Re: [TLS] [pkix] New version of Multiple OCSP mode of Certificate
Martin Rex <mrex@sap.com> Wed, 04 August 2010 23:06 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 55E493A6A92; Wed, 4 Aug 2010 16:06:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.708
X-Spam-Level:
X-Spam-Status: No, score=-9.708 tagged_above=-999 required=5 tests=[AWL=0.541, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 43VVXwSR4-mu; Wed, 4 Aug 2010 16:06:57 -0700 (PDT)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by core3.amsl.com (Postfix) with ESMTP id 9536A3A6A89; Wed, 4 Aug 2010 16:06:56 -0700 (PDT)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id o74N7Ogm023663 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 5 Aug 2010 01:07:24 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201008042307.o74N7NbH022733@fs4113.wdf.sap.corp>
To: yngve@opera.com
Date: Thu, 05 Aug 2010 01:07:22 +0200
In-Reply-To: <op.vgxmfsfrqrq7tp@acorna.invalid.invalid> from "Yngve N. Pettersen" at Aug 4, 10 11:10:30 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal06
X-SAP: out
Cc: pkix@ietf.org, tmiller@mitre.org, tls@ietf.org
Subject: Re: [TLS] [pkix] New version of Multiple OCSP mode of Certificate
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Aug 2010 23:06:59 -0000
Yngve N. Pettersen wrote: > > On Wed, 04 Aug 2010 22:39:08 +0200, Martin Rex <mrex@sap.com> wrote: > > > Marsh Ray wrote: > >> > >> For example, is this outbound connection willing to authenticate with > >> the credentials of the user? Nearly every form of user credentials have > >> turned out to be forwardable in one way or another. > > > > Possible problems;+ > > > > That crafted AIA-request could potentially "leak" information, > > including sensitive information through a protocol of the attackers > > choice to a target of the attackers choice (cookies, other > > http-header-field contents, http-refererrers, basic authentication > > credentials). > > Opera's AIA/OCSP/CRL requests are sent with cookies, referrers, etc. > disabled; and additionally anything which would cause a user-interaction > will immediately cause the request to fail. I'm slightly more concerned about what MSIE will do, because that is still a pretty common browser supplied to IT departments... The issue is, that it is so easy to get it wrong, that some implementations are going to get it wrong. If commercial CAs issue X.509v3 CA(!) certs without Basic Constraints and KeyUsage, and none of the browser vendors complains about this, but instead ship it as pretrusted, then I have little hope about this one. > > > That crafted AIA-request could be accessing resources that are not > > accessible to the attacker himself with a protocol of the attackers > > choice > > and result in reaction that help the attacker in carrying out a more > > complex attack (like opening ports on a NAT-style firewall). > > Opera have policies in place that prevent many kinds of cross > network-category attacks, including that one. Huh? How? The idea to check digital signatures only with trusted keying material is that an attacker can not entice you to verify digital signatures with megabit-sized keys that aren't trusted anyway. While I could think of effective plausibility checks for key sizes, it is currently unclear to me how you limit to which hosts AIA could connect. An attacker could certainly add an IP-address of your internal network to a DNS zone under his control, and what about HTTP redirects? > > As for AIA itself, I will note that it is documented in RFC 5280, sec. > 4.2.2.1 for precisely the purpose it is being used for by Opera > > In a public key certificate, the id-ad-caIssuers OID is used when the > additional information lists certificates that were issued to the CA > that issued the certificate containing this extension. The > referenced CA issuers description is intended to aid certificate > users in the selection of a certification path that terminates at a > point trusted by the certificate user. Well, at least rfc-5280 includes the conscious user firmly within the loop of "aid certificate users in the seledtion of a certification path". The concern that I've been voicing is AIA-retrieval without involving the conscious decision of a user to access a arbitrary resource from a completely untrusted potential attacker. > > The kind of crafted URLs you are concerned about can also be injected by > way of OCSP and CRL URLs, and OCSP is AFAICT actually supported by more > clients than AIA CA. That is incorrect. The path validation algorithm checks cryptographic correctness and certificate (attribute) validity starting at a trust anchor first, and ONLY when that succeeds, CRLs and OCSP is checked. So when doing path