Re: [Unbearable] sec-token-binding header in the wild

Nick Harper <nharper@google.com> Wed, 15 February 2017 23:37 UTC

From: Nick Harper <nharper@google.com>
Date: Wed, 15 Feb 2017 15:36:44 -0800
Message-ID: <CACdeXi+3dnOcnWffc3wP2WMs3VhWGcmvG2StXKM1JZ8bMVebgQ@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/vYhCrtRetCVgdVGWpyAyjqXPBSM>
Cc: IETF TokBind WG <unbearable@ietf.org>, =JeffH Hodges <Jeff.Hodges@kingsmountain.com>
Subject: Re: [Unbearable] sec-token-binding header in the wild

I see the sec-token-binding header for both www.google.com and
www.chromium.org from Chrome on OS X (version 56.0.2924.87).

On Wed, Feb 15, 2017 at 3:29 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> Strange, I see them on both sites with Edge.
>
> With Chrome on OS X and Windows I am not seeing them after turning on the
> flag and restarting.
>
> I don’t know if the header capture is messing with it somehow.
>
> Google.cl negotiated TB with Edge.
>
> John B.
>
> > On Feb 15, 2017, at 6:12 PM, =JeffH <Jeff.Hodges@KingsMountain.com> wrote:
> >
> > fyi/fwiw...
> >
> > target: https://www.chromium.org/
> >
> > sec-token-binding:AIkAAgBBQMaFRvLPy1uUBZer64ZluK8oBJ8kpcnO84kmCX29demwilh57_4gqlqRLBcZ_dh8x9KdN6TQQZWciZlGmhZp3sUAQFWhQBmwYSLGqlQ59KCOsYpn7Ex1dB_L5bAUTdEjd98Y5CY7NY6aczxi2gC7I6xEMAC4tONGdNOjoALTLt72REUAAA
> >
> > I used the built-in chrome developer tools to examine the request headers and obtain the above STB
> >
> >
> > [ innarestingly enuff, if one targets https://www.google.com/, it seems developer tools only displays the below...
> >
> > Provisional headers are shown
> > Referer:https://www.google.com/
> > User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
> > ]
> >
> > _______________________________________________
> > Unbearable mailing list
> > Unbearable@ietf.org
> > https://www.ietf.org/mailman/listinfo/unbearable
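To make the captured value concrete, here is an added Python parser (not code from the thread, from Chrome or from Edge) that decodes a Sec-Token-Binding header value into its TokenBindingMessage fields, following the wire layout of the tokbind protocol drafts of the time (the same layout RFC 8471 later fixed): a 2-byte message length, then per binding the type, key parameters, 2-byte key length and key, 2-byte signature length and signature, and 2-byte extensions length. It runs over the www.chromium.org value JeffH posted above; the dict field names are mine, and verifying the signature against the TLS exported keying material is a separate step this parser does not attempt.

```python
import base64

# Enumerations from the Token Binding protocol (RFC 8471; same wire layout as the
# tokbind drafts that Chrome 56 and Edge implemented in early 2017).
TB_TYPES = {0: "provided_token_binding", 1: "referred_token_binding"}
KEY_PARAMS = {0: "rsa2048_pkcs1.5", 1: "rsa2048_pss", 2: "ecdsap256"}

def b64url_decode(s):
    # The header carries unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def parse_sec_token_binding(header_value):
    """Parse a Sec-Token-Binding value into a list of TokenBinding dicts.
    Any structural defect (truncation, trailing bytes, inconsistent lengths) raises
    ValueError; a server should then treat the request as unbound, not guess."""
    data = b64url_decode(header_value.strip())
    if len(data) < 2 or int.from_bytes(data[:2], "big") != len(data) - 2:
        raise ValueError("TokenBindingMessage length prefix does not match payload")
    body, pos, bindings = data[2:], 0, []
    while pos < len(body):
        if pos + 4 > len(body):
            raise ValueError("truncated TokenBinding")
        tb_type, key_params = body[pos], body[pos + 1]
        key_len = int.from_bytes(body[pos + 2:pos + 4], "big")
        tbid = body[pos + 1:pos + 4 + key_len]      # key_parameters || key_length || key
        pubkey = body[pos + 4:pos + 4 + key_len]
        if tb_type not in TB_TYPES or key_params not in KEY_PARAMS or len(pubkey) != key_len:
            raise ValueError("bad TokenBindingID")
        if key_params == 2 and (key_len != 65 or pubkey[0] != 64):
            # TB_ECDSAParams: one length byte, then the uncompressed P-256 point x||y (64 bytes)
            raise ValueError("bad ecdsap256 point encoding")
        pos += 4 + key_len
        sig_len = int.from_bytes(body[pos:pos + 2], "big")
        signature = body[pos + 2:pos + 2 + sig_len]
        if sig_len < 64 or len(signature) != sig_len:
            raise ValueError("bad signature length")
        pos += 2 + sig_len
        ext_len = int.from_bytes(body[pos:pos + 2], "big")
        extensions = body[pos + 2:pos + 2 + ext_len]
        if len(body[pos:pos + 2]) != 2 or len(extensions) != ext_len:
            raise ValueError("bad extensions length")
        pos += 2 + ext_len
        bindings.append({"type": TB_TYPES[tb_type], "key_parameters": KEY_PARAMS[key_params],
                         "token_binding_id": tbid, "public_key": pubkey[1:] if key_params == 2 else pubkey,
                         "signature": signature, "extensions": extensions})
    return bindings

# The Sec-Token-Binding value JeffH captured from Chrome 56 against www.chromium.org (quoted above).
CHROMIUM_STB = ("AIkAAgBBQMaFRvLPy1uUBZer64ZluK8oBJ8kpcnO84kmCX29demwilh57_4gqlqRLBcZ_dh8x9KdN6TQQZWciZlGmhZp3sUAQFW"
                "hQBmwYSLGqlQ59KCOsYpn7Ex1dB_L5bAUTdEjd98Y5CY7NY6aczxi2gC7I6xEMAC4tONGdNOjoALTLt72REUAAA")
```

Parsing the captured value yields a single provided_token_binding with ecdsap256 key parameters, a 64-byte P-256 point, a 64-byte signature and no extensions, which is what a Chrome 56 client with the flag enabled was expected to send.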