IETF Logo Mail Archive

Re: [Unbearable] HTTPS Token Binding with TLS Terminating Reverse Proxies

Brian Campbell <bcampbell@pingidentity.com> Tue, 18 July 2017 05:17 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8892D12706D for <unbearable@ietfa.amsl.com>; Mon, 17 Jul 2017 22:17:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZVADNNdeNrxt for <unbearable@ietfa.amsl.com>; Mon, 17 Jul 2017 22:17:31 -0700 (PDT)
Received: from mail-pf0-x231.google.com (mail-pf0-x231.google.com [IPv6:2607:f8b0:400e:c00::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01F0D126557 for <unbearable@ietf.org>; Mon, 17 Jul 2017 22:17:31 -0700 (PDT)
Received: by mail-pf0-x231.google.com with SMTP id e199so5678404pfh.2 for <unbearable@ietf.org>; Mon, 17 Jul 2017 22:17:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=fGDXqVQISF9emqwy05tL7ccqxeLR62/uIEPXVxJ+hf4=; b=hJzMPwaJl9PURqG0zhYz3agt9gD2aAYnv1r1AazBqwNh60DjxOhoL7KlOyz5Pv02D3 EG4tK+isuEXIQR85RQtuM1OX6eE2a2QO0ivCq2Aun8DbLmzk5/b9jnWG6qBFHcfD0NKa xioB6WOzScmLp3BlL0xu1yNjjRK8DEv0mOWOM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=fGDXqVQISF9emqwy05tL7ccqxeLR62/uIEPXVxJ+hf4=; b=q1+X+4cBiYUs1N2UlPiC/nVeh4dySHpurcqZcq/FunyAHK2Kaajz9HqBVU0CZiKNLr tCv9r7+ZQhR+VXFIwAZbLYy9SVwIGSv9Fs7XvPQj4WSfQwarl0x0THGGJ4XxEh6Z6DEg qubRT1u/HRo/A/QLvLEmi54oAqJ8FmxxEPT+XQYa/fgdX//kCc3IL5qVn3/M/HzWLuIo sGdPvtzKf+dxBHja78HkoEjB217EN5KsMJyyrKNtTElVVWr2VzDlO26t6zKlsWuMBNnd OD294LQjqpMiLTW34wpdfsMo+QMVpG+zhAKJMhQaNvN9HBjswVIY3DazRpnyUsoEmm8F 5aKA==
X-Gm-Message-State: AIVw112oI8/d9TrRPSIMJceMhMWS2O6ebeO2CA154drsL8mUmwaZAKHI 3ac+ZvA+IhHQNETTKft6Tu4hwY6+YVOfnM1GMp2DxSQzi2p7iy2qISDSvnaemXAG6zMdiEI+paD PxUks9U3+xWo=
X-Received: by 10.84.179.36 with SMTP id a33mr1275237plc.144.1500355050511; Mon, 17 Jul 2017 22:17:30 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.145.87 with HTTP; Mon, 17 Jul 2017 22:16:59 -0700 (PDT)
In-Reply-To: <CAF-CG+KUb9rz5je0JEdr-6fwjegpbj_t8fh8KcREpUsXVcAhmQ@mail.gmail.com>
References: <CA+k3eCTV7Lpn5j-7agVQ_q9iHhx397WdNf6Ys8fwZD+RJgGMzg@mail.gmail.com> <CAF-CG+LLji-peqisnw4MfFPe6dWqYOGEYnOK_7jhPyonVUct6g@mail.gmail.com> <CA+k3eCTPv-90jkig2zfT-bXAxh-p4-tbZOn6Dfzn80G7m5UCYw@mail.gmail.com> <CAF-CG+JOZCsgxdKH+c6GCMuuh_kDL30chvLHxZQ1+UJPJ1Zxew@mail.gmail.com> <CA+k3eCSxEZyL60p=fLjrEniLU8kxy3CXs0sZftg-s-COtESwTA@mail.gmail.com> <CAF-CG+KUb9rz5je0JEdr-6fwjegpbj_t8fh8KcREpUsXVcAhmQ@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 18 Jul 2017 07:16:59 +0200
Message-ID: <CA+k3eCSzj8kuX2t-ja8wUMAhae9DPeJ9OSyrzOTb1nQTxsErwQ@mail.gmail.com>
To: Piotr Sikora <piotrsikora@google.com>
Cc: IETF Tokbind WG <unbearable@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c13ead0d2bd6d055490a1f3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/XlnZhQSAF52YnCU4zV2DOo7QThU>
Subject: Re: [Unbearable] HTTPS Token Binding with TLS Terminating Reverse Proxies
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jul 2017 05:17:33 -0000

Fair enough. I'll plan to remove the sentence in a future draft.

Thanks for the review and feedback, Piotr.

