Re: [TLS] Last Call: draft-ietf-tls-rfc4366-bis (Transport Layer Security (TLS) Extensions: Extension Definitions) to Proposed Standard

Simon Josefsson <simon@josefsson.org> Wed, 23 September 2009 16:12 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 683533A6877; Wed, 23 Sep 2009 09:12:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.485
X-Spam-Level:
X-Spam-Status: No, score=-2.485 tagged_above=-999 required=5 tests=[AWL=0.114, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h1TIsH51f--k; Wed, 23 Sep 2009 09:12:35 -0700 (PDT)
Received: from yxa-v.extundo.com (yxa-v.extundo.com [83.241.177.39]) by core3.amsl.com (Postfix) with ESMTP id 459133A680B; Wed, 23 Sep 2009 09:12:35 -0700 (PDT)
Received: from mocca.josefsson.org (c80-216-24-211.bredband.comhem.se [80.216.24.211]) (authenticated bits=0) by yxa-v.extundo.com (8.14.3/8.14.3/Debian-5) with ESMTP id n8NGDW4f032690 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 23 Sep 2009 18:13:37 +0200
From: Simon Josefsson <simon@josefsson.org>
To: ietf@ietf.org, tls@ietf.org
References: <20090824140146.54C2528C1DD@core3.amsl.com>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:090923:tls@ietf.org::rQDrZFJtJ/DguzS/:2+jq
X-Hashcash: 1:22:090923:ietf-announce@ietf.org::4wPy1ur4KzOSjS7Q:LGtn
X-Hashcash: 1:22:090923:ietf@ietf.org::0nKFWo9mcn5DLQ++:0o2iu
Date: Wed, 23 Sep 2009 18:13:32 +0200
In-Reply-To: <20090824140146.54C2528C1DD@core3.amsl.com> (The IESG's message of "Mon, 24 Aug 2009 07:01:46 -0700 (PDT)")
Message-ID: <87ab0lskpf.fsf@mocca.josefsson.org>
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Virus-Scanned: clamav-milter 0.95.2 at yxa-v
X-Virus-Status: Clean
Subject: Re: [TLS] Last Call: draft-ietf-tls-rfc4366-bis (Transport Layer Security (TLS) Extensions: Extension Definitions) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Sep 2009 16:12:36 -0000

I am aware that the IETF-wide last call has ended, but Daniel Black
provided a suggestion (posted on the gnutls-devel list) for the Security
Considerations that I agree with and believe can be important.  Quoting
him, slightly reworded:

  also maybe 11.1. could say, in response to the last paragraph of
  section 3, + "Server applications SHOULD validate server_name against
  any application layer equivalent field."

The last paragraph of section 3 reads:

   If an application negotiates a server name using an application
   protocol and then upgrades to TLS, and if a server_name extension is
   sent, then the extension SHOULD contain the same name that was
   negotiated in the application protocol. If the server_name is
   established in the TLS session handshake, the client SHOULD NOT
   attempt to request a different server name at the application layer.

It appears security relevant for the server to actual verify that the
client do not use another server name at the application layer to
circumvent authorization decisions.  I cannot find any MUST/SHOULD
requirement in the document for servers to test this right now.

One attack could works like this:

1) Client establish an client-authenticated HTTPS session with a TLS SNI
for blog.example.org and sends a HTTP GET with a Host: header for
internal-website.example.org.

2) The server TLS code authenticate and authorize the client (using the
certificate) for use with the blog.example.org domain.  The server HTTP
code serves the internal-website.example.org web page to the client.

This system would be insecure but still compliant with RFC 4366bis as
far as I can tell, which seems suboptimal.  Adding a requirement for
servers to check for this attack would solve the problem.

/Simon