Re: [TLS] Connection diversion to other subdomains
Matt McCutchen <matt@mattmccutchen.net> Mon, 01 November 2010 03:42 UTC
Return-Path: <matt@mattmccutchen.net>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B737E3A6860 for <tls@core3.amsl.com>; Sun, 31 Oct 2010 20:42:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[none]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VJgaTh4S-UpJ for <tls@core3.amsl.com>; Sun, 31 Oct 2010 20:42:41 -0700 (PDT)
Received: from homiemail-a60.g.dreamhost.com (caiajhbdcbhh.dreamhost.com [208.97.132.177]) by core3.amsl.com (Postfix) with ESMTP id C14913A67A7 for <tls@ietf.org>; Sun, 31 Oct 2010 20:42:38 -0700 (PDT)
Received: from homiemail-a60.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a60.g.dreamhost.com (Postfix) with ESMTP id D01D83BC06A; Sun, 31 Oct 2010 20:42:38 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=mattmccutchen.net; h=subject:from :to:cc:in-reply-to:references:content-type:date:message-id :mime-version:content-transfer-encoding; q=dns; s= mattmccutchen.net; b=JulmIpuwhmKfpjP5ezs+4BzfDZO35NtUFvFPrSKmlPF o/5bcOA6xE/5IwAiwuELq6DqEVugwwsqb4TVyUCEBcS4JaNcql3SzQPUL4Dxqijt N+s7rY1QwMLnEhaagwH6FzWxekNDJ7yjukhfwNRjzO//NS5N9+ALD0Y6Tg9c6fNE =
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=mattmccutchen.net; h= subject:from:to:cc:in-reply-to:references:content-type:date :message-id:mime-version:content-transfer-encoding; s= mattmccutchen.net; bh=lXykAe5wbZ0pLV0Fpo7zSURPtVg=; b=ZnP2MYI/dP sD9pjwWhc6D23mYtYpox/OiO64LO11/MMxVqYhCMdf/ykh8XMDCPtcfN8OA5oLo2 5GtEDxxdc8tgAp8Lhz0dJA6e3UZDg8Jze63BMsgsxzFtcksWLwHsoIQ6nPGYdF1L QemMeiakNU+2+NUybgLmaAlfjU6RkcgW8=
Received: from [129.2.249.209] (ml2.student.umd.edu [129.2.249.209]) (Authenticated sender: matt@mattmccutchen.net) by homiemail-a60.g.dreamhost.com (Postfix) with ESMTPA id 8D6993BC069; Sun, 31 Oct 2010 20:42:38 -0700 (PDT)
From: Matt McCutchen <matt@mattmccutchen.net>
To: aerowolf@gmail.com
In-Reply-To: <gfuk1zfabvh7hh552nJYNxe982v3j_gmsm@mail.gmail.com>
References: <gfuk1zfabvh7hh552nJYNxe982v3j_gmsm@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Date: Sun, 31 Oct 2010 23:42:32 -0400
Message-ID: <1288582952.6095.25.camel@mattlaptop2.local>
Mime-Version: 1.0
X-Mailer: Evolution 2.30.4
Content-Transfer-Encoding: 7bit
Cc: IETF TLS WG <tls@ietf.org>
Subject: Re: [TLS] Connection diversion to other subdomains
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Nov 2010 03:42:42 -0000
On Thu, 2010-10-28 at 21:20 -0700, aerowolf@gmail.com wrote: > On Wed, Oct 27, 2010 at 9:01 PM, Matt McCutchen <matt@mattmccutchen.net> wrote: > > [re SNI and Host header mismatch] > > How can I get the message out to holders of wildcard certificates that > > they should prevent this attack? > > First, what would your proposed remedy be? What do you think the best > behavior would be? Where would you put whatever check you propose in > the processing chain of the server? If a web server gets a request over TLS with a Host header that doesn't match any of the sites it is supposed to serve, it should return an HTTP error instead of serving content from some "default" site. Ideally, the error should not convey false information about the real server (e.g., 404 would be bad). There's no error code that exactly fits the situation; 400, 403, and 503 are decent. Perhaps a new error code could be allocated. If the server gets a TLS connection with a bad server_name extension, it would be even better to go ahead and fail the handshake with an "unrecognized_name" error. Apache mod_ssl currently is not capable of doing this; I might enter an enhancement request. -- Matt
- Re: [TLS] Connection diversion to other subdomains aerowolf
- Re: [TLS] Connection diversion to other subdomains Matt McCutchen
- Re: [TLS] Connection diversion to other subdomains Matt McCutchen
- Re: [TLS] Connection diversion to other subdomains Jeffrey A. Williams
- Re: [TLS] Connection diversion to other subdomains Matt McCutchen