IETF Logo Mail Archive

Re: [Uta] Comments on STS Strict Transport Security

Daniel Margolis <dmargolis@google.com> Tue, 22 March 2016 11:46 UTC

Return-Path: <dmargolis@google.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F1CA12D1C9 for <uta@ietfa.amsl.com>; Tue, 22 Mar 2016 04:46:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9p51nsXbgKEM for <uta@ietfa.amsl.com>; Tue, 22 Mar 2016 04:46:41 -0700 (PDT)
Received: from mail-ig0-x231.google.com (mail-ig0-x231.google.com [IPv6:2607:f8b0:4001:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D75912D1D3 for <uta@ietf.org>; Tue, 22 Mar 2016 04:46:41 -0700 (PDT)
Received: by mail-ig0-x231.google.com with SMTP id ig19so103764212igb.0 for <uta@ietf.org>; Tue, 22 Mar 2016 04:46:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=NW882D0Sj8FZNbsE1cBLFBftZ3qdxgULcD+DC9/c4g0=; b=AEcbuES4NWXSxgLVTCktv6+7+vjKKyla/ItjCrh30wbsRUQQa9M9R+CrsH/VgyVE1u YEyAZb2Tq3+fM//ijFTY/m+toRsIRU3E2GhBNWafsgql5Amb3qV+MkVotDRw5A4UFnQm p1j1E8zwAUAdJCPbc+GR7EcewXMJbXubKxKqtLgjc+xTYAimqaAH/m8S6zsrDTipp3oh AOyuF62Z55Ecv52yXoHw41YspGGg7EtHJdjnXqlCxH/CqTB1QzXVJNqCJJVXOffzwDYy XksnH8Fda4nciiiIwn1+onvjvHQWcgKUBAVxod2IYBfDMlqq8wYlVMPeiJY2fDFERXHg XAbQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=NW882D0Sj8FZNbsE1cBLFBftZ3qdxgULcD+DC9/c4g0=; b=AJJX3Ez/omo47w5lJcJy8w2LmU8HSxQZ/h3+X9Nah+A+jsFRxz2EZ5jSBnwjQBe2v7 VFazXbPIyNvmnWAjzc/AIubvdKpHnRm/g+O4lUReY47/DdIplQOqMYfrrbQJZh/zZZ/o C8H3pViuM6BMPMsC4PkXUWCsUYGxQA5wLoSV3m4D/10WIDYxfCmpSYYJ3TWxkRxSQcCV m2rB7Py4QNNapKCVORK/ZwQ951mIFGfk13LpG3xFqWMJNNlLom8HDB7MFLDp9J8L6DbM NSybwEcM77oADbuPW+/pGR2s9pR6hLOWmb567F3NFnL8nNOCUvcpgGDLEwwT8VTqtcw/ af2Q==
X-Gm-Message-State: AD7BkJL9M0z5R1Ca2sw97u9gIO25kqi1Ei19y7oJxXbHXKF7I8e06ELuaRB0JRlxMXyCBroBzkNO0xODdXaU9d5G
MIME-Version: 1.0
X-Received: by 10.50.79.135 with SMTP id j7mr18109839igx.84.1458647200438; Tue, 22 Mar 2016 04:46:40 -0700 (PDT)
Received: by 10.64.251.136 with HTTP; Tue, 22 Mar 2016 04:46:40 -0700 (PDT)
In-Reply-To: <656BD8D0-E792-4DC5-9BF1-C60DA0B9476E@noware.co.uk>
References: <4ED52982-CB5A-434F-A9F5-ED652486436D@noware.co.uk> <CANtKdUfLEqc-Mf76U0eZ82pMmLMsYqANPyK9Jh2MsEpZr+E96w@mail.gmail.com> <656BD8D0-E792-4DC5-9BF1-C60DA0B9476E@noware.co.uk>
Date: Tue, 22 Mar 2016 12:46:40 +0100
Message-ID: <CANtKdUcRgmmjk+YEbXG=MfW79mt4t6h6V0bLzaNcZDyWvBmbZg@mail.gmail.com>
From: Daniel Margolis <dmargolis@google.com>
To: Neil Cook <neil.cook@noware.co.uk>
Content-Type: multipart/alternative; boundary="089e0122a7543c94cf052ea1c4b1"
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/Gp3ARdFF58OrFsLWAHPZaiCyeSE>
Cc: uta@ietf.org
Subject: Re: [Uta] Comments on STS Strict Transport Security
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2016 11:46:44 -0000

Right. to=true is what we mean by "reject." We should probably clarify
this. (As you can imagine, there have been a lot of revisions to the
syntax, so, you know, my apologies for old terminology that was not updated
adequately and so forth! A fresh set of eyes really helps here.)

