Re: [Unbearable] HTTPS Token Binding with TLS Terminating Reverse Proxies

Piotr Sikora <piotrsikora@google.com> Mon, 17 July 2017 13:35 UTC

Return-Path: <piotrsikora@google.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC3DF131BA9 for <unbearable@ietfa.amsl.com>; Mon, 17 Jul 2017 06:35:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lgzMeOpB2UL5 for <unbearable@ietfa.amsl.com>; Mon, 17 Jul 2017 06:35:13 -0700 (PDT)
Received: from mail-ua0-x236.google.com (mail-ua0-x236.google.com [IPv6:2607:f8b0:400c:c08::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE2C9131B9A for <unbearable@ietf.org>; Mon, 17 Jul 2017 06:35:13 -0700 (PDT)
Received: by mail-ua0-x236.google.com with SMTP id b64so24238782uab.0 for <unbearable@ietf.org>; Mon, 17 Jul 2017 06:35:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=MESW+WttgoZI9/Ls5tvKjBM/Ai9Bj6x6YHUyzi4rTsA=; b=ZQffXkWvfo5atDu7qdoFFMsf1iQRSZcHM7qZv7rxlLhc1K/2mk71tYeTRqrEJ7+0TW OcZfldx4b+Uc/fTiFP+K0nn9A0/MULCBqlMWJWJbSufsPv+AO8axLMi76EBAVPav77eK YnF0oXHY0xy5MtAevlLmCtomlBoLGnyC6r78xNP+8TnCfveJiIgw2DkcvOLKF3B1cfV1 WKdnWytD1Xxzmll1p2E6aW+C/duCb5K5m6aq6QOca9fzyVwazcEqyWMOAL8bUu6wsoJ4 KFeuTwpCOAxochcM1gD6nDV3t6vBGWolumHoDVAUuCr+WnQjr3UN5YSDQyp0c5E9TZ6T qQYg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=MESW+WttgoZI9/Ls5tvKjBM/Ai9Bj6x6YHUyzi4rTsA=; b=n8fPalglNnCC9cx5GaULFLV1Y939rMU95AAmQNIf1g3Cv54JhWRZ/ucVfFKrcsHlti d437DkMBy9NKS7r5qmZ5YSLeCG+oK8pqgLdzISqmmYKRLZrPWZJw7jVj7yC2BcwqRoWl wCFEYRcfwcvUCcdILmY4nUURwcyg0TwhF0psm2YPk5RM6GFjF1Sbyf6xEN8QK3tozO55 gLaoh+r7V3D3SYxzlQ0U9BYS4eyHEPwdGhT/L1OaQOB8GAbigrYXZKYB2fSW/ZkG0zv8 zlTaImbn/W02TgGq8Aud0nI/PdH4369+0aofZbiy1P0fiQRsZ3XAKKbOh5sw6y6CC/Fl a+kA==
X-Gm-Message-State: AIVw111HQ6IFkL6qx0daMclUUuy3FbyD8w/HI8VZxXXYfLVwSAieZquR 5IcAU9KwtwnsuHwE1cToaJqsVRNXnyMr
X-Received: by 10.159.49.19 with SMTP id m19mr12620478uab.46.1500298512436; Mon, 17 Jul 2017 06:35:12 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.176.67 with HTTP; Mon, 17 Jul 2017 06:35:11 -0700 (PDT)
In-Reply-To: <CA+k3eCSxEZyL60p=fLjrEniLU8kxy3CXs0sZftg-s-COtESwTA@mail.gmail.com>
References: <CA+k3eCTV7Lpn5j-7agVQ_q9iHhx397WdNf6Ys8fwZD+RJgGMzg@mail.gmail.com> <CAF-CG+LLji-peqisnw4MfFPe6dWqYOGEYnOK_7jhPyonVUct6g@mail.gmail.com> <CA+k3eCTPv-90jkig2zfT-bXAxh-p4-tbZOn6Dfzn80G7m5UCYw@mail.gmail.com> <CAF-CG+JOZCsgxdKH+c6GCMuuh_kDL30chvLHxZQ1+UJPJ1Zxew@mail.gmail.com> <CA+k3eCSxEZyL60p=fLjrEniLU8kxy3CXs0sZftg-s-COtESwTA@mail.gmail.com>
From: Piotr Sikora <piotrsikora@google.com>
Date: Mon, 17 Jul 2017 15:35:11 +0200
Message-ID: <CAF-CG+KUb9rz5je0JEdr-6fwjegpbj_t8fh8KcREpUsXVcAhmQ@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: IETF Tokbind WG <unbearable@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/O0IpppyyEqMrQjEkyEi8p8CeBGA>
Subject: Re: [Unbearable] HTTPS Token Binding with TLS Terminating Reverse Proxies
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jul 2017 13:35:16 -0000

Well, it's kind of given that requests are sent only to backends that
are configured for a particular domain. That applies to whole
requests, and not only to Provided-Token-Binding-ID header, so I think
this is unnecessary restriction that will only confuse readers.

