Re: [Webpush] ietf-webpush-encryption - untrusted push services

Martin Thomson <> Tue, 03 November 2015 01:21 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 7F2501ACDF5 for <>; Mon, 2 Nov 2015 17:21:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id t1sKnX3d1tN2 for <>; Mon, 2 Nov 2015 17:21:55 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4002:c07::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 89EAE1ACDB6 for <>; Mon, 2 Nov 2015 17:21:55 -0800 (PST)
Received: by ykft191 with SMTP id t191so2019752ykf.0 for <>; Mon, 02 Nov 2015 17:21:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=PKKI56ViIC0MOZtpSHa8GFSA8wyT7p/6XCCCmQGRz6Y=; b=ZkMckXOKk+kYDE7TdAy63ouA1+6z85nEcc+Z+t2VzSPeCIwBZrzOT85bCZm6890uVm sRbYI6rdIg+FOy44HmWmsHjDAWDaK7G3WWMT0+G4JLGHzDmHZmqoESMtsgSUBWhgMPAc ZV8zID4QuNrF3W7stnmp6ftoIRDt/+gmD+kcA7iwrfkYVfKuZerBFS2NwxE6DRm557Oy 5toqx7Orm/Qnpric9KIzXsegdLHfjDRzmLJqbR2OZd0dUUZK+wc2AovNIzKKvYWSEaCz hirYDlck+OPKawiNQPRjkv2u/Pw8/tSq3jw78D44E5xwOI6LVvmjD7f6ufzCaXeWXzek fGxQ==
MIME-Version: 1.0
X-Received: by with SMTP id t1mr14284550ywf.207.1446513714892; Mon, 02 Nov 2015 17:21:54 -0800 (PST)
Received: by with HTTP; Mon, 2 Nov 2015 17:21:54 -0800 (PST)
In-Reply-To: <>
References: <>
Date: Tue, 3 Nov 2015 10:21:54 +0900
Message-ID: <>
From: Martin Thomson <>
To: Peter Beverloo <>
Content-Type: text/plain; charset=UTF-8
Archived-At: <>
Cc: "" <>
Subject: Re: [Webpush] ietf-webpush-encryption - untrusted push services
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of potential IETF work on a web push protocol <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 03 Nov 2015 01:21:59 -0000

On 2 November 2015 at 16:12, Peter Beverloo <> wrote:
> We don't trust the intermediary. What if they are the attacker?

I agree, this is the most interesting attack.  Requiring https:// as
we do removes most opportunities for all other attackers.

>     (1) There's a possibility of contributory behaviour with other DH
> groups.

I've done my reading on this now and realize that this is (probably) a
bit of a minefield.

...and for the opposing view:

The curve25519 draft doesn't reflect any of this nuance, which I find
interesting. I haven't followed the CFRG discussion, but I did find
this thread:

The concern here is that this protocol depends on contributory
behaviour.  That's a valid concern.  At a minimum, we should consider
having some considerations on this.

A perhaps better approach would be to change the key derivation to
remove the dependency on contributory behaviour.  I need to think
about that a little.  This is a subject that needs to be addressed in
the http working group soon.

> Since P-256 is a prime-ordered group this doesn't apply today, but it would
> be a subtle issue if we were to change curves.

Yes, 25519.

>     (2) The client is vulnerable to DoS attacks.

If the push service is the attacker, then they have much better DoS
options available than what you describe, especially for a
battery-powered device.