We should be explicit that reports can be sent even when "to" is "true." I
will add this to my to-do list. ;)

Thanks again.

On Tue, Mar 22, 2016 at 11:56 AM, Neil Cook <neil.cook@noware.co.uk> wrote:

> Thanks for the clarification on step 4.
>
> However I’m still confused by the language "Enforced: In this mode,
> sending MTAs SHOULD treat STS policy failures, in which the policy action
> is “reject”"
>
> I may be missing something obvious, but I don’t see any way to specify a
> policy action of “reject” in the draft. The only thing I see is the “to”
> field, which I guess implicitly sets the policy action to “reject” if it is
> set to “true". If so, then the draft language should just refer to the “to”
> field being true rather than refer to a policy action of “reject”.
>
> Also, “to: TLS-Only (plain-text, required).  If "true," the receiving MTA
>       requests that messages be delivered only if they conform to the
>       STS policy.  If "false," the receiving MTA requests that failure
>       reports be delivered, as specified by the "rua" parameter."
>
> Although the above doesn’t explicitly state it, I presume reports can be
> sent even when “to” is set to “true”? If so the draft should be explicit
> about this. If not, why not?
>
> Neil
>
> On 22 Mar 2016, at 11:24, Daniel Margolis <dmargolis@google.com> wrote:
>
> Heh, thanks for the feedback.
>
> I will try to make sure we used consistent language. In specifics, my
> intended meanings:
>
> * authentication: determining that the policy is published by the domain
> owner (either because it was delivered over DNSSEC or because it was
> delivered over HTTPS with a trusted cert)
> * validation: on a given mail delivery attempt, determining that the MX is
> the "right" MX (i.e. that its identity and certificate match what the
> authenticated policy specifies)
> * application: determining what to do when a policy validates or does not
> validate (the latter of course being the interesting case)
>
> "Application" is more than just "validation" for two reasons. First,
> because a policy might be "report only" and thus a failure to validate does
> not result in a delivery failure. Second, because of this slightly
> complicated dance to get the latest policy in the case of a failure.
>
> The central idea here is that if a policy fails to validate on a given
> delivery attempt, the sender should try to get a new *authenticated* policy
> to ensure it's using the most up-to-date revision. This allows recipients
> to set a long expiration on the policy without chaining themselves to their
> current MX records, provider, etc. So this answers your question of when
> senders will see the new policy: they will refresh the policy if the old
> policy is no longer valid.
>
> An attacker who can present a valid policy (by e.g. controlling both DNS
> and a valid CA-signed cert for the recipient domain) can typically do a lot
> of other nasty things as well, like MITM client connections to the IMAP or
> webmail server, so we consider this attack out of scope for now (though
> potentially a good application of public key pinning, CT, or similar).
>
> In the section you quote from 3.3, I think that should refer to
> "authentication", not "validation." :)
>
> Dan
>
> On Tue, Mar 22, 2016 at 10:12 AM, Neil Cook <neil.cook@noware.co.uk>
> wrote:
>
>> Some feedback on this draft:
>>
>> 1) The language around policy authentication vs validation vs application
>> is very confusing to me. The terms “authentication” and “validation” seem
>> to be used in a variety of contexts with different meanings.
>>
>> For example in "3.3.  Policy Authentication"
>>
>>    The security of a domain implementing an SMTP STS policy against an
>>    active man-in-the-middle depends primarily upon the long-lived
>>    caching of policies.  However, to allow recipient domains to safely
>>    serve new policies _prior_ to the expiration of a cached policy, and
>>    to prevent long-term (either malicious or active) denials of service,
>>    it is important that senders are able to validate a new policy
>>    retrieved for a recipient domain.  There are two supported mechanisms
>>    for policy validation:
>>
>> So the draft talks about authentication, and then immediately starts
>> talking about being able  to “validate” new policies. I think this should
>> be “authenticate”.
>>
>>    When fetching a new policy when one is not already known, or when
>>    fetching a policy for a domain with an expired policy,
>>    unauthenticated policies MUST be trusted and honoured.
>>
>> Back to the use of “unauthenticated” here. Even though authentication