On Mon, Jul 17, 2017 at 3:35 PM, Piotr Sikora <piotrsikora@google.com>
wrote:

> Well, it's kind of given that requests are sent only to backends that
> are configured for a particular domain. That applies to whole
> requests, and not only to Provided-Token-Binding-ID header, so I think
> this is unnecessary restriction that will only confuse readers.
>
> Best regards,
> Piotr Sikora
>
> On Mon, Jul 17, 2017 at 2:29 PM, Brian Campbell
> <bcampbell@pingidentity.com> wrote:
> > For any given domain, a CDN would know the origin server(s) where it
> should
> > forward requests it cannot fulfill, right?
> >
> > That's what I was trying to get at in the statement in the draft - that
> the
> > reverse proxy only dispatch requests to origin sever(s) known/configured
> to
> > be associated with the domain of the original request. Perhaps "trust"
> isn't
> > the right word and that sentence can be reworded to be more reflective of
> > that? Or is such a restriction/requirement so implicit in the deployment
> of
> > any reverse proxy so doesn't need any treatment in this document?
> >
> > On Mon, Jul 17, 2017 at 1:18 PM, Piotr Sikora <piotrsikora@google.com>
> > wrote:
> >>
> >> Hey Brian,
> >> from the CDN point of view, all backend servers are untrusted, but I
> >> don't see any reason why CDNs shouldn't forward
> >> Provided-Token-Binding-ID to the origin servers.
> >>
> >> Also, Token Binding is supposed to protect Cookies (among other
> >> things), which don't have such restriction, so this seems unnecessary.
> >>
> >> Best regards,
> >> Piotr Sikora
> >>
> >> On Mon, Jul 17, 2017 at 12:53 PM, Brian Campbell
> >> <bcampbell@pingidentity.com> wrote:
> >> > To be honest, I didn't have a specific attack vector or
> security/privacy
> >> > implication in mind around that. It just seemed like something that
> >> > should
> >> > generally be part of reverse proxy set up. Do you think it's too
> >> > restrictive/perspective? Or do you know of some use-case where a
> reverse
> >> > proxy wouldn't know/trust the servers that it sits in front of?
> >> >
> >> > On Mon, Jul 17, 2017 at 12:37 PM, Piotr Sikora <
> piotrsikora@google.com>
> >> > wrote:
> >> >>
> >> >> Hey Brian,
> >> >> looks good, thanks for working on that!
> >> >>
> >> >> One question:
> >> >>
> >> >> >   Reverse proxies SHOULD only add the headers to requests that are
> >> >> >   forwarded to trusted backend servers.
> >> >>
> >> >> Why? What's the attack vector, security and/or privacy implications
> >> >> here?
> >> >>
> >> >> Best regards,
> >> >> Piotr Sikora
> >> >>
> >> >> On Fri, Jul 14, 2017 at 6:59 PM, Brian Campbell
> >> >> <bcampbell@pingidentity.com> wrote:
> >> >> > Just a not-so-subtle reminder that HTTPS Token Binding with TLS
> >> >> > Terminating
> >> >> > Reverse Proxies is one of the agenda items for Monday's meeting in
> >> >> > Prague
> >> >> > and it would be great if there was some familiarity with it going
> >> >> > into
> >> >> > the
> >> >> > meeting. It's relativity short as drafts go, if you're looking for
> >> >> > something
> >> >> > to read en route to the meeting:
> >> >> > https://tools.ietf.org/html/draft-campbell-tokbind-ttrp-00
> >> >> >
> >> >> > CONFIDENTIALITY NOTICE: This email may contain confidential and
> >> >> > privileged
> >> >> > material for the sole use of the intended recipient(s). Any review,
> >> >> > use,
> >> >> > distribution or disclosure by others is strictly prohibited.  If
> you
> >> >> > have
> >> >> > received this communication in error, please notify the sender
> >> >> > immediately
> >> >> > by e-mail and delete the message and any file attachments from your
> >> >> > computer. Thank you.
> >> >> > _______________________________________________
> >> >> > Unbearable mailing list
> >> >> > Unbearable@ietf.org
> >> >> > https://www.ietf.org/mailman/listinfo/unbearable
> >> >> >
> >> >
> >> >
> >> >
> >> > CONFIDENTIALITY NOTICE: This email may contain confidential and
> >> > privileged
> >> > material for the sole use of the intended recipient(s). Any review,
> use,
> >> > distribution or disclosure by others is strictly prohibited.  If you
> >> > have
> >> > received this communication in error, please notify the sender
> >> > immediately
> >> > by e-mail and delete the message and any file attachments from your
> >> > computer. Thank you.
> >
> >
> >
> > CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged
> > material for the sole use of the intended recipient(s). Any review, use,
> > distribution or disclosure by others is strictly prohibited.  If you have
> > received this communication in error, please notify the sender
> immediately
> > by e-mail and delete the message and any file attachments from your
> > computer. Thank you.
>

-- 
*CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you.*

v2.23.0 | Report a Bug | By Email