead of serving content from some "default" site. Ideally, the > error should not convey false information about the real server (e.g., > 404 would be bad). There's no error code that exactly fits the > situation; 400, 403, and 503 are decent. I just noticed that RFC 2616 section 5.2 prescribes the use of error 400 (Bad Request) for wrong Host headers. But I'm uneasy about the use of error 400 because it suggests that the client is at fault, which isn't true if an attacker diverted the connection. In general, a network attacker cannot cause an HTTP request over TLS to complete with a different HTTP-level outcome than it should; there is just this one stupid case where several different servers are authorized and willing to take the request. It would be much better to catch connection diversion at the TLS level, like any other network shenanigans. -- Matt
- Re: [TLS] Connection diversion to other subdomains aerowolf
- Re: [TLS] Connection diversion to other subdomains Matt McCutchen
- Re: [TLS] Connection diversion to other subdomains Matt McCutchen
- Re: [TLS] Connection diversion to other subdomains Jeffrey A. Williams
- Re: [TLS] Connection diversion to other subdomains Matt McCutchen