IETF Logo Mail Archive

Re: [TLS] cross-domain cache sharing and 0rtt

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 04 January 2017 04:29 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B438129532 for <tls@ietfa.amsl.com>; Tue, 3 Jan 2017 20:29:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5
X-Spam-Level:
X-Spam-Status: No, score=-5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-3.1] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y253VWQhEtgd for <tls@ietfa.amsl.com>; Tue, 3 Jan 2017 20:29:15 -0800 (PST)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) by ietfa.amsl.com (Postfix) with ESMTP id 03D7A129530 for <tls@ietf.org>; Tue, 3 Jan 2017 20:29:14 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id CA8B8146C9; Wed, 4 Jan 2017 06:29:12 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id HRQbHGGMNC_1; Wed, 4 Jan 2017 06:29:12 +0200 (EET)
Received: from LK-Perkele-V2 (87-92-51-204.bb.dnainternet.fi [87.92.51.204]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 2E54421C; Wed, 4 Jan 2017 06:29:12 +0200 (EET)
Date: Wed, 04 Jan 2017 06:29:01 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Benjamin Kaduk <bkaduk@akamai.com>
Message-ID: <20170104042901.GA21843@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CAMfhd9Urd1DWF9yhMdhvx1AcKyB4-E7Qy+tzqz_-1RpXR+Wp1w@mail.gmail.com> <79db4a88-e435-2e5b-47a5-9048acef45e2@cs.tcd.ie> <CABcZeBObcWUjdHhysLG1K0TbJfiqN+XCERn6WaMjWzgU0XC65A@mail.gmail.com> <582703ab-4340-35e7-a3d2-45dd606f10a1@cs.tcd.ie> <CABcZeBMx3zJ07pbj0bPBMrAcrK_Q4HVDcbCx_2B1DnyCOJeE-g@mail.gmail.com> <CAMfhd9Xt400wyOqvREWMXPL2_gsAJsZRqmRAFLq9tKzOKuqnjA@mail.gmail.com> <20161230124420.GA11229@LK-Perkele-V2.elisa-laajakaista.fi> <5e06f30a-2f29-0c1f-432b-ed02c7f6c5ae@akamai.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <5e06f30a-2f29-0c1f-432b-ed02c7f6c5ae@akamai.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/wFhkaE7sktcfWjrS2H4lagxDDv8>
Cc: Adam Langley <agl@imperialviolet.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] cross-domain cache sharing and 0rtt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jan 2017 04:29:17 -0000

On Tue, Jan 03, 2017 at 06:14:23PM -0600, Benjamin Kaduk wrote:
> On 12/30/2016 06:44 AM, Ilari Liusvaara wrote:
> > On Thu, Dec 29, 2016 at 02:45:53PM -0800, Adam Langley wrote:
> >>
> >> An attacker could redirect a 0-RTT handshake that was destined to S1
> >> and feed it to S2. If S2 ignores the SNI value (common) it could
> >> accept and process the 0-RTT data even though it was destined for S1.
> > Sounds like standard-issue default-vhost attack (which are sadly
> > common security issues in https://).
> >  
> 
> Somehow, I feel like adding text in the 1.3 spec that servers should not
> do this is not really going to help anyone.

I think it is much more HTTP-layer issue than TLS issue. After all, the
authoritative vhost info is available on HTTP layer. The TLS layer info
is not authoritative, especially in HTTP/2.

The last point is especially as coalescing information in HTTP/2 can
not be considered authenticatied (so attacker can trigger coalescing).

> >> However, in that case TLS 1.2 is probably also affected because S2
> >> would likely process a 1.2 handshake that was destined to S1 as well.
> >> (Even without a shared ticket key or session cache.) See
> >> http://antoine.delignat-lavaud.fr/doc/www15.pdf for more.
> > You mean redirecting full handshake meant for s1.example.com to
> > s2.example.com? Or redirecting a TLS 1.2 resumption handshake?
> 
> Naively, if s1 and s2 share cert and private key, and ignore the SNI, it
> seems like redirecting a full handshake would work.  But I didn't think
> about it very hard.

Actually, I think it would work if you merely have cross-valid 
selected certs. No need to share private key or even ignore SNI.

I'm aware of at least one TLS library that under no circumstances
ignores SNI for certificate selection (SNI with no known certificate
is always fatal error, and the returned certificate is always valid for
the name in SNI), but still can have redirect full handshakes if both
sides merely have a certificate that is valid for the other (no need
to share a key).



-Ilari

v2.23.0 | Report a Bug | By Email