Re: [Unbearable] HTTPS Token Binding with TLS Terminating Reverse Proxies

Brian Campbell <bcampbell@pingidentity.com> Mon, 17 July 2017 10:54 UTC

In-Reply-To: <CAF-CG+LLji-peqisnw4MfFPe6dWqYOGEYnOK_7jhPyonVUct6g@mail.gmail.com>
References: <CA+k3eCTV7Lpn5j-7agVQ_q9iHhx397WdNf6Ys8fwZD+RJgGMzg@mail.gmail.com> <CAF-CG+LLji-peqisnw4MfFPe6dWqYOGEYnOK_7jhPyonVUct6g@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 17 Jul 2017 12:53:30 +0200
Message-ID: <CA+k3eCTPv-90jkig2zfT-bXAxh-p4-tbZOn6Dfzn80G7m5UCYw@mail.gmail.com>
To: Piotr Sikora <piotrsikora@google.com>
Cc: IETF Tokbind WG <unbearable@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/ZvkoPKbalZOT1jfxTWQLwjQlS4c>

To be honest, I didn't have a specific attack vector or security/privacy
implication in mind around that. It just seemed like something that should
generally be part of reverse proxy setup. Do you think it's too
restrictive/prescriptive? Or do you know of some use case where a reverse
proxy wouldn't know/trust the servers that it sits in front of?

On Mon, Jul 17, 2017 at 12:37 PM, Piotr Sikora <piotrsikora@google.com>
wrote:

> Hey Brian,
> looks good, thanks for working on that!
>
> One question:
>
> >   Reverse proxies SHOULD only add the headers to requests that are
> >   forwarded to trusted backend servers.
>
> Why? What's the attack vector, security and/or privacy implications here?
>
> Best regards,
> Piotr Sikora
>
> On Fri, Jul 14, 2017 at 6:59 PM, Brian Campbell
> <bcampbell@pingidentity.com> wrote:
> > Just a not-so-subtle reminder that HTTPS Token Binding with TLS Terminating
> > Reverse Proxies is one of the agenda items for Monday's meeting in Prague
> > and it would be great if there was some familiarity with it going into the
> > meeting. It's relatively short as drafts go, if you're looking for something
> > to read en route to the meeting:
> > https://tools.ietf.org/html/draft-campbell-tokbind-ttrp-00

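Added example for the "SHOULD only add the headers to requests that are forwarded to trusted backend servers" point discussed above. This is illustrative code written for this archive page, not code from the draft or from anyone in the thread. The header names `Sec-Provided-Token-Binding-ID` and `Sec-Referred-Token-Binding-ID`, the trusted-backend list, and the base64url TB ID values are all assumptions or constructed samples; the message itself does not name the headers. The example also shows a companion hardening step the message does not discuss: dropping any same-named headers that arrive from the client, so a backend can only ever see a value the proxy itself set.

```python
"""Header policy for a TLS-terminating reverse proxy that validates Token
Binding on the client connection and conveys the Token Binding ID to a
backend (illustrative example, not the draft's or the thread's code).

Assumptions: header names follow the Sec-Provided-Token-Binding-ID /
Sec-Referred-Token-Binding-ID pattern (assumed, not stated on the page);
TB IDs arrive already base64url-encoded; the TLS layer has already
validated the Token Binding message before these functions run.
"""
from typing import Dict, Optional

# Headers owned by the proxy. Anything with these names coming from the
# client is untrusted and is stripped before forwarding.
PROVIDED_HDR = "Sec-Provided-Token-Binding-ID"
REFERRED_HDR = "Sec-Referred-Token-Binding-ID"
PROXY_OWNED = {PROVIDED_HDR.lower(), REFERRED_HDR.lower()}

# Backends the proxy trusts with the validated binding (constructed sample
# configuration; in practice this comes from the proxy's upstream config).
TRUSTED_BACKENDS = {"app.internal.example", "api.internal.example"}


def strip_proxy_owned_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Drop client-supplied copies of the proxy-owned headers (case-insensitive)."""
    return {k: v for k, v in headers.items() if k.lower() not in PROXY_OWNED}


def build_forwarded_headers(
    client_headers: Dict[str, str],
    backend_host: str,
    provided_tbid: Optional[str] = None,
    referred_tbid: Optional[str] = None,
) -> Dict[str, str]:
    """Return the header set to forward to backend_host.

    provided_tbid / referred_tbid are the base64url Token Binding IDs the
    proxy validated on the client's TLS connection, or None when the client
    did not negotiate Token Binding. Only trusted backends receive them.
    """
    forwarded = strip_proxy_owned_headers(client_headers)
    if backend_host not in TRUSTED_BACKENDS:
        # Untrusted backend: forward the request with no binding information.
        return forwarded
    if provided_tbid is not None:
        forwarded[PROVIDED_HDR] = provided_tbid
    if referred_tbid is not None:
        forwarded[REFERRED_HDR] = referred_tbid
    return forwarded


if __name__ == "__main__":
    # Constructed request: the client tries to smuggle in its own TB ID header.
    incoming = {
        "Host": "www.example",
        "sec-provided-token-binding-id": "client-supplied-value",
        "Cookie": "session=abc",
    }
    validated_tbid = "AgBBQ...constructed-base64url-tbid"
    print(build_forwarded_headers(incoming, "app.internal.example", validated_tbid))
    print(build_forwarded_headers(incoming, "partner.external.example", validated_tbid))
```

The trusted-backend check is the policy from the draft text quoted in the thread; the stripping step is what stops a client from presenting a forged binding to a backend that only sees the proxy's headers.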