Re: [Unbearable] sec-token-binding header in the wild
Nick Harper <nharper@google.com> Wed, 15 February 2017 23:50 UTC
In-Reply-To: <0A2CF74F-D5FE-48EF-B9AC-0F06BA1DE1D7@ve7jtb.com>
References: <0d90fcf0-0ec7-448c-d0ad-0385062400b9@KingsMountain.com> <06A6B2F5-9026-4B30-A099-EB3B8F8AEFB4@ve7jtb.com> <CACdeXi+3dnOcnWffc3wP2WMs3VhWGcmvG2StXKM1JZ8bMVebgQ@mail.gmail.com> <0A2CF74F-D5FE-48EF-B9AC-0F06BA1DE1D7@ve7jtb.com>
From: Nick Harper <nharper@google.com>
Date: Wed, 15 Feb 2017 15:49:58 -0800
Message-ID: <CACdeXiJobbVzGr13-FO4YmO8r3Jmsc_y4Lp1ME_sA1MwZtThPg@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/dRdgOwi5EFK7YvDV9rlkrfeKYus>
Cc: IETF TokBind WG <unbearable@ietf.org>, =JeffH Hodges <Jeff.Hodges@kingsmountain.com>
Subject: Re: [Unbearable] sec-token-binding header in the wild
I'm using the network tab of chrome's built-in dev tools to view the headers (Ctrl+Shift+I, or kebab menu > more tools > developer tools). As long as the flag is flipped in chrome://flags, it should be negotiating token binding, but I don't know how that extension might be interfering.

On Wed, Feb 15, 2017 at 3:46 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> I tried 56.0.2924.87 and 58.0.3013.0 OSX and 58,0,3007 (ChromeOS) with no luck.
>
> It might be the extension to capture headers that is messing me up.
>
> What are you using? I used the HTTP trace extension.
>
> John B.
>
> On Feb 15, 2017, at 8:36 PM, Nick Harper <nharper@google.com> wrote:
>
> I see the sec-token-binding header for both www.google.com and www.chromium.org from chrome on os x (version 56.0.2924.87).
>
> On Wed, Feb 15, 2017 at 3:29 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
>> Strange I see them on both sites with Edge.
>>
>> With chrome on osx and windows I am not seeing them after turning on the flag and restarting.
>>
>> I don't know if the header capture is messing with it somehow.
>>
>> Google.cl negotiated TB with Edge.
>>
>> John B.
>>
>> > On Feb 15, 2017, at 6:12 PM, =JeffH <Jeff.Hodges@KingsMountain.com> wrote:
>> >
>> > fyi/fwiw...
>> >
>> > target: https://www.chromium.org/
>> >
>> > sec-token-binding:AIkAAgBBQMaFRvLPy1uUBZer64ZluK8oBJ8kpcnO84kmCX29demwilh57_4gqlqRLBcZ_dh8x9KdN6TQQZWciZlGmhZp3sUAQFWhQBmwYSLGqlQ59KCOsYpn7Ex1dB_L5bAUTdEjd98Y5CY7NY6aczxi2gC7I6xEMAC4tONGdNOjoALTLt72REUAAA
>> >
>> > I used the built-in chrome developer tools to examine the request headers and obtain the above STB
>> >
>> > [ innarestingly enuff, if one targets https://www.google.com/, it seems developer tools only displays the below...
>> >
>> > Provisional headers are shown
>> > Referer:https://www.google.com/
>> > User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
>> > ]
>> >
>> > _______________________________________________
>> > Unbearable mailing list
>> > Unbearable@ietf.org
>> > https://www.ietf.org/mailman/listinfo/unbearable
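The thread only looks at whether the Sec-Token-Binding header shows up in the browser's dev tools. As an added example (not code from the list, from Chrome, or from any tokbind implementation), the parser below takes the header value =JeffH quoted for https://www.chromium.org/ and decodes it into the TokenBindingMessage structure: one TokenBinding with its type, key parameters, the EC point of the key, the signature, and the extensions vector. The sample constant is that quoted value with the mail client's line wrapping removed; the structure and enumeration values follow RFC 8471. The stdlib-only P-256 check is an assumption of this example, not part of the protocol, and the parser deliberately does not verify the signature: that signature covers the TLS exported keying material, which only the TLS endpoint that negotiated token binding possesses.

```python
import base64

# Constructed sample: the Sec-Token-Binding value quoted in the thread for
# https://www.chromium.org/, with the mail client's line wrapping removed.
SAMPLE_HEADER = (
    "AIkAAgBBQMaFRvLPy1uUBZer64ZluK8oBJ8kpcnO84"
    "kmCX29demwilh57_4gqlqRLBcZ_dh8x9KdN6TQQZWciZlGmhZp3sUAQFWhQB"
    "mwYSLGqlQ59KCOsYpn7Ex1dB_L5bAUTdEjd98Y5CY7NY6aczxi2gC7I6xEMA"
    "C4tONGdNOjoALTLt72REUAAA"
)

# Enumerations from RFC 8471 (same values as the 2017 tokbind protocol draft).
TB_TYPES = {0: "provided_token_binding", 1: "referred_token_binding"}
KEY_PARAMS = {0: "rsa2048_pkcs1.5", 1: "rsa2048_pss", 2: "ecdsap256"}

# NIST P-256 domain parameters, used only for a sanity check of an ecdsap256 point
# (the curve check is this example's own addition, not part of the protocol).
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


class TokenBindingParseError(ValueError):
    """Raised when the header value is not a well-formed TokenBindingMessage."""


def b64url_decode(value):
    # The header carries base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def _take(buf, pos, n):
    if pos + n > len(buf):
        raise TokenBindingParseError("truncated at offset %d" % pos)
    return buf[pos:pos + n], pos + n


def _vector(buf, pos, len_size, lo, hi):
    # TLS-style variable-length vector: length prefix of len_size bytes, bounded to lo..hi.
    raw, pos = _take(buf, pos, len_size)
    n = int.from_bytes(raw, "big")
    if not lo <= n <= hi:
        raise TokenBindingParseError("vector length %d outside %d..%d" % (n, lo, hi))
    return _take(buf, pos, n)


def parse_token_binding_id(buf, pos):
    # TokenBindingID: key_parameters (1 byte), uint16 key_length, then key_length bytes of key.
    kp_raw, pos = _take(buf, pos, 1)
    kp = kp_raw[0]
    if kp not in KEY_PARAMS:
        raise TokenBindingParseError("unknown key_parameters %d" % kp)
    key_bytes, pos = _vector(buf, pos, 2, 1, 65535)
    tbid = {"key_parameters": KEY_PARAMS[kp]}
    if kp == 2:
        # TB_ECPoint: opaque point<1..2^8-1> holding x || y (32 bytes each), no 0x04 prefix.
        point, end = _vector(key_bytes, 0, 1, 1, 255)
        if end != len(key_bytes) or len(point) != 64:
            raise TokenBindingParseError("malformed TB_ECPoint")
        tbid["x"] = int.from_bytes(point[:32], "big")
        tbid["y"] = int.from_bytes(point[32:], "big")
    else:
        # RSAPublicKey: opaque modulus<1..2^16-1>; opaque publicexponent<1..2^8-1>.
        modulus, end = _vector(key_bytes, 0, 2, 1, 65535)
        exponent, end = _vector(key_bytes, end, 1, 1, 255)
        if end != len(key_bytes):
            raise TokenBindingParseError("malformed RSAPublicKey")
        tbid["n"] = int.from_bytes(modulus, "big")
        tbid["e"] = int.from_bytes(exponent, "big")
    return tbid, pos


def parse_token_binding(buf, pos):
    # TokenBinding: tokenbinding_type, TokenBindingID, signature<64..2^16-1>, extensions<0..2^16-1>.
    t_raw, pos = _take(buf, pos, 1)
    if t_raw[0] not in TB_TYPES:
        raise TokenBindingParseError("unknown tokenbinding_type %d" % t_raw[0])
    tbid, pos = parse_token_binding_id(buf, pos)
    signature, pos = _vector(buf, pos, 2, 64, 65535)
    extensions, pos = _vector(buf, pos, 2, 0, 65535)
    return {"type": TB_TYPES[t_raw[0]], "id": tbid,
            "signature": signature, "extensions": extensions}, pos


def parse_token_binding_message(header_value):
    """Return the list of TokenBinding structures carried by a Sec-Token-Binding value."""
    buf = b64url_decode(header_value)
    # TokenBindingMessage: tokenbindings<132..2^16-1>; nothing may follow the vector.
    body, end = _vector(buf, 0, 2, 132, 65535)
    if end != len(buf):
        raise TokenBindingParseError("%d trailing bytes" % (len(buf) - end))
    bindings, pos = [], 0
    while pos < len(body):
        tb, pos = parse_token_binding(body, pos)
        bindings.append(tb)
    return bindings


def on_p256_curve(x, y):
    # y^2 == x^3 - 3x + b (mod p): a cheap check that the client sent a point on the curve.
    return (0 < x < P256_P and 0 < y < P256_P
            and (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0)


if __name__ == "__main__":
    for tb in parse_token_binding_message(SAMPLE_HEADER):
        print(tb["type"], tb["id"]["key_parameters"],
              "sig=%d bytes" % len(tb["signature"]), "ext=%d bytes" % len(tb["extensions"]))
        if "x" in tb["id"]:
            print("point on P-256:", on_p256_curve(tb["id"]["x"], tb["id"]["y"]))
```

Run as a script it reports a single provided_token_binding with an ecdsap256 key, a 64-byte signature and no extensions, which is exactly what a Chrome client of that era would send. A server that receives this header should treat a parse failure, an unknown key type, or a point off the curve as a reason to ignore the binding rather than to fail the request, and must still verify the signature against its own TLS exporter value before binding any cookie or token to the key.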