IETF Logo Mail Archive

Re: [websec] HPKP and preloaded pin lists

Yoav Nir <ynir@checkpoint.com> Sun, 23 June 2013 06:19 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E185321E80A6 for <websec@ietfa.amsl.com>; Sat, 22 Jun 2013 23:19:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.607
X-Spam-Level:
X-Spam-Status: No, score=-10.607 tagged_above=-999 required=5 tests=[AWL=-0.009, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JdxlDS9Wzy3A for <websec@ietfa.amsl.com>; Sat, 22 Jun 2013 23:19:16 -0700 (PDT)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id C473321E8098 for <websec@ietf.org>; Sat, 22 Jun 2013 23:19:15 -0700 (PDT)
Received: from IL-EX10.ad.checkpoint.com ([194.29.34.147]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id r5N6IxZi003872; Sun, 23 Jun 2013 09:19:13 +0300
X-CheckPoint: {51C69353-0-1B221DC2-1FFFF}
Received: from DAG-EX10.ad.checkpoint.com ([169.254.3.48]) by IL-EX10.ad.checkpoint.com ([169.254.2.180]) with mapi id 14.02.0342.003; Sun, 23 Jun 2013 09:19:06 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: Trevor Perrin <trevp@trevp.net>
Thread-Topic: [websec] HPKP and preloaded pin lists
Thread-Index: AQHObfqEiA/KHYgBZ06jXAOOxwUP7plCpOmA
Date: Sun, 23 Jun 2013 06:19:06 +0000
Message-ID: <07A8CBC1-D1D7-4C08-A53C-245D60D251F3@checkpoint.com>
References: <CAGZ8ZG1iyKVB4y7V_1VxThXJWv5BD2Sy0S8dvqzVU=6Tj1sdSg@mail.gmail.com>
In-Reply-To: <CAGZ8ZG1iyKVB4y7V_1VxThXJWv5BD2Sy0S8dvqzVU=6Tj1sdSg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.20.74]
x-kse-antivirus-interceptor-info: protection disabled
x-cpdlp: 1174cb14e16761ce7f755737e6ffef1c40715bbf32
Content-Type: multipart/alternative; boundary="_000_07A8CBC1D1D74C08A53C245D60D251F3checkpointcom_"
MIME-Version: 1.0
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] HPKP and preloaded pin lists
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Jun 2013 06:19:24 -0000

I think remembering the nullified and expired pins for max-max-age adds complexity. It's fine to do, but we shouldn't require it.

A website that issues a bad pin for 30 days has to live with the consequences of that pin for all of those 30 days. Getting a pre-loaded pin list could save you and unpin a particular client, but that can turn on you and bite you and pin a client that had not been pinned before. I think that on balance it is still better to get the pins from a crawler. Maybe the crawlers should have some web interface that allows someone (the website administrator in this case) to request that a particular server be scanned (much like SSL-pulse has)

So knowing that there is a chance for both good and bad interactions with pre-loaded pins, and that the damage is anyway limited by max-max-age, I think we should leave it to implementations rather than add mandates.

Yoav (with no hats)

On Jun 21, 2013, at 12:09 AM, Trevor Perrin <trevp@trevp.net<mailto:trevp@trevp.net>> wrote:


Hi,

I'm not sure I understand section 2.7 on "Interactions With Preloaded Pin Lists".

At first glance it seems clear:  Both preloaded and dynamic pins MUST store the "Effective Pin Date" when the pin was most recently observed, and browsers MUST use only the most recent information.  E.g.:

T10 - Crawler notes a pin for "example.com<http://example.com/>"
T15 - Browser notes a different pin for "example.com<http://example.com/>"
T20 - Crawler sends preloaded pin to Browser

In this case, the browser MUST ignore the preloaded pin, and only apply the pin it noted at T15.

But what if the browser-noted pin has a max-age of 0 or 1?  Or what if the T15 connection occurs over a secure transport but has no PKP header?  The spec says:

"If the result of noting a Valid Pinning Header is to disable pinning for the host, such as through supplying a max-age directive with a value of 0, UAs MUST allow this new information to override any other pinning data.  That is, a host must be able to un-pin itself, even in the presence of built-in pins."

That seems to imply the browser needs to remember "un-pinning" responses it receives (i.e. max-age=0 or no PKP header), and expired pins, on the chance that any of these might "un-pin" a preloaded pin it receives later?


That seems fairly complicated, and rather inflexible (I could imagine a browser might trust its preload data more than dynamic data, and prefer that take precedence).

So what if browsers were simply allowed to apply *either* the preload or dynamic pin, or both?

The browser could choose to apply a complex, time-based algorithm like above, or do something simpler like apply both pins, or let preloads take precedence.

This also allows for implementations which don't need to store either the "Effective Pin Date" (only the expiration time), or "un-pinning" entries.

Thoughts?


Trevor

v2.29.0 | Report a Bug | By Email | System Status