Re: [Unbearable] HTTPS Token Binding with TLS Terminating Reverse Proxies

Piotr Sikora <piotrsikora@google.com> Mon, 17 July 2017 11:18 UTC

From: Piotr Sikora <piotrsikora@google.com>
Date: Mon, 17 Jul 2017 13:18:02 +0200
Message-ID: <CAF-CG+JOZCsgxdKH+c6GCMuuh_kDL30chvLHxZQ1+UJPJ1Zxew@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: IETF Tokbind WG <unbearable@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/xukBNqt9XZhn10EjLJu7v-yZ-Qs>

Hey Brian,
from the CDN point of view, all backend servers are untrusted, but I
don't see any reason why CDNs shouldn't forward
Provided-Token-Binding-ID to the origin servers.

Also, Token Binding is supposed to protect Cookies (among other
things), which don't have such restriction, so this seems unnecessary.

Best regards,
Piotr Sikora

On Mon, Jul 17, 2017 at 12:53 PM, Brian Campbell
<bcampbell@pingidentity.com> wrote:
> To be honest, I didn't have a specific attack vector or security/privacy
> implication in mind around that. It just seemed like something that should
> generally be part of reverse proxy set up. Do you think it's too
> restrictive/perspective? Or do you know of some use-case where a reverse
> proxy wouldn't know/trust the servers that it sits in front of?
>
> On Mon, Jul 17, 2017 at 12:37 PM, Piotr Sikora <piotrsikora@google.com>
> wrote:
>>
>> Hey Brian,
>> looks good, thanks for working on that!
>>
>> One question:
>>
>> >   Reverse proxies SHOULD only add the headers to requests that are
>> >   forwarded to trusted backend servers.
>>
>> Why? What's the attack vector, security and/or privacy implications here?
>>
>> Best regards,
>> Piotr Sikora
>>
>> On Fri, Jul 14, 2017 at 6:59 PM, Brian Campbell
>> <bcampbell@pingidentity.com> wrote:
>> > Just a not-so-subtle reminder that HTTPS Token Binding with TLS
>> > Terminating Reverse Proxies is one of the agenda items for Monday's
>> > meeting in Prague and it would be great if there was some familiarity
>> > with it going into the meeting. It's relatively short as drafts go, if
>> > you're looking for something to read en route to the meeting:
>> > https://tools.ietf.org/html/draft-campbell-tokbind-ttrp-00
>> >
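The discussion above is about when a TLS-terminating reverse proxy should attach Provided-Token-Binding-ID to a forwarded request. The following is an added example, not code from the draft or from either poster, showing the header-handling decision a proxy makes: drop any copy of the header the client sent (only the proxy may assert it), then add it only when the proxy itself validated a Token Binding on the client connection and the backend is on an operator-maintained trust list. The backend hostnames, the trust set and the base64url-without-padding encoding of the TokenBindingID are assumptions made for the example.

```python
import base64
from typing import Dict, Mapping, Optional

# Header name discussed in the thread (draft-campbell-tokbind-ttrp).
PROVIDED_TB_HEADER = "Provided-Token-Binding-ID"

# Constructed example: backends the proxy operator trusts with the
# token-binding header. Hostnames are placeholders, not real systems.
TRUSTED_BACKENDS = {"origin-a.example.internal", "origin-b.example.internal"}


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding (assumed encoding of the header value)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def headers_to_forward(client_headers: Mapping[str, str],
                       validated_tb_id: Optional[bytes],
                       backend: str,
                       trusted_backends=TRUSTED_BACKENDS) -> Dict[str, str]:
    """Return the headers the proxy should send on to `backend`.

    validated_tb_id is the TokenBindingID the proxy verified at its own TLS
    layer, or None if the client did not negotiate Token Binding.
    """
    # 1. Never pass through a client-supplied Provided-Token-Binding-ID:
    #    the header is a proxy-to-backend assertion, so an inbound copy is
    #    spoofing, whatever case the client wrote the name in.
    out = {k: v for k, v in client_headers.items()
           if k.lower() != PROVIDED_TB_HEADER.lower()}
    # 2. Add the header only for a validated binding and a trusted backend,
    #    which is the SHOULD that the thread is questioning.
    if validated_tb_id is not None and backend in trusted_backends:
        out[PROVIDED_TB_HEADER] = b64url_nopad(validated_tb_id)
    return out


if __name__ == "__main__":
    # Constructed request: the client tries to inject its own binding ID.
    inbound = {"Host": "www.example.com",
               "provided-token-binding-id": "attacker-chosen"}
    print(headers_to_forward(inbound, b"\x00\x01", "origin-a.example.internal"))
    print(headers_to_forward(inbound, b"\x00\x01", "cdn-edge.example.net"))
```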