Best regards,
Piotr Sikora

On Mon, Jul 17, 2017 at 2:29 PM, Brian Campbell
<bcampbell@pingidentity.com>; wrote:
> For any given domain, a CDN would know the origin server(s) where it should
> forward requests it cannot fulfill, right?
>
> That's what I was trying to get at in the statement in the draft - that the
> reverse proxy only dispatch requests to origin sever(s) known/configured to
> be associated with the domain of the original request. Perhaps "trust" isn't
> the right word and that sentence can be reworded to be more reflective of
> that? Or is such a restriction/requirement so implicit in the deployment of
> any reverse proxy so doesn't need any treatment in this document?
>
> On Mon, Jul 17, 2017 at 1:18 PM, Piotr Sikora <piotrsikora@google.com>;
> wrote:
>>
>> Hey Brian,
>> from the CDN point of view, all backend servers are untrusted, but I
>> don't see any reason why CDNs shouldn't forward
>> Provided-Token-Binding-ID to the origin servers.
>>
>> Also, Token Binding is supposed to protect Cookies (among other
>> things), which don't have such restriction, so this seems unnecessary.
>>
>> Best regards,
>> Piotr Sikora
>>
>> On Mon, Jul 17, 2017 at 12:53 PM, Brian Campbell
>> <bcampbell@pingidentity.com>; wrote:
>> > To be honest, I didn't have a specific attack vector or security/privacy
>> > implication in mind around that. It just seemed like something that
>> > should
>> > generally be part of reverse proxy set up. Do you think it's too
>> > restrictive/perspective? Or do you know of some use-case where a reverse
>> > proxy wouldn't know/trust the servers that it sits in front of?
>> >
>> > On Mon, Jul 17, 2017 at 12:37 PM, Piotr Sikora <piotrsikora@google.com>;
>> > wrote:
>> >>
>> >> Hey Brian,
>> >> looks good, thanks for working on that!
>> >>
>> >> One question:
>> >>
>> >> >   Reverse proxies SHOULD only add the headers to requests that are
>> >> >   forwarded to trusted backend servers.
>> >>
>> >> Why? What's the attack vector, security and/or privacy implications
>> >> here?
>> >>
>> >> Best regards,
>> >> Piotr Sikora
>> >>
>> >> On Fri, Jul 14, 2017 at 6:59 PM, Brian Campbell
>> >> <bcampbell@pingidentity.com>; wrote:
>> >> > Just a not-so-subtle reminder that HTTPS Token Binding with TLS
>> >> > Terminating
>> >> > Reverse Proxies is one of the agenda items for Monday's meeting in
>> >> > Prague
>> >> > and it would be great if there was some familiarity with it going
>> >> > into
>> >> > the
>> >> > meeting. It's relativity short as drafts go, if you're looking for
>> >> > something
>> >> > to read en route to the meeting:
>> >> > https://tools.ietf.org/html/draft-campbell-tokbind-ttrp-00
>> >> >
>> >> > CONFIDENTIALITY NOTICE: This email may contain confidential and
>> >> > privileged
>> >> > material for the sole use of the intended recipient(s). Any review,
>> >> > use,
>> >> > distribution or disclosure by others is strictly prohibited.  If you
>> >> > have
>> >> > received this communication in error, please notify the sender
>> >> > immediately
>> >> > by e-mail and delete the message and any file attachments from your
>> >> > computer. Thank you.
>> >> > _______________________________________________
>> >> > Unbearable mailing list
>> >> > Unbearable@ietf.org
>> >> > https://www.ietf.org/mailman/listinfo/unbearable
>> >> >
>> >
>> >
>> >
>> > CONFIDENTIALITY NOTICE: This email may contain confidential and
>> > privileged
>> > material for the sole use of the intended recipient(s). Any review, use,
>> > distribution or disclosure by others is strictly prohibited.  If you
>> > have
>> > received this communication in error, please notify the sender
>> > immediately
>> > by e-mail and delete the message and any file attachments from your
>> > computer. Thank you.
>
>
>
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged
> material for the sole use of the intended recipient(s). Any review, use,
> distribution or disclosure by others is strictly prohibited.  If you have
> received this communication in error, please notify the sender immediately
> by e-mail and delete the message and any file attachments from your
> computer. Thank you.