IETF Logo Mail Archive

Re: [Unbearable] HTTPS Token Binding with TLS Terminating Reverse Proxies

Brian Campbell <bcampbell@pingidentity.com> Mon, 17 July 2017 12:30 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C257C131B6C for <unbearable@ietfa.amsl.com>; Mon, 17 Jul 2017 05:30:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w_UbZwuSE8TV for <unbearable@ietfa.amsl.com>; Mon, 17 Jul 2017 05:30:16 -0700 (PDT)
Received: from mail-pf0-x22e.google.com (mail-pf0-x22e.google.com [IPv6:2607:f8b0:400e:c00::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DAE8131668 for <unbearable@ietf.org>; Mon, 17 Jul 2017 05:30:11 -0700 (PDT)
Received: by mail-pf0-x22e.google.com with SMTP id q85so75816587pfq.1 for <unbearable@ietf.org>; Mon, 17 Jul 2017 05:30:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=v90piOS4TF2AyIUrN+iWIL6PxNn5WfuEOf8XpdA1XN4=; b=Wy1jmOCbSZLOEPb9JLcDr96icC69V+Jv6DTti5ufjqv1G2Dr+JMCuBqeqbI6MoS9Ib mWExVEqvJqAcrp34uMf702VApFFhpRipNoxD4id6DFzidboXAfsxZvgyv5UbgXLSCepE XSt4tPBxAfUHzBjOEBUapknbm9Ufx4SEOnnCQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=v90piOS4TF2AyIUrN+iWIL6PxNn5WfuEOf8XpdA1XN4=; b=BGhsobG39+5HEfC3IEgKil2gEKy2gaK0T4Q9sbgSy38pPwUujKkhYeNFaFqwddmC+M ciAA0SSD30mR9ch+8pf4nx2S0kPe/PyPVUOdwCuyJjvWUBsiMPbAKsRwFsoI6mwrtTGG xumi0dlnlwNdjrF5bkrFot1fOD1DZrchTXEbj3jNKM0STEKhM1WC82Xsz7F2L5ZBIl/L gxLyQuSHYiLNdcsgue0qGT3lb/+C1gPow8A/dOZUGLaAVlVsI7esZmRdRaiWy6QbEnsh rRJrPik7o1rBDdnXu4DMmUuFCW2FlLYmKdT6PwHA2CQvT95wbAmxvqD3+b/xKuj5zubA UWpg==
X-Gm-Message-State: AIVw111W6dhSy5nJ4vWNZlLuC/SL6bJ59S2gJ3iWOn8aWk5S4LqoFfh6 hH9/8B7ga5rx04otpOnnDHKdRTXdvzdapktaFTWJqJsWcN8qD+jMmSglPHqn/w6xMJ9eAkQSUzt kcVx5LDSoCDY=
X-Received: by 10.98.217.10 with SMTP id s10mr978898pfg.204.1500294610820; Mon, 17 Jul 2017 05:30:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.145.87 with HTTP; Mon, 17 Jul 2017 05:29:40 -0700 (PDT)
In-Reply-To: <CAF-CG+JOZCsgxdKH+c6GCMuuh_kDL30chvLHxZQ1+UJPJ1Zxew@mail.gmail.com>
References: <CA+k3eCTV7Lpn5j-7agVQ_q9iHhx397WdNf6Ys8fwZD+RJgGMzg@mail.gmail.com> <CAF-CG+LLji-peqisnw4MfFPe6dWqYOGEYnOK_7jhPyonVUct6g@mail.gmail.com> <CA+k3eCTPv-90jkig2zfT-bXAxh-p4-tbZOn6Dfzn80G7m5UCYw@mail.gmail.com> <CAF-CG+JOZCsgxdKH+c6GCMuuh_kDL30chvLHxZQ1+UJPJ1Zxew@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 17 Jul 2017 14:29:40 +0200
Message-ID: <CA+k3eCSxEZyL60p=fLjrEniLU8kxy3CXs0sZftg-s-COtESwTA@mail.gmail.com>
To: Piotr Sikora <piotrsikora@google.com>
Cc: IETF Tokbind WG <unbearable@ietf.org>
Content-Type: multipart/alternative; boundary="f403045cc3a2563dc00554828fc9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/UkR3Sli8vNngA07hWxJSZlU4TBE>
Subject: Re: [Unbearable] HTTPS Token Binding with TLS Terminating Reverse Proxies
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jul 2017 12:30:25 -0000

For any given domain, a CDN would know the origin server(s) where it should
forward requests it cannot fulfill, right?

