Re: [Unbearable] HTTPS Token Binding with TLS Terminating Reverse Proxies
Brian Campbell <bcampbell@pingidentity.com> Mon, 17 July 2017 12:30 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C257C131B6C for <unbearable@ietfa.amsl.com>; Mon, 17 Jul 2017 05:30:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w_UbZwuSE8TV for <unbearable@ietfa.amsl.com>; Mon, 17 Jul 2017 05:30:16 -0700 (PDT)
Received: from mail-pf0-x22e.google.com (mail-pf0-x22e.google.com [IPv6:2607:f8b0:400e:c00::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DAE8131668 for <unbearable@ietf.org>; Mon, 17 Jul 2017 05:30:11 -0700 (PDT)
Received: by mail-pf0-x22e.google.com with SMTP id q85so75816587pfq.1 for <unbearable@ietf.org>; Mon, 17 Jul 2017 05:30:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=v90piOS4TF2AyIUrN+iWIL6PxNn5WfuEOf8XpdA1XN4=; b=Wy1jmOCbSZLOEPb9JLcDr96icC69V+Jv6DTti5ufjqv1G2Dr+JMCuBqeqbI6MoS9Ib mWExVEqvJqAcrp34uMf702VApFFhpRipNoxD4id6DFzidboXAfsxZvgyv5UbgXLSCepE XSt4tPBxAfUHzBjOEBUapknbm9Ufx4SEOnnCQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=v90piOS4TF2AyIUrN+iWIL6PxNn5WfuEOf8XpdA1XN4=; b=BGhsobG39+5HEfC3IEgKil2gEKy2gaK0T4Q9sbgSy38pPwUujKkhYeNFaFqwddmC+M ciAA0SSD30mR9ch+8pf4nx2S0kPe/PyPVUOdwCuyJjvWUBsiMPbAKsRwFsoI6mwrtTGG xumi0dlnlwNdjrF5bkrFot1fOD1DZrchTXEbj3jNKM0STEKhM1WC82Xsz7F2L5ZBIl/L gxLyQuSHYiLNdcsgue0qGT3lb/+C1gPow8A/dOZUGLaAVlVsI7esZmRdRaiWy6QbEnsh rRJrPik7o1rBDdnXu4DMmUuFCW2FlLYmKdT6PwHA2CQvT95wbAmxvqD3+b/xKuj5zubA UWpg==
X-Gm-Message-State: AIVw111W6dhSy5nJ4vWNZlLuC/SL6bJ59S2gJ3iWOn8aWk5S4LqoFfh6 hH9/8B7ga5rx04otpOnnDHKdRTXdvzdapktaFTWJqJsWcN8qD+jMmSglPHqn/w6xMJ9eAkQSUzt kcVx5LDSoCDY=
X-Received: by 10.98.217.10 with SMTP id s10mr978898pfg.204.1500294610820; Mon, 17 Jul 2017 05:30:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.145.87 with HTTP; Mon, 17 Jul 2017 05:29:40 -0700 (PDT)
In-Reply-To: <CAF-CG+JOZCsgxdKH+c6GCMuuh_kDL30chvLHxZQ1+UJPJ1Zxew@mail.gmail.com>
References: <CA+k3eCTV7Lpn5j-7agVQ_q9iHhx397WdNf6Ys8fwZD+RJgGMzg@mail.gmail.com> <CAF-CG+LLji-peqisnw4MfFPe6dWqYOGEYnOK_7jhPyonVUct6g@mail.gmail.com> <CA+k3eCTPv-90jkig2zfT-bXAxh-p4-tbZOn6Dfzn80G7m5UCYw@mail.gmail.com> <CAF-CG+JOZCsgxdKH+c6GCMuuh_kDL30chvLHxZQ1+UJPJ1Zxew@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 17 Jul 2017 14:29:40 +0200
Message-ID: <CA+k3eCSxEZyL60p=fLjrEniLU8kxy3CXs0sZftg-s-COtESwTA@mail.gmail.com>
To: Piotr Sikora <piotrsikora@google.com>
Cc: IETF Tokbind WG <unbearable@ietf.org>
Content-Type: multipart/alternative; boundary="f403045cc3a2563dc00554828fc9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/UkR3Sli8vNngA07hWxJSZlU4TBE>
Subject: Re: [Unbearable] HTTPS Token Binding with TLS Terminating Reverse Proxies
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jul 2017 12:30:25 -0000
For any given domain, a CDN would know the origin server(s) where it should forward requests it cannot fulfill, right? That's what I was trying to get at in the statement in the draft - that the reverse proxy only dispatch requests to origin sever(s) known/configured to be associated with the domain of the original request. Perhaps "trust" isn't the right word and that sentence can be reworded to be more reflective of that? Or is such a restriction/requirement so implicit in the deployment of any reverse proxy so doesn't need any treatment in this document? On Mon, Jul 17, 2017 at 1:18 PM, Piotr Sikora <piotrsikora@google.com> wrote: > Hey Brian, > from the CDN point of view, all backend servers