Re: [websec] Decouple HSTS's two orthogonal effects?
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 29 March 2011 19:21 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: websec@core3.amsl.com
Delivered-To: websec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1C97E3A6A2A for <websec@core3.amsl.com>; Tue, 29 Mar 2011 12:21:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.044
X-Spam-Level:
X-Spam-Status: No, score=-2.044 tagged_above=-999 required=5 tests=[AWL=0.555, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s-B2IzO29eLr for <websec@core3.amsl.com>; Tue, 29 Mar 2011 12:21:05 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by core3.amsl.com (Postfix) with ESMTP id 883603A693C for <websec@ietf.org>; Tue, 29 Mar 2011 12:21:05 -0700 (PDT)
Received: from [192.168.13.75] (lair.fifthhorseman.net [216.254.116.241]) by che.mayfirst.org (Postfix) with ESMTPSA id 76BF6F975 for <websec@ietf.org>; Tue, 29 Mar 2011 15:22:42 -0400 (EDT)
Message-ID: <4D92317B.6020804@fifthhorseman.net>
Date: Tue, 29 Mar 2011 15:22:35 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.15) Gecko/20110309 Icedove/3.1.9
MIME-Version: 1.0
To: websec@ietf.org
X-Enigmail-Version: 1.1.2
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="------------enig6E0C0622258EE01E10E8ECB2"
Subject: Re: [websec] Decouple HSTS's two orthogonal effects?
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: websec@ietf.org
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2011 19:21:07 -0000
(sorry for breaking the thread -- i'm only recently subscribed, and i don't see a way to extract the message-id from the archives: https://www.ietf.org/mail-archive/web/websec/current/msg00282.html so i can't add a References: header) FWIW, the coupling of the two orthogonal requirements for HSTS has the effect of further entrenching the current (broken) CA model by making it more difficult for alternate certificate verification models (e.g. TOFU, corroborative certification, etc) to work with HSTS-enabled sites. For example, the monkeysphere project (i'm a contributor to it) is now seeing difficulty providing alternate certificate verification on HSTS-enabled sites: https://labs.riseup.net/code/issues/2852 As a monkeysphere developer, as someone interested in security on the 'net, and as someone critical of the social/economic dynamics of the current CA cartel, i think that the tight coupling of the two orthogonal effects within HSTS has an overall negative effect. Concretely, it makes it *more* difficult for security-conscious users to remove known-sloppy CAs from their trusted-root lists, whether they choose to rely on a TOFU approach, Perspectives-style notaries, corroborative certification via OpenPGP, etc. HSTS can do a lot of good just by fixing the trivial protocol-downgrade (HTTPS->HTTP, e.g. sslstrip, cookie-stealing via spoofed plaintext img src, etc) attack for sites that indicate it. By forcing websites to also buy into (and thereby support) the CA cartel, we're asking site operators to decide on a tradeoff between (a) losing protection against protocol downgrade and (b) encouraging their users to rely on a known-insecure cartel. I think this is a poor tradeoff, and would like to see these choices de-coupled. If there is no consensus about de-coupling the effects in HSTS directly, I'd like to propose an additional STS directive: ; defined STS directives STS-d-cur = maxAge / includeSubDomains would become ; defined STS directives STS-d-cur = maxAge / includeSubDomains / alternateCertModels The presence of the alternateCertModels directive would allow User Agents to validate the certificate via other means than the traditional (vulnerable) X.509 chaining to the weakest-link-of-the-huge-pile-of-root-CAs (e.g. via existing user-driven certificate exceptions or browser extensions relying on the same mechanism). Any thoughts? --dkg
- [websec] Decouple HSTS's two orthogonal effects? Matt McCutchen
- Re: [websec] Decouple HSTS's two orthogonal effec… Tom Ritter
- Re: [websec] Decouple HSTS's two orthogonal effec… Devdatta Akhawe
- Re: [websec] Decouple HSTS's two orthogonal effec… Tobias Gondrom
- Re: [websec] Decouple HSTS's two orthogonal effec… =JeffH
- Re: [websec] Decouple HSTS's two orthogonal effec… Daniel Kahn Gillmor
- Re: [websec] Decouple HSTS's two orthogonal effec… Yoav Nir
- Re: [websec] Decouple HSTS's two orthogonal effec… Adam Barth
- Re: [websec] Decouple HSTS's two orthogonal effec… Tom Ritter
- Re: [websec] Decouple HSTS's two orthogonal effec… Adam Barth
- Re: [websec] Decouple HSTS's two orthogonal effec… Daniel Kahn Gillmor
- Re: [websec] Decouple HSTS's two orthogonal effec… Adam Barth
- Re: [websec] Decouple HSTS's two orthogonal effec… Phillip Hallam-Baker