>> hasn’t really been defined yet, or least distinguished from validation.
>>
>> When fetching  a policy and authenticating it, as described in detail in
>> _Policy_
>>    _Application_, policies will be authenticated using the mechanism
>>    specified by the existing cached policy.
>>
>> And here.
>>
>>    Note, however, as described in detail in _Policy_ _Application_, that
>>    new policies MUST NOT be considered as valid if they do not validate
>>    on first application.  That is, a freshly fetched (and unused) policy
>>    that has not successfully been applied MUST be disregarded.
>>
>> Here validation seems be being used as meaning “parsing and applying
>> successfully”.
>>
>> Also, it’s confusing to me that this paragraph talk about policy
>> validation, but instead refers the reader to the “Policy Application”
>> section, rather than the “Policy Validation” section.
>>
>> I think the terms should be used as follows (and please correct me if I’m
>> misunderstanding the draft):
>>
>> - “authentication” refers to the concept of “trusting” that a retrieved
>> policy is the policy actually intended by the remote domain and not a
>> malicious policy inserted through DNS spoofing or whatever, and should be
>> used in the this context. Since STS is ‘trust-on-first-use’, this means
>> that authentication is normally a no-op, except in the case of retrieving a
>> new policy when a cached policy is already in operation.
>> I’d like to see the section on Policy Authentication reworded so that
>> this is clearer, by moving the language "When fetching a new policy when
>> one is not already known…” to the start of this section, and stating that
>> such policies are thus implicitly authenticated. Explicit authentication
>> happens when a new policy is retrieved and authenticated according to the
>> two mechanisms shown in “Policy Authentication”, based on the “a" field
>> from the already cached policy.
>>
>> - The section “Policy Validation” actually refers to certificate
>> validation, based on the “c” field in the cache policy. This seems to be
>> different to policy validation to me, which should mean a well-formed and
>> parseable policy. The section “Policy Validation” actually seems to me to
>> just be the first step in policy “application”.
>>
>> - “application” should refer to the process of applying an authenticated
>> and valid policy.
>>
>> 2) The logic as to when to use the “authentication” mechanism as
>> described by the “a” field seems strange to me. The draft states that
>> policies should be cached until the expiration time (which is implicitly
>> the longer of the TTL and the “e” field). It also states that the only time
>> the authentication method specified in the “a” field should be used is when
>> the applied policy is invalid and the policy specifies rejection (step 4 of
>> Policy Application).
>> The draft also states:
>>    With these two mechanisms and the procedure specified in step 4,
>>    recipients who publish a policy have, in effect, a means of updating
>>    a cached policy at arbitrary intervals
>>
>> I don’t get this, because it seems to me that if a domain with a valid
>> policy wishes to change their policy *before* the end of the expiration
>> period, then nobody will see that new policy until *after* the expiration
>> period because sending MTAs will cache the policy until after the
>> expiration period, and should never invoke step 4 because they shouldn’t
>> see a validation failure and/or reject action. This doesn’t seem consistent
>> with “updating a cache policy at arbitrary intervals”?
>>
>> "Understanding the details of step 4 is critical to understanding the
>> behaviour of the system as a whole.”
>>
>> I have to say I don’t understand step 4 at all, so maybe someone can
>> explain it to me? :) The whole authentication system seems designed for a
>> tiny use-case, i.e. validation failure and reject action. If this is
>> designed to stop malicious behaviour, why only concentrate on
>> non-validating policies, surely there are use-cases where an attacker has
>> spoofed the recipient DNS records (cache poisoning etc.) and thus has
>> control over both the DNS STS record and the DNS record for the HTTPS
>> server, and thus could present a valid policy?
>>
>> Neil
>>
>>
>>
>>
>> _______________________________________________
>> Uta mailing list
>> Uta@ietf.org
>> https://www.ietf.org/mailman/listinfo/uta
>>
>>
> _______________________________________________
> Uta mailing list
> Uta@ietf.org
> https://www.ietf.org/mailman/listinfo/uta
>
>
>

v2.23.0 | Report a Bug | By Email