Re: [TLS] Preventing cross-protocol attacks without NPN (was: Request
Adam Barth <ietf@adambarth.com> Thu, 19 August 2010 17:16 UTC
Return-Path: <ietf@adambarth.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8F5783A67F1 for <tls@core3.amsl.com>; Thu, 19 Aug 2010 10:16:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.803
X-Spam-Level:
X-Spam-Status: No, score=-1.803 tagged_above=-999 required=5 tests=[AWL=0.174, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jSA0Rfs+edgS for <tls@core3.amsl.com>; Thu, 19 Aug 2010 10:16:00 -0700 (PDT)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by core3.amsl.com (Postfix) with ESMTP id 26DCD3A68EA for <tls@ietf.org>; Thu, 19 Aug 2010 10:15:59 -0700 (PDT)
Received: by fxm18 with SMTP id 18so1387464fxm.31 for <tls@ietf.org>; Thu, 19 Aug 2010 10:16:34 -0700 (PDT)
Received: by 10.223.124.205 with SMTP id v13mr63482far.94.1282238194252; Thu, 19 Aug 2010 10:16:34 -0700 (PDT)
Received: from mail-pz0-f44.google.com (mail-pz0-f44.google.com [209.85.210.44]) by mx.google.com with ESMTPS id a6sm806425faa.20.2010.08.19.10.16.32 (version=SSLv3 cipher=RC4-MD5); Thu, 19 Aug 2010 10:16:33 -0700 (PDT)
Received: by pzk6 with SMTP id 6so972601pzk.31 for <tls@ietf.org>; Thu, 19 Aug 2010 10:16:31 -0700 (PDT)
Received: by 10.142.132.15 with SMTP id f15mr150587wfd.14.1282238191183; Thu, 19 Aug 2010 10:16:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.231.60.18 with HTTP; Thu, 19 Aug 2010 10:16:10 -0700 (PDT)
In-Reply-To: <201008191348.o7JDm2li005391@fs4113.wdf.sap.corp>
References: <AANLkTi=pXFM7HnXJCuJUoKVZKnX1HijQMRr3nHFefHZD@mail.gmail.com> <201008191348.o7JDm2li005391@fs4113.wdf.sap.corp>
From: Adam Barth <ietf@adambarth.com>
Date: Thu, 19 Aug 2010 10:16:10 -0700
Message-ID: <AANLkTi=xuncF8fo3iy56onCWj9Yx1Zg5a+fVN8U=h=Dt@mail.gmail.com>
To: mrex@sap.com
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: tls@ietf.org
Subject: Re: [TLS] Preventing cross-protocol attacks without NPN (was: Request
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Aug 2010 17:16:01 -0000
Martin, I think you're right that we could fix these problems by changing the browser security model to something more like the Java security model. However, the browser security model isn't going anywhere any time soon. Kind regards, Adam On Thu, Aug 19, 2010 at 6:48 AM, Martin Rex <mrex@sap.com> wrote: > Nathaniel W Filardo <nwf@cs.jhu.edu> wrote: >> >> The particular class of attacks you're worried about all involve an agent, >> C, making requests to a server S, on behalf of some untrusted third party, >> M. Further, S thinks that it is speaking P and C thinks that it is speaking >> Q, with P != Q. It happens to be that S's interpretation of P is compatible >> with C's production of Q. Is that not an accurate understanding? > > "involve an agent C". It's about a promiscuous zombie call "web browser" > (not necessarily Mr. Smith in a black suit). ;-) > > The last "cross-protocol attack" I complained about was TLS endpoints > chasing AIA URLs from untrusted end-entity certs when faced with > incomplete certificate chains. There the scenario involved a client > (browser), a server (online bank) who trust each other and a secure > protocol (TLS), which was susceptible to outside(!) attackers injecting > a crafted ServerHello+ServerCertificate handshake message into a newly > established TCP connection. > > The "cross-protocol attack" mentioned with WebSocket, on the other hand, > is about a completely different threat scenario. There, the worry > is about rightful peers, i.e. Servers attacking clients by serving > them URLs and active content to coerce them in connecting to services > that they shouldn't be connecting to. > > > Personally, I don't think NPN is going to improve anything. It is > just going to make things slightly more obscure, but by misleading > the consumers of the technology about where there is the flaw in > their architecure, they're going to significantly increase the > damage in the long run. > > Blacklisting known bad stuff is a race that you can not win. > > Probably no one would suggest to "enhance" MUA to roam the internet > and collect more spam to present to the user. Browsers do just that, > they will happily download and annoy end users with significantly > larger amounts of spamvertisement than most users would agree to > when asked. > > For Java applets there was originally a security model that the > applet could only callback to the site where it came from. > Security-wise this was a sensible approach. If something similar > had been done for HTML pages, XSS would be a non-problem and > neither would there be any cross-protocol issues. > > Since the services that are listening for plaintext protocols today > are not going to go away anytime soon, why do you think the situation > would improve with NPN? Is there a "once WebSockets -- forever WebSockets" > requirement, that mixing content from "old" (port 80) and > "new" Web (=through WebSockets) is going to be entirely prohibited? > > > Cross-Protocol attacks are very very old stuff. > Back in the old days of the IP-Protocols, there were services > such as "chargen 19/udp" and "echo 7/udp" and IIRC, you only needed > to send a UDP datagram with a crafted source ip/port to chargen > to make two machines saturate a network link. > > > The WebSockets + NPN architecture sounds like a inetd with builtin > TLS and out-of-band protocol signaling instead of relying on the > implicit assumptions of well known ports. > > > But this approach, especially when _NOT_ sending the next protocol > in the ClientHello (in clear text), is in direct conflict with the > idea to perform server endpoint identification for TLS in a fashion > that clearly distinguishes services by their certificate (attributes), > like ExtendedKeyUsage (EKUs) and Service SubjectAltNames. > > Personally, I really dislike the idea of requiring all application > services on a Host to be single-admin'ed and all authentication > and authorization at the TLS layer to be unconditionally host-wide. > That comes close to killing TLS client certificates as a means to > authenticate users if you have differing requirements for applications. > > > The protection that you're looking for should be provided by IPsec, > not a multiplexing TLS+NPN-enriched WebSockets inetd. > > Seperating services on a host into individual processes with > only those privileges and the level of user authentication and > user authorization that these services actually need is sensible > risk management. Terminating and dispatching EVERY network > connection to a machine in a single application puts us back > into the MS-DOS area (lack of process seperation). > > > And what exactly do you mean by "Next Protocol". A lot of stuff > uses HTTP these days, and if you really only distinguish the > next protocol level, then there still is a lot of cross-protocol > attack surface left. Doesn't SOAP use HTTP as well? > I know that my DSL-router is VERY open-minded to SOAP-requests > for administrative purposes (and no, it doesn't require authentication > for many actions -- different to the administrative WebUI). > > > -Martin >