Re: [TLS] The case for a single stream of data
Ilari Liusvaara <ilariliusvaara@welho.com> Sat, 13 May 2017 20:27 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C510129329 for <tls@ietfa.amsl.com>; Sat, 13 May 2017 13:27:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.799
X-Spam-Level:
X-Spam-Status: No, score=0.799 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4FpgAzKAWQFb for <tls@ietfa.amsl.com>; Sat, 13 May 2017 13:27:44 -0700 (PDT)
Received: from welho-filter2.welho.com (welho-filter2.welho.com [83.102.41.24]) by ietfa.amsl.com (Postfix) with ESMTP id A83F7129423 for <tls@ietf.org>; Sat, 13 May 2017 13:24:56 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id 1BD66226A9; Sat, 13 May 2017 23:24:53 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id bdaciRD6GTeg; Sat, 13 May 2017 23:24:52 +0300 (EEST)
Received: from LK-Perkele-V2 (87-92-51-204.bb.dnainternet.fi [87.92.51.204]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id AC87B2313; Sat, 13 May 2017 23:24:52 +0300 (EEST)
Date: Sat, 13 May 2017 23:24:51 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Colm MacCárthaigh <colm@allcosts.net>
Cc: "Salz, Rich" <rsalz@akamai.com>, "tls@ietf.org" <tls@ietf.org>
Message-ID: <20170513202451.GA14826@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CAAF6GDfm=voTt_=JrdGtiaYby1JG8ySU2s6myjjpHKeGvi0bMg@mail.gmail.com> <9f5858c8d86742b9aa82bdac46590c92@usma1ex-dag1mb1.msg.corp.akamai.com> <CAAF6GDcGQ0YTYFFD+HVD71O9GCW7V3r_UNce1LQsHF1Zs9aBLQ@mail.gmail.com> <6ce1dc8757fa4f6693263c8e4f06f277@usma1ex-dag1mb1.msg.corp.akamai.com> <CAAF6GDd5jnuSHw3JLTuCCKWjwKHcW=nfNac=w5UprM-gPJocQw@mail.gmail.com> <20170509181227.GA9346@LK-Perkele-V2.elisa-laajakaista.fi> <CAAF6GDcUu24NZbzxA0x6+OFkU2HRy8rtrQgQ_9U_j8CGjVOjLw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAAF6GDcUu24NZbzxA0x6+OFkU2HRy8rtrQgQ_9U_j8CGjVOjLw@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/gRiO0CuqaMYOM9tv4itrxABD0UY>
Subject: Re: [TLS] The case for a single stream of data
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 May 2017 20:27:47 -0000
On Tue, May 09, 2017 at 11:44:14AM -0700, Colm MacCárthaigh wrote: > On Tue, May 9, 2017 at 11:12 AM, Ilari Liusvaara <ilariliusvaara@welho.com> > wrote: > > Because HTTP specification expressly forbids any and all updates and > > writes using safe methods. Ignoring that causes very severe security > > vulernabilities even today (e.g., causes essentially undefendable CSRF > > attacks). > > > > These aren't browser requests, they can be SDK and other clients making > HTTP API requests. That's much more common too, by volume. CSRF isn't an > issue in cases like that. Hope your API is actually idempotent, because the HTTP code, which sits below the SDK code can replay requests on its own... > I think everything I'm writing applies even for a careful REST-compliant > case too. Even if the client is using PUT or POST or DELETE or whatever, > the same kind of transactional semantics apply. All it takes is a > disconnect between the settings in any of the middle transport layers and > the expectations of the underlying protocol. I just think that disconnect > is very predictable. PUT and DELETE are also subject to autoretry. Which means that any PUT or DELETE in failed 0-RTT can be immediately replayed as 1-RTT by the HTTP code. However, POST is not subject to autoretry. Which means that any POST in failed 0-RTT must be reported to next layer as "error: connection to server lost before reply was received". Which is the same error if server somehow sent a TLS close_notify with pending POST (which is considered autenticated close!). (In HTTP/2, if the server explicitly refuses the stream POST is on, that does not count as fatal failure, and the http library can autoretry). The next layer can then decide to retry the request upon getting the connection lost error. However, in such situation, one _always_ needs to handle possible reordering, _regardless_ of 0-RTT or TLS version! Unified-stream model has the following to keep in mind: - The client TLS library APIs must not be subject to races that may cause data corruption if server rejects 0-RTT (_including_ selecting different application-layer protocol). - The 0-RTT data may not be suitable for replay, even if application- layer protocol matches. And 0-RTT containing HTTP POSTs is the not the only case even in HTTP (e.g. what Tokbind has specified so far renders such replay unsafe even for GET). Two recommendations: - Always require strong 0-RTT anti-replay, even accross servers. The attacks raising from failing to do this are just too severe and virtually impossible to address in any other way. - Clients shall treat any 0-RTT data sent as potentially received by the server, _even_ if server refuses the 0-RTT. -Ilari
- [TLS] The case for a single stream of data Colm MacCárthaigh
- Re: [TLS] The case for a single stream of data Ilari Liusvaara
- Re: [TLS] The case for a single stream of data Salz, Rich
- Re: [TLS] The case for a single stream of data Kyle Rose
- Re: [TLS] The case for a single stream of data Ilari Liusvaara
- Re: [TLS] The case for a single stream of data Kyle Rose
- Re: [TLS] The case for a single stream of data Eric Rescorla
- Re: [TLS] The case for a single stream of data Benjamin Kaduk
- Re: [TLS] The case for a single stream of data Ilari Liusvaara
- Re: [TLS] The case for a single stream of data Benjamin Kaduk
- Re: [TLS] The case for a single stream of data Salz, Rich
- Re: [TLS] The case for a single stream of data Viktor Dukhovni
- Re: [TLS] The case for a single stream of data Colm MacCárthaigh
- Re: [TLS] The case for a single stream of data Salz, Rich
- Re: [TLS] The case for a single stream of data Salz, Rich
- Re: [TLS] The case for a single stream of data Andrei Popov
- Re: [TLS] The case for a single stream of data Roland Zink
- Re: [TLS] The case for a single stream of data Colm MacCárthaigh
- Re: [TLS] The case for a single stream of data Ilari Liusvaara
- Re: [TLS] The case for a single stream of data Colm MacCárthaigh
- Re: [TLS] The case for a single stream of data Benjamin Kaduk
- Re: [TLS] The case for a single stream of data Colm MacCárthaigh
- Re: [TLS] The case for a single stream of data Ilari Liusvaara
- Re: [TLS] The case for a single stream of data Ilari Liusvaara