validation correctly, you never access untrusted CRL and OCSP resources. > > Also, injecting those URLs also indicate either the ability to trick the > user into visiting the malicious site, or the attacker already have > complete control over the user's unencrypted connection, in which case > there are far easier ways to inject such URLs for most purposes. A user that only ever used HTTPS to access only sites that he trusts was originally protected from attackers capable of blindly injecting a ServerHello+ServerCertificate data into the receiving side of a new TCP to someone elses Web Server on port 443. (or any other outgoing protocol involving SSL/TLS for generic TLS implementations other than browsers with AIA-retrieval). The use of SSL should make users of that technology _more_ secure, and avoid "adding value" of the kind of an significant additional attack surface to the software and environment of the user. Concerning sensible client behaviour: 3 years ago I received an S/Mime signed EMail confirming the order of a replacement keycard for my (company car) from the maintenance contractor. There were two certs included in the S/Mime signature (signature cert of contractors employee and cert of an intermediateCA), but the Root CA (CN=RootCA <Car-Manufacturer>, O=<car-manufacturer>" was missing and is not publicly available (I still don't have it today). While MS CryptoAPI might be capable and willing to perform extremely dangerous things as secretly accessing arbitrary attacker-supplied AIA-cert-locations, I find myself completely unable (w2k3) to mark that intermediateCA cert as trusted and get the signature verified. (the option to select the signer cert as trusted is greyed out, which might be a group/domain policy issue either based on dumb defaults or deliberate choice of an uninformed admin). So by leaving it up to implementors to come up with sensible implementation choices for security-relevant characteristics, you may easily end up with something that's both insecure and usability-impaired... -Martin
- [TLS] New version of Multiple OCSP mode of Certif… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] New version of Multiple OCSP mode of Ce… Adam Langley
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve Nysaeter Pettersen
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve N. Pettersen
- Re: [TLS] New version of Multiple OCSP mode of Ce… Adam Langley
- Re: [TLS] New version of Multiple OCSP mode of Ce… Brian Smith
- Re: [TLS] New version of Multiple OCSP mode of Ce… Brian Smith
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve N. Pettersen
- Re: [TLS] New version of Multiple OCSP mode of Ce… Rob Stradling
- Re: [TLS] New version of Multiple OCSP mode of Ce… Rob Stradling
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve Nysaeter Pettersen
- Re: [TLS] New version of Multiple OCSP mode of Ce… Peter Gutmann
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve Nysaeter Pettersen
- Re: [TLS] New version of Multiple OCSP mode of Ce… Brian Smith
- Re: [TLS] New version of Multiple OCSP mode of Ce… Peter Gutmann
- Re: [TLS] New version of Multiple OCSP mode of Ce… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Rob Stradling
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve Nysaeter Pettersen
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Yngve Nysaeter Pettersen
- Re: [TLS] New version of Multiple OCSP mode of Ce… Martin Rex
- Re: [TLS] New version of Multiple OCSP mode of Ce… Adam Langley
- Re: [TLS] New version of Multiple OCSP mode of Ce… Martin Rex
- Re: [TLS] New version of Multiple OCSP mode of Ce… Martin Rex
- Re: [TLS] New version of Multiple OCSP mode of Ce… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] New version of Multiple OCSP mode of Ce… Marsh Ray
- Re: [TLS] New version of Multiple OCSP mode of Ce… Martin Rex
- Re: [TLS] New version of Multiple OCSP mode of Ce… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Miller, Timothy J.
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Marsh Ray
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Miller, Timothy J.
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Miller, Timothy J.
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Rob Stradling
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Miller, Timothy J.
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Dr Stephen Henson
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Martin Rex
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Nicolas Williams
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Peter Gutmann
- Re: [TLS] [pkix] New version of Multiple OCSP mod… Miller, Timothy J.
- Re: [TLS] [pkix] Accessing arbitrary AIA URLs Matt McCutchen