That's what I was trying to get at in the statement in the draft - that the
reverse proxy only dispatch requests to origin sever(s) known/configured to
be associated with the domain of the original request. Perhaps "trust"
isn't the right word and that sentence can be reworded to be more
reflective of that? Or is such a restriction/requirement so implicit in the
deployment of any reverse proxy so doesn't need any treatment in this
document?

On Mon, Jul 17, 2017 at 1:18 PM, Piotr Sikora <piotrsikora@google.com>
wrote:

> Hey Brian,
> from the CDN point of view, all backend servers are untrusted, but I
> don't see any reason why CDNs shouldn't forward
> Provided-Token-Binding-ID to the origin servers.
>
> Also, Token Binding is supposed to protect Cookies (among other
> things), which don't have such restriction, so this seems unnecessary.
>
> Best regards,
> Piotr Sikora
>
> On Mon, Jul 17, 2017 at 12:53 PM, Brian Campbell
> <bcampbell@pingidentity.com> wrote:
> > To be honest, I didn't have a specific attack vector or security/privacy
> > implication in mind around that. It just seemed like something that
> should
> > generally be part of reverse proxy set up. Do you think it's too
> > restrictive/perspective? Or do you know of some use-case where a reverse
> > proxy wouldn't know/trust the servers that it sits in front of?
> >
> > On Mon, Jul 17, 2017 at 12:37 PM, Piotr Sikora <piotrsikora@google.com>
> > wrote:
> >>
> >> Hey Brian,
> >> looks good, thanks for working on that!
> >>
> >> One question:
> >>
> >> >   Reverse proxies SHOULD only add the headers to requests that are
> >> >   forwarded to trusted backend servers.
> >>
> >> Why? What's the attack vector, security and/or privacy implications
> here?
> >>
> >> Best regards,
> >> Piotr Sikora
> >>
> >> On Fri, Jul 14, 2017 at 6:59 PM, Brian Campbell
> >> <bcampbell@pingidentity.com> wrote:
> >> > Just a not-so-subtle reminder that HTTPS Token Binding with TLS
> >> > Terminating
> >> > Reverse Proxies is one of the agenda items for Monday's meeting in
> >> > Prague
> >> > and it would be great if there was some familiarity with it going into
> >> > the
> >> > meeting. It's relativity short as drafts go, if you're looking for
> >> > something
> >> > to read en route to the meeting:
> >> > https://tools.ietf.org/html/draft-campbell-tokbind-ttrp-00
> >> >
> >> > CONFIDENTIALITY NOTICE: This email may contain confidential and
> >> > privileged
> >> > material for the sole use of the intended recipient(s). Any review,
> use,
> >> > distribution or disclosure by others is strictly prohibited.  If you
> >> > have
> >> > received this communication in error, please notify the sender
> >> > immediately
> >> > by e-mail and delete the message and any file attachments from your
> >> > computer. Thank you.
> >> > _______________________________________________
> >> > Unbearable mailing list
> >> > Unbearable@ietf.org
> >> > https://www.ietf.org/mailman/listinfo/unbearable
> >> >
> >
> >
> >
> > CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged
> > material for the sole use of the intended recipient(s). Any review, use,
> > distribution or disclosure by others is strictly prohibited.  If you have
> > received this communication in error, please notify the sender
> immediately
> > by e-mail and delete the message and any file attachments from your
> > computer. Thank you.
>

-- 
*CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you.*

v2.23.0 | Report a Bug | By Email