are untrusted, but I > don't see any reason why CDNs shouldn't forward > Provided-Token-Binding-ID to the origin servers. > > Also, Token Binding is supposed to protect Cookies (among other > things), which don't have such restriction, so this seems unnecessary. > > Best regards, > Piotr Sikora > > On Mon, Jul 17, 2017 at 12:53 PM, Brian Campbell > <bcampbell@pingidentity.com> wrote: > > To be honest, I didn't have a specific attack vector or security/privacy > > implication in mind around that. It just seemed like something that > should > > generally be part of reverse proxy set up. Do you think it's too > > restrictive/perspective? Or do you know of some use-case where a reverse > > proxy wouldn't know/trust the servers that it sits in front of? > > > > On Mon, Jul 17, 2017 at 12:37 PM, Piotr Sikora <piotrsikora@google.com> > > wrote: > >> > >> Hey Brian, > >> looks good, thanks for working on that! > >> > >> One question: > >> > >> > Reverse proxies SHOULD only add the headers to requests that are > >> > forwarded to trusted backend servers. > >> > >> Why? What's the attack vector, security and/or privacy implications > here? > >> > >> Best regards, > >> Piotr Sikora > >> > >> On Fri, Jul 14, 2017 at 6:59 PM, Brian Campbell > >> <bcampbell@pingidentity.com> wrote: > >> > Just a not-so-subtle reminder that HTTPS Token Binding with TLS > >> > Terminating > >> > Reverse Proxies is one of the agenda items for Monday's meeting in > >> > Prague > >> > and it would be great if there was some familiarity with it going into > >> > the > >> > meeting. It's relativity short as drafts go, if you're looking for > >> > something > >> > to read en route to the meeting: > >> > https://tools.ietf.org/html/draft-campbell-tokbind-ttrp-00 > >> > > >> > CONFIDENTIALITY NOTICE: This email may contain confidential and > >> > privileged > >> > material for the sole use of the intended recipient(s). Any review, > use, > >> > distribution or disclosure by others is strictly prohibited. If you > >> > have > >> > received this communication in error, please notify the sender > >> > immediately > >> > by e-mail and delete the message and any file attachments from your > >> > computer. Thank you. > >> > _______________________________________________ > >> > Unbearable mailing list > >> > Unbearable@ietf.org > >> > https://www.ietf.org/mailman/listinfo/unbearable > >> > > > > > > > > > CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged > > material for the sole use of the intended recipient(s). Any review, use, > > distribution or disclosure by others is strictly prohibited. If you have > > received this communication in error, please notify the sender > immediately > > by e-mail and delete the message and any file attachments from your > > computer. Thank you. > -- *CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.*
- [Unbearable] HTTPS Token Binding with TLS Termina… Brian Campbell
- Re: [Unbearable] HTTPS Token Binding with TLS Ter… Amos Jeffries
- Re: [Unbearable] HTTPS Token Binding with TLS Ter… Brian Campbell
- Re: [Unbearable] HTTPS Token Binding with TLS Ter… Piotr Sikora
- Re: [Unbearable] HTTPS Token Binding with TLS Ter… Brian Campbell
- Re: [Unbearable] HTTPS Token Binding with TLS Ter… Piotr Sikora
- Re: [Unbearable] HTTPS Token Binding with TLS Ter… Brian Campbell
- Re: [Unbearable] HTTPS Token Binding with TLS Ter… Piotr Sikora
- Re: [Unbearable] HTTPS Token Binding with TLS Ter… Brian Campbell