[Uta] Dealing with STARTTLS Stripping
Aaron Zauner <azet@azet.org> Tue, 21 July 2015 20:37 UTC
Return-Path: <azet@azet.org>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 671771B301C for <uta@ietfa.amsl.com>; Tue, 21 Jul 2015 13:37:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0cxOXH-KpzNp for <uta@ietfa.amsl.com>; Tue, 21 Jul 2015 13:37:49 -0700 (PDT)
Received: from mail-wi0-f176.google.com (mail-wi0-f176.google.com [209.85.212.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC5BD1B3015 for <uta@ietf.org>; Tue, 21 Jul 2015 13:37:48 -0700 (PDT)
Received: by wicmv11 with SMTP id mv11so54824270wic.0 for <uta@ietf.org>; Tue, 21 Jul 2015 13:37:47 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:content-type; bh=tl/nljRaC7r4kbDzjmVlKZj/jVVWUi326hMxjOsaMrw=; b=G4Rj7Zvzf0xC1iEKLUEoQWrP/Pfkya3ihJYvQn0RXys7aqvjlev1dM1AivnfxUw8fM uA2DHVn2fv0tXdO5vVqASIxMNbyK8MF2UtsURTaa6TjCVfvDNZJyIKVPOGaeIdnZA3tL 1dfM9MGKCQzomGdm1SYLzGvlZXy8teHJyQ1dv/D3wPQRvb+bmpl1gkwlwjjgH73hee8J VOyzZk92QXK1flqnCIWrdukuxAJGf6YBZVC+4yU/3UdjC4uj4vXUm5gjfKPTbXpLUqps zgPMrgu1BwxpR4z/oUsdmCP2FxbW1Xi3X2s54VrtX2iyCwmAQ4bfCpdZJNAqduo+7sI/ qE8w==
X-Gm-Message-State: ALoCoQnRdhYjrJGZ6wcYbNXmS3kMufaOOJD8LQ+p2yGFUrhFmsTm2lqZdTZR2yvDJx6HojopSIFg
X-Received: by 10.194.246.105 with SMTP id xv9mr71304817wjc.135.1437511067524; Tue, 21 Jul 2015 13:37:47 -0700 (PDT)
Received: from [200.200.100.37] ([194.228.129.228]) by smtp.gmail.com with ESMTPSA id r6sm18511676wiy.13.2015.07.21.13.37.45 for <uta@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 21 Jul 2015 13:37:46 -0700 (PDT)
Message-ID: <55AEAD88.2090601@azet.org>
Date: Tue, 21 Jul 2015 22:37:28 +0200
From: Aaron Zauner <azet@azet.org>
User-Agent: Postbox 3.0.11 (Macintosh/20140602)
MIME-Version: 1.0
To: "uta@ietf.org" <uta@ietf.org>
X-Enigmail-Version: 1.2.3
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="------------enig28F1A5A90F222372AB6B70C0"
Archived-At: <http://mailarchive.ietf.org/arch/msg/uta/nB5Vf_8BRhYR54fNrYn4CeNVh0o>
Subject: [Uta] Dealing with STARTTLS Stripping
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2015 20:37:50 -0000
Hi, During the UTA meeting pinning/HSTS for STARTTLS protocols came up again. I think it's important to discuss how to mitigate active attacks on these protocols. I, too, think this should be separate from the current DEEP draft. I don't believe this should be done via DNS. Just an idea (might not be the most favorable/elegant approach) for e.g. SMTP: SMTP servers could announce an extension 'NOSTRIP'. Where NOSTRIP offers a structure similar to HSTS/HPKP [0][1] which clients cache locally. Instead of re-inventing the wheel for key-pinning specific to STARTTLS protocols we could require use of TLS TACKs instead [2]. In the case of an established plaintext connection the connection must be upgraded via STARTTLS immediately - a valid certificate for the service presented and NOSTRIP information re-queried by the client and thus re-sent by the server. I.e. an attacker could inject NOSTRIP but that would only result in permanent protocol-upgrade or connection failure. What do you guys think? Aaron [0] https://tools.ietf.org/html/rfc6797 [1] https://tools.ietf.org/html/rfc7469 [2] https://datatracker.ietf.org/doc/draft-perrin-tls-tack/
- [Uta] Dealing with STARTTLS Stripping Aaron Zauner
- Re: [Uta] Dealing with STARTTLS Stripping Aaron Zauner
- Re: [Uta] Dealing with STARTTLS Stripping Brotman, Alexander
- Re: [Uta] Dealing with STARTTLS Stripping Aaron Zauner
- Re: [Uta] Dealing with STARTTLS Stripping Viktor Dukhovni
- Re: [Uta] Dealing with STARTTLS Stripping Aaron Zauner
- Re: [Uta] Dealing with STARTTLS Stripping Viktor Dukhovni
- Re: [Uta] Dealing with STARTTLS Stripping Aaron Zauner
- Re: [Uta] Dealing with STARTTLS Stripping Viktor Dukhovni
- Re: [Uta] Dealing with STARTTLS Stripping Aaron Zauner
- Re: [Uta] Dealing with STARTTLS Stripping Brotman, Alexander
- Re: [Uta] Dealing with STARTTLS Stripping Michael Ströder