Re: [Unbearable] HTTPS Token Binding with TLS Terminating Reverse Proxies
Amos Jeffries <squid3@treenet.co.nz> Fri, 14 July 2017 21:24 UTC
Return-Path: <squid3@treenet.co.nz>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0FBC129B33 for <unbearable@ietfa.amsl.com>; Fri, 14 Jul 2017 14:24:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.109
X-Spam-Level:
X-Spam-Status: No, score=-1.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RDNS_NONE=0.793, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vyuzKL0IupgI for <unbearable@ietfa.amsl.com>; Fri, 14 Jul 2017 14:23:59 -0700 (PDT)
Received: from treenet.co.nz (unknown [121.99.228.82]) by ietfa.amsl.com (Postfix) with ESMTP id 2DD63129AA8 for <unbearable@ietf.org>; Fri, 14 Jul 2017 14:23:56 -0700 (PDT)
Received: from [192.168.137.92] (unknown [121.98.43.66]) by treenet.co.nz (Postfix) with ESMTPA id 9A38666044C; Sat, 15 Jul 2017 09:23:53 +1200 (NZST)
To: Brian Campbell <bcampbell@pingidentity.com>, IETF Tokbind WG <unbearable@ietf.org>
References: <CA+k3eCTV7Lpn5j-7agVQ_q9iHhx397WdNf6Ys8fwZD+RJgGMzg@mail.gmail.com>
From: Amos Jeffries <squid3@treenet.co.nz>
Message-ID: <b196fedc-15d9-6de1-cda2-7d0908b813db@treenet.co.nz>
Date: Sat, 15 Jul 2017 09:23:52 +1200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <CA+k3eCTV7Lpn5j-7agVQ_q9iHhx397WdNf6Ys8fwZD+RJgGMzg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/ZhvPHIjnchJ6H-9xAnMP5YXR9nc>
Subject: Re: [Unbearable] HTTPS Token Binding with TLS Terminating Reverse Proxies
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Jul 2017 21:24:01 -0000
On 15/07/17 04:59, Brian Campbell wrote: > Just a not-so-subtle reminder that HTTPS Token Binding with TLS > Terminating Reverse Proxies is one of the agenda items for Monday's > meeting in Prague and it would be great if there was some familiarity > with it going into the meeting. It's relativity short as drafts go, if > you're looking for something to read en route to the meeting: > https://tools.ietf.org/html/draft-campbell-tokbind-ttrp-00 > <https://tools.ietf.org/html/draft-campbell-tokbind-ttrp-00> > I wont be at the meeting. But reviewing anyway. Several of the processing requirements in section 2.2 appear to be re-inventing already existing HTTP mechanisms without referencing them, nor integrating with them to support proxies that only implement HTTP - not TB. Firstly; Section 2.2 bullet item #1 places a normative MUST requirement on removing "Sec-Token-Binding" header from the clients request when forwarding. Since the TLS connection is one "hop" this duplicates HTTP hop-by-hop header requirements. Such headers are governed by RFC 7230 section 6.1 and required (also a normative MUST) to be listed in the HTTP Connection header by the sender. Such that even if the receiving proxy is not implementing this specification, it will still fail-safe by removing the header. Secondly; Section 2.2 bullet item #4 and the paragraph following it define the same behaviour for the "Provided-Token-Binding-ID" and "Referred-Token-Binding-ID" headers. These two are not such a clear case of hop-by-hop since without the TLS there is the possibility of other hops between reverse-proxy and origin server. I believe it still worth at least referencing the HTTP Connection header as something that SHOULD be used to improve secure behaviour for messages containing those headers - the exception being when there are known to be multiple HTTP hops within the backend network. NP: I know the TLS layer should be negotiating use of TB, so the sender "knows" the recipient implements this draft. But there is a possibility of the TLS decryption being done by other software than the HTTP processing, or opaquely relayed by an agent that negotiates TB, while the HTTP is processed by a proxy that does not support it. Use of the HTTP Connection header ensure the TB security is maintained even in those type of misconfiguration scenarios. AYJ
- [Unbearable] HTTPS Token Binding with TLS Termina… Brian Campbell
- Re: [Unbearable] HTTPS Token Binding with TLS Ter… Amos Jeffries
- Re: [Unbearable] HTTPS Token Binding with TLS Ter… Brian Campbell
- Re: [Unbearable] HTTPS Token Binding with TLS Ter… Piotr Sikora
- Re: [Unbearable] HTTPS Token Binding with TLS Ter… Brian Campbell
- Re: [Unbearable] HTTPS Token Binding with TLS Ter… Piotr Sikora
- Re: [Unbearable] HTTPS Token Binding with TLS Ter… Brian Campbell
- Re: [Unbearable] HTTPS Token Binding with TLS Ter… Piotr Sikora
- Re: [Unbearable] HTTPS Token Binding with TLS Ter… Brian Campbell