Re: [TLS] Last Call: RFC 2818 (HTTP Over TLS) to Proposed Standard

Eric Rescorla <ekr@rtfm.com> Fri, 01 June 2012 21:59 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D715A21F887D for <tls@ietfa.amsl.com>; Fri, 1 Jun 2012 14:59:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.91
X-Spam-Level:
X-Spam-Status: No, score=-102.91 tagged_above=-999 required=5 tests=[AWL=-0.067, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTTP_ESCAPED_HOST=0.134, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r3z+rego6LYI for <tls@ietfa.amsl.com>; Fri, 1 Jun 2012 14:59:34 -0700 (PDT)
Received: from mail-vb0-f44.google.com (mail-vb0-f44.google.com [209.85.212.44]) by ietfa.amsl.com (Postfix) with ESMTP id 2A91B21F887C for <tls@ietf.org>; Fri, 1 Jun 2012 14:59:34 -0700 (PDT)
Received: by vbbez10 with SMTP id ez10so1762284vbb.31 for <tls@ietf.org>; Fri, 01 Jun 2012 14:59:33 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding :x-gm-message-state; bh=pXDufyz1I9kxuzzZn1vTQl3hC4KzrnJ0H9oUWvMUxOY=; b=OudtDd1eWpyHg3TOK4cGjtOCi7O7TNWZbBYbpqr1mG4TJWF1bz9oABa09hmUrc4ZSQ KVNZhZ1o1aICxnuDLTNGfQVFu00QCD1GExGpmxYTEXDaDh2ukb93G1y7EX5D15AooFbv 8tpfy5vnoenit0+mweWIdZJ3fYYfxMIcFw4EZvJ11Ef0IzkFk5fa+ccregH/P8BmLhGT llP5QfdRIM0U7rp+WcN+vKT/JJt+U0SHKMIBA2OTciRTDDu+nd3L7pNVchkV1GfiYCJm 9dUUvCUMhIg2HjYVSl5pf+v+0LljLA58bWMXnq355csMP9/FFgZI1VkDtEH3BXMdYG+G vzog==
Received: by 10.52.88.170 with SMTP id bh10mr944326vdb.11.1338587973579; Fri, 01 Jun 2012 14:59:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.35.209 with HTTP; Fri, 1 Jun 2012 14:58:53 -0700 (PDT)
X-Originating-IP: [63.245.220.224]
In-Reply-To: <m2wr3qya40.fsf@localhost.localdomain>
References: <20120601164205.25357.54620.idtracker@ietfa.amsl.com> <4FC8F1AF.2040409@stpeter.im> <CABcZeBN4rwJuL8_vvYfPZJyE_WU_+tmSzLf2njPeqx0Ewgx64g@mail.gmail.com> <op.we8nss1yqrq7tp@acorna.invalid.invalid> <CABcZeBMFAXeXBK1Cs5jnvbTmJms7NUqhrmJd4x2N2DxedQUk=A@mail.gmail.com> <m21ulyzr92.fsf@localhost.localdomain> <CABcZeBP6j6sfPs-1xB7ijAVU1HQNZfY8c2Zk3_O7j0fkgQK0xw@mail.gmail.com> <m2wr3qya40.fsf@localhost.localdomain>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 01 Jun 2012 14:58:53 -0700
Message-ID: <CABcZeBMfa++rwDfP5JJxC-qDvkZOTXpPAX_taEUzkPVwaUFKuA@mail.gmail.com>
To: Geoffrey Keating <geoffk@geoffk.org>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Gm-Message-State: ALoCoQnsNIbj89Uvi23IKKqKygkIIg2+R46XQGA7qc1ILUojBr9jg0PzZCAjHaJXukBL8mDLOCXu
Cc: tls@ietf.org
Subject: Re: [TLS] Last Call: RFC 2818 (HTTP Over TLS) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Jun 2012 21:59:34 -0000

On Fri, Jun 1, 2012 at 2:51 PM, Geoffrey Keating <geoffk@geoffk.org> wrote:
> Eric Rescorla <ekr@rtfm.com> writes:
>
>> On Fri, Jun 1, 2012 at 1:55 PM, Geoffrey Keating <geoffk@geoffk.org> wrote:
>> > Eric Rescorla <ekr@rtfm.com> writes:
>> >
>> >> On Fri, Jun 1, 2012 at 12:15 PM, Yngve N. Pettersen (Developer Opera
>> >> Software ASA) <yngve@opera.com> wrote:
>> >> > - Update sec. 3.1 to use RFC 6125 for the server identity.
>> >>
>> >> I'm not sure I agree with this. 2818 is intended to document HTTPS client
>> >> behavior. This may or may not be what we recommend for other protocols
>> >> (and indeed, the terms under which 6125 was approved included that
>> >> it not override 2818 for HTTPS).
>> >
>> > One substantive change here is that instead of "MUST" for using the
>> > commonName field, it would become "MAY".  I think this is an
>> > appropriate change, especially given that clients will not always
>> > accept the commonName field (for example, if it contains spaces, or if
>> > it isn't in DNS 'preferred name syntax',
>>
>> I'm not sure I follow this. If the CN isn't a valid domain name, then
>> won't it fail to match the DNS name it is intended to match?
>> What am I missing?
>
> Suppose you have a cookie for ".example.com" which I'd like to steal.
> I MITM you but you're using SSL and the cookie is marked as 'secure'
> so I can't just grab it.  I manage to acquire a valid e-mail
> certificate with a common name of "somename@mail.example.com".  Now I
> fake your DNS so that 'somename@mail.example.com' appears to be a valid
> hostname (that is, I cause your DNS request to return an A record for
> 'somename@mail' in the domain 'example.com') pointing at my server, and
> wait for you to open a non-TLS web page, in which I inject HTML which
> includes a frame or an image from
> 'https://somename%40mail.example.com/somefile'.  The cookie will be sent
> as part of this request, and it'll be sent to my server.
>
> The name 'somename@mail' is not in the 'preferred name syntax' but DNS
> will quite happily serve it---DNS labels are 8-bit strings that can
> even contain NUL characters.

OK, I see the issue. I do wonder how a browser would actually behave in this
case. I.e., I would hope that it would either parse this as
https://mail.example.com/
with a username of somename or alternately expect that the certificate contain
the %40, but regardless I agree it's not great.


> Another approach is that I could get a certificate with a common name
> of 'Some Name'.  If your DNS search path is set to include
> 'example.com' (or if I can force this by controlling your DHCP), I
> might be able to do the same thing with a URL of
> 'https://Some%20Name/somefile'.

Wouldn't this be an issue with or without a space? I.e., I get a certificate
with CN "foo" and then serve https://foo/?

-Ekr