Re: [Unbearable] sec-token-binding header in the wild
Nick Harper <nharper@google.com> Wed, 15 February 2017 23:58 UTC
In-Reply-To: <D833FDDA-37B6-42EC-847D-471D97AB96E8@ve7jtb.com>
References: <0d90fcf0-0ec7-448c-d0ad-0385062400b9@KingsMountain.com> <06A6B2F5-9026-4B30-A099-EB3B8F8AEFB4@ve7jtb.com> <CACdeXi+3dnOcnWffc3wP2WMs3VhWGcmvG2StXKM1JZ8bMVebgQ@mail.gmail.com> <0A2CF74F-D5FE-48EF-B9AC-0F06BA1DE1D7@ve7jtb.com> <CACdeXiJobbVzGr13-FO4YmO8r3Jmsc_y4Lp1ME_sA1MwZtThPg@mail.gmail.com> <D833FDDA-37B6-42EC-847D-471D97AB96E8@ve7jtb.com>
From: Nick Harper <nharper@google.com>
Date: Wed, 15 Feb 2017 15:58:27 -0800
Message-ID: <CACdeXiK3typxf+KzH5ksJSpZG6iDSP1_14d9D2NzMCZs3bEK9w@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/0Yf9qo0MrwJlS3_6m2ZqNLCcwek>
Cc: IETF TokBind WG <unbearable@ietf.org>, =JeffH Hodges <Jeff.Hodges@kingsmountain.com>
Subject: Re: [Unbearable] sec-token-binding header in the wild
List-Id: "This list is for discussion of proposals for doing better than bearer tokens (e.g. HTTP cookies, OAuth tokens etc.) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks." <unbearable.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
I've occasionally seen the "Provisional headers are shown" message - I think
that comes up if the request is served from cache, in which case it makes
sense that there's no sec-token-binding header since there was no request
that went to a server.

On Wed, Feb 15, 2017 at 3:55 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> Yes I see it. The extension must have been filtering out those headers.
>
> I can’t explain what Jeff is seeing.
>
> John B.
>
> On Feb 15, 2017, at 8:49 PM, Nick Harper <nharper@google.com> wrote:
>
> I'm using the network tab of chrome's built-in dev tools to view the
> headers (Ctrl+Shift+I, or kebab menu > more tools > developer tools). As
> long as the flag is flipped in chrome://flags, it should be negotiating
> token binding, but I don't know how that extension might be interfering.
>
> On Wed, Feb 15, 2017 at 3:46 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
>> I tried 56.0.2924.87 and 58.0.3013.0 OSX and 58.0.3007 (ChromeOS) with
>> no luck.
>>
>> It might be the extension to capture headers that is messing me up.
>>
>> What are you using? I used the HTTP trace extension.
>>
>> John B.
>>
>> On Feb 15, 2017, at 8:36 PM, Nick Harper <nharper@google.com> wrote:
>>
>> I see the sec-token-binding header for both www.google.com and
>> www.chromium.org from chrome on os x (version 56.0.2924.87).
>>
>> On Wed, Feb 15, 2017 at 3:29 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>
>>> Strange I see them on both sites with Edge.
>>>
>>> With chrome on osx and windows I am not seeing them after turning on the
>>> flag and restarting.
>>>
>>> I don’t know if the header capture is messing with it somehow.
>>>
>>> Google.cl negotiated TB with Edge.
>>>
>>> John B.
>>>
>>> > On Feb 15, 2017, at 6:12 PM, =JeffH <Jeff.Hodges@KingsMountain.com> wrote:
>>> >
>>> > fyi/fwiw...
>>> >
>>> > target: https://www.chromium.org/
>>> >
>>> > sec-token-binding:AIkAAgBBQMaFRvLPy1uUBZer64ZluK8oBJ8kpcnO84kmCX29demwilh57_4gqlqRLBcZ_dh8x9KdN6TQQZWciZlGmhZp3sUAQFWhQBmwYSLGqlQ59KCOsYpn7Ex1dB_L5bAUTdEjd98Y5CY7NY6aczxi2gC7I6xEMAC4tONGdNOjoALTLt72REUAAA
>>> >
>>> > I used the built-in chrome developer tools to examine the request
>>> > headers and obtain the above STB
>>> >
>>> > [ innarestingly enuff, if one targets https://www.google.com/, it
>>> > seems developer tools only displays the below...
>>> >
>>> > Provisional headers are shown
>>> > Referer:https://www.google.com/
>>> > User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6)
>>> > AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
>>> > ]
>>> >
>>> > _______________________________________________
>>> > Unbearable mailing list
>>> > Unbearable@ietf.org
>>> > https://www.ietf.org/mailman/listinfo/unbearable
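The header value JeffH captured above is a base64url-encoded TokenBindingMessage as laid out in draft-ietf-tokbind-protocol (published later as RFC 8471). The decoder below is an added example, not code from this thread or from Chrome. It walks the length-prefixed structure (message length, TokenBindingType, TokenBindingKeyParameters, the 64-byte P-256 point, the 64-byte signature, the extensions vector), rejects truncated or duplicate bindings, builds the bytes the signature covers (type || key parameters || the 32-byte TLS exporter value, which only the two TLS endpoints can derive and which is taken as an input here, not computed), and checks that the parsed key is really a point on P-256. The function names and the dict layout are my own choices, not anything the draft defines.

```python
# Added example, not code from the thread or from Chrome: decodes a
# Sec-Token-Binding header value using the TokenBindingMessage wire format
# of draft-ietf-tokbind-protocol (later RFC 8471). Standard library only.
import base64

# The value JeffH captured from https://www.chromium.org/ (quoted in the
# thread; only the mail client's line wrapping has been removed).
CAPTURED_STB = (
    "AIkAAgBBQMaFRvLPy1uUBZer64ZluK8oBJ8kpcnO84"
    "kmCX29demwilh57_4gqlqRLBcZ_dh8x9KdN6TQQZWciZlGmhZp3sUAQFWhQB"
    "mwYSLGqlQ59KCOsYpn7Ex1dB_L5bAUTdEjd98Y5CY7NY6aczxi2gC7I6xEMA"
    "C4tONGdNOjoALTLt72REUAAA"
)
TOKEN_BINDING_TYPES = {0: "provided_token_binding", 1: "referred_token_binding"}
KEY_PARAMETERS = {0: "rsa2048_pkcs1.5", 1: "rsa2048_pss", 2: "ecdsap256"}
# NIST P-256 domain parameters, used for a cheap sanity check on the key.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def b64url_decode(value):
    """The header is base64url without padding; restore padding, then decode."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


class _Reader:
    """Cursor over bytes with TLS-style length-prefixed vectors."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated TokenBindingMessage")
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return chunk
    def u8(self):
        return self.take(1)[0]
    def vec(self, width):  # opaque v<..>: big-endian length prefix of `width` bytes
        return self.take(int.from_bytes(self.take(width), "big"))
    def done(self):
        return self.pos == len(self.data)


def parse_token_binding_id(r):
    """TokenBindingID: key_parameters(1) || key_length(2) || key body."""
    kp = r.u8()
    if kp not in KEY_PARAMETERS:
        raise ValueError("unknown TokenBindingKeyParameters %d" % kp)
    body = _Reader(r.vec(2))
    if kp == 2:
        point = body.vec(1)                 # TB_ECDSAP256.point = X || Y
        if len(point) != 64:
            raise ValueError("ecdsap256 point must be 64 bytes")
        key = {"x": int.from_bytes(point[:32], "big"),
               "y": int.from_bytes(point[32:], "big")}
    else:                                   # RSAPublicKey: modulus, publicexponent
        key = {"modulus": body.vec(2), "exponent": body.vec(1)}
    if not body.done():
        raise ValueError("trailing bytes inside TokenBindingID")
    return kp, key


def parse_token_binding_message(header_value):
    """Decode one Sec-Token-Binding value into a list of TokenBinding dicts."""
    outer = _Reader(b64url_decode(header_value))
    msg = _Reader(outer.vec(2))             # tokenbindings<132..2^16-1>
    if not outer.done() or len(msg.data) < 132:
        raise ValueError("malformed TokenBindingMessage framing")
    bindings, seen = [], set()
    while not msg.done():
        tb_type = msg.u8()
        if tb_type not in TOKEN_BINDING_TYPES or tb_type in seen:
            raise ValueError("bad or duplicate TokenBindingType %d" % tb_type)
        seen.add(tb_type)                   # at most one provided, one referred
        kp, key = parse_token_binding_id(msg)
        signature = msg.vec(2)              # opaque signature<64..2^16-1>
        if len(signature) < 64:
            raise ValueError("signature shorter than 64 bytes")
        extensions = msg.vec(2)             # Extension extensions<0..2^16-1>
        bindings.append({"type": TOKEN_BINDING_TYPES[tb_type],
                         "key_parameters": KEY_PARAMETERS[kp], "public_key": key,
                         "signature": signature, "extensions": extensions})
    return bindings


def signed_data(tb_type, key_parameters, ekm):
    """Bytes the signature covers: type || key_parameters || 32-byte EKM
    (TLS exporter, label "EXPORTER-Token-Binding", no context; supplied by caller)."""
    if len(ekm) != 32:
        raise ValueError("EKM must be 32 bytes")
    return bytes([tb_type, key_parameters]) + ekm


def is_on_p256(x, y):
    """True if (x, y) satisfies y^2 = x^3 - 3x + b in the P-256 field."""
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    return (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0


if __name__ == "__main__":
    for tb in parse_token_binding_message(CAPTURED_STB):
        pk = tb["public_key"]
        print(tb["type"], tb["key_parameters"], len(tb["signature"]),
              "on_curve=%s" % is_on_p256(pk["x"], pk["y"]))
```

Run stand-alone, it decodes the captured value to one provided_token_binding with ecdsap256 key parameters, a 64-byte signature and an empty extensions vector, 139 bytes in total. Verifying the signature itself needs the exporter value from the TLS connection that carried the request, so a header lifted from a capture like this one cannot be verified (or usefully replayed) after the fact; that is the property the header is designed to have.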
- [Unbearable] sec-token-binding header in the wild =JeffH
- Re: [Unbearable] sec-token-binding header in the … John Bradley
- Re: [Unbearable] sec-token-binding header in the … Nick Harper
- Re: [Unbearable] sec-token-binding header in the … John Bradley
- Re: [Unbearable] sec-token-binding header in the … Nick Harper
- Re: [Unbearable] sec-token-binding header in the … John Bradley
- Re: [Unbearable] sec-token-binding header in the … Nick Harper
- Re: [Unbearable] sec-token-binding header in the … =JeffH