Re: [Unbearable] More thoughts on reverse-proxies

Brian Campbell <> Thu, 03 August 2017 19:44 UTC


Yeah, there are advantages and disadvantages to both approaches. The
approach of providing the EKM to the back-end was what I wrote up in my
first cut individual draft. But as John mentioned, the winds of WG
consensus moved to the other approach being written up and adopted as a WG

From a standardization standpoint, I believe that documenting only a single
approach is important to avoid confusion and facilitate interop and
adoption. But nothing is requiring anyone to follow the (hopefully someday)
RFC approach - it is intended for off-the-shelf products (including open
source) and services that need to be mixed and matched in deployments and
work together. A large scale deployment that owns all the infrastructure
is, of course, free to do it however is deemed most appropriate. Similarly,
the approach the NGINX module uses has value and will be appropriate for
some deployments. But I don't see value in standardization of it.

On Thu, Aug 3, 2017 at 10:09 AM, Bill Cox <> wrote:

> Grr... my finger muscle memory expects TAB to indent, not set the focus on
> SEND.  This is my #1 gmail complaint.  I can't see what I'm typing very
> well, and Chrome does not work with my Linux screen reader (yet - I'm
> working on that), so I can't hear it either.  I make this mistake often.
> Sorry!
>
> Anyway, the advantages of TB verification in the back-end are:
>
> - The application can continue processing the request in parallel with TB
> verification.  If it is done in the front-end, this adds ~120us in series
> to every request.
>
> - Requests that don't need TB signature verification don't see the
> signature verification overhead.  This can be a high fraction of requests.
>
> - 0-RTT replay protection is very expensive in the proxy, but cheap in the
> cookie back-end.  A large organization may have several different types of
> reverse proxies, and replay protection has to be developed and maintained
> for each.  However, they only need one back-end cache for TB replay
> protection.  0-RTT replay protection forces proxies to communicate over an
> entire metro area, slowing everything down by maybe 1ms for every
> resumption.  This does not happen with replay protection in the TB
> verification back-end.
>
> A downside is likely worse protection against cookie theft and reuse.
> Applications typically only verify auth cookies for new sessions, IIUC, so
> the TB credentials would not be checked.
>
> On Thu, Aug 3, 2017 at 8:47 AM, Bill Cox <> wrote:
>
>> I like the TTRP spec, but there are at least two other modes of operation
>> a reverse proxy might want to use.
>>
>> The simplest way for an organization that uses NGINX to enable token
>> binding is to use Piotr's token-binding module
>> <>.  Piotr did great work on
>> that, but there is room for improvement, such as using a more modern and
>> shorter MAC appended to the cookie.  Would it make sense to have an RFC for
>> this mode of operation?  That way, javascript that manipulates the cookie
>> cleartext would be simpler to write: it would only have to look for one
>> token-bound cookie format.
>>
>> The other mode of operation is one I favor for large scale deployments:
>> The proxy could compute the EKM value needed for verification and pass this
>> in a new header to the back-end.  Then, the cookie server could verify
>> cookie TB signatures in the back-end.  This scheme has several advantages:
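The "EKM in a header" mode Bill describes (the proxy exports the Token Binding EKM from its TLS connection and forwards it; the cookie back-end verifies the client's TokenBinding signature over it, keeps the single shared replay cache, and checks that the cookie is bound to the presenting key) as an added Go example. It is not code from this thread, from the TTRP draft, or from Piotr's NGINX module. It follows the Token Binding wire format later published as RFC 8471 for the ecdsap256 key type only, the signed data being tokenbinding_type || key_parameters || EKM with a 64-byte r||s signature. Assumptions: the proxy's header name (X-Token-Binding-EKM) is invented; the EKM value is constructed rather than exported from a real connection (a Go proxy would call tls.ConnectionState.ExportKeyingMaterial("EXPORTER-Token-Binding", nil, 32)); base64 decoding of the Sec-Token-Binding header into its fields is left out; the replay cache is a toy map.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// RFC 8471 section 3 values: provided_token_binding, ecdsap256, EKM length in bytes.
const tbTypeProvided, tbKeyECDSAP256, ekmLen = byte(0), byte(2), 32

// signedData is what the signature covers (RFC 8471 3.3): type || key_parameters || EKM.
func signedData(tbType, keyParams byte, ekm []byte) []byte {
	return append([]byte{tbType, keyParams}, ekm...)
}

// encodeTokenBindingID: key_parameters(1) || key_length(2) || point_len(1) || 0x04||X||Y.
func encodeTokenBindingID(pub *ecdsa.PublicKey) []byte {
	id := make([]byte, 69)
	copy(id, []byte{tbKeyECDSAP256, 0x00, 66, 65, 0x04})
	pub.X.FillBytes(id[5:37])
	pub.Y.FillBytes(id[37:69])
	return id
}

// parseTokenBindingID is the inverse; anything but a well-formed ecdsap256 ID is rejected.
func parseTokenBindingID(id []byte) (*ecdsa.PublicKey, error) {
	if len(id) != 69 || !bytes.Equal(id[:5], []byte{tbKeyECDSAP256, 0x00, 66, 65, 0x04}) {
		return nil, errors.New("malformed or unsupported TokenBindingID")
	}
	x, y := new(big.Int).SetBytes(id[5:37]), new(big.Int).SetBytes(id[37:69])
	if !elliptic.P256().IsOnCurve(x, y) {
		return nil, errors.New("public key point is not on P-256")
	}
	return &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, nil
}

// clientSign plays the browser: sign this connection's EKM; return TokenBindingID and r||s.
func clientSign(priv *ecdsa.PrivateKey, ekm []byte) ([]byte, []byte, error) {
	digest := sha256.Sum256(signedData(tbTypeProvided, tbKeyECDSAP256, ekm))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, nil, err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return encodeTokenBindingID(&priv.PublicKey), sig, nil
}

// ReplayCache is the one shared back-end cache Bill contrasts with per-proxy replay protection (toy: unsynchronized, never expires).
type ReplayCache map[[32]byte]bool

func (c ReplayCache) firstUse(tbID, ekm, sig []byte) bool {
	h := sha256.Sum256(bytes.Join([][]byte{tbID, ekm, sig}, nil))
	if c[h] {
		return false
	}
	c[h] = true
	return true
}

// VerifyProvidedTB is the back-end check: ekm is what the proxy forwarded in a header
// (assumed name, e.g. X-Token-Binding-EKM); the back-end itself never touches TLS.
func VerifyProvidedTB(cache ReplayCache, tbID, sig, ekm []byte) error {
	if len(ekm) != ekmLen || len(sig) != 64 {
		return errors.New("EKM must be 32 bytes and an ecdsap256 signature 64 bytes (r||s)")
	}
	pub, err := parseTokenBindingID(tbID)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(signedData(tbTypeProvided, tbKeyECDSAP256, ekm))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return errors.New("signature does not match this connection's EKM")
	}
	if !cache.firstUse(tbID, ekm, sig) {
		return errors.New("token binding already presented (0-RTT replay)")
	}
	return nil
}

// CookieBoundTo ties a cookie to the signing key: the cookie stores sha256(TokenBindingID)
// at issuance, and this must run on every request, not only at session creation.
func CookieBoundTo(cookieTBHash [32]byte, tbID []byte) bool {
	return sha256.Sum256(tbID) == cookieTBHash
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ekm := bytes.Repeat([]byte{0xA5}, ekmLen) // constructed; a real proxy exports it from TLS
	tbID, sig, _ := clientSign(priv, ekm)
	cache := ReplayCache{}
	fmt.Println(VerifyProvidedTB(cache, tbID, sig, ekm), VerifyProvidedTB(cache, tbID, sig, ekm))
}
```

The second VerifyProvidedTB call in main is rejected by the replay cache, which is the cheap back-end replay protection Bill contrasts with coordinating every proxy across a metro area; a signature presented with another connection's EKM fails the ecdsa.Verify step, which is what makes a stolen cookie useless without the client's key. CookieBoundTo is separate on purpose: the downside Bill notes is that applications verify the auth cookie only for new sessions, so the binding check has to be wired into every request, not just session creation.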
