IETF Logo Mail Archive

Re: [websec] handling STS header field extendability

"Hill, Brad" <bhill@paypal-inc.com> Mon, 13 August 2012 21:31 UTC

Return-Path: <bhill@paypal-inc.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02E8021F84E4 for <websec@ietfa.amsl.com>; Mon, 13 Aug 2012 14:31:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.117
X-Spam-Level:
X-Spam-Status: No, score=-9.117 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, DNS_FROM_RFC_BOGUSMX=1.482, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xmyl+1fUsTd4 for <websec@ietfa.amsl.com>; Mon, 13 Aug 2012 14:31:20 -0700 (PDT)
Received: from den-mipot-002.corp.ebay.com (den-mipot-002.corp.ebay.com [216.113.175.153]) by ietfa.amsl.com (Postfix) with ESMTP id 1454521F84B9 for <websec@ietf.org>; Mon, 13 Aug 2012 14:31:17 -0700 (PDT)
DomainKey-Signature: s=ppinc; d=paypal-inc.com; c=nofws; q=dns; h=X-EBay-Corp:X-IronPort-AV:Received:Received:From:To:CC: Subject:Thread-Topic:Thread-Index:Date:Message-ID: References:Accept-Language:Content-Language: X-MS-Has-Attach:X-MS-TNEF-Correlator:x-originating-ip: x-ems-proccessed:x-ems-stamp:Content-Type: Content-Transfer-Encoding:MIME-Version:X-CFilter; b=uCE/fOEDNB5nrHtg0/f/0pdXC9yeSXXFRXBp9VF6twYa9FHLXUmettgF a9lup6ybJswyzZ8Bk08y706bEgXTnyULU0HMYsn87gCBjD95KeGVwtDKT LN3wIDQorAEKJA0;
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paypal-inc.com; i=bhill@paypal-inc.com; q=dns/txt; s=ppinc; t=1344893477; x=1376429477; h=from:to:cc:subject:date:message-id:references: content-transfer-encoding:mime-version; bh=YKcUnsfv+V6PY0TYDs8+eix38k9vWdp5W5MKC0EJ/e0=; b=TF6kHzZPjCuyV1S9Hdls3q6ix200Sd1lNYw9EyjTdFlkIVXtKzzD7Vzh 2BMsxoNsrjbG03j63Fi2iGWurPxOP5N9RcnMYdQKhGX7ThtFNSR4XFZhJ iMU1XsGFLBqx3ft;
X-EBay-Corp: Yes
X-IronPort-AV: E=Sophos;i="4.77,762,1336374000"; d="scan'208,217";a="9633626"
Received: from den-vtenf-002.corp.ebay.com (HELO DEN-EXMHT-004.corp.ebay.com) ([10.101.112.213]) by den-mipot-002.corp.ebay.com with ESMTP; 13 Aug 2012 14:31:17 -0700
Received: from DEN-EXDDA-S12.corp.ebay.com ([fe80::40c1:9cf7:d21e:46c]) by DEN-EXMHT-004.corp.ebay.com ([fe80::a487:c570:9abc:bb59%14]) with mapi id 14.02.0298.004; Mon, 13 Aug 2012 15:31:13 -0600
From: "Hill, Brad" <bhill@paypal-inc.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>, Collin Jackson <collin.jackson@sv.cmu.edu>
Thread-Topic: [websec] handling STS header field extendability
Thread-Index: AQHNdnu9G2/cgF2QOE2DrHCPRwkn4JdT/HaAgAEaOQCAAvRWEIAAfk+AgAAbqYD//53BMIAAA9oQ
Date: Mon, 13 Aug 2012 21:31:11 +0000
Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E1C2866@DEN-EXDDA-S12.corp.ebay.com>
References: <5024352D.4040604@KingsMountain.com> <CAOuvq23dxoKyV2No55WEYePhVj+Fcab5cF65C1FsiqgtmEkXMA@mail.gmail.com> <CA+cU71kx4Ck2aMeSHhnpb--aZ+mRmszQdojepM4aapVn2TsR=Q@mail.gmail.com> <370C9BEB4DD6154FA963E2F79ADC6F2E1C251C@DEN-EXDDA-S12.corp.ebay.com> <CANVv-VfcVBhd7AUqsZ83dKJiDL3V=_Fd2Wmm=o7WXMiEgCAusg@mail.gmail.com> <FD1D3117-B393-417A-868F-AB954907C16C@vpnc.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.245.27.242]
x-ems-proccessed: 10SqDH0iR7ekR7SRpKqm5A==
x-ems-stamp: RTNtbDiG+uAzf2lJRd2CXQ==
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter: Scanned
Cc: Ben Campbell <ben@nostrum.com>, IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] handling STS header field extendability
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Aug 2012 21:31:21 -0000

tl;dr version:

EV is not a security boundary today in web user agents, it is a way to get a user interface decoration.

If we want to ask browser vendors to make it into a security boundary which they will defend, we need to think about a fairly complex and broad threat model.

I'm not convinced that:

a) it's worth doing LockEV unless it's going to be a real security barrier
b) the complexity introduced in making it a real security barrier is worth it for such a rare attack

-Brad

> -----Original Message-----
> From: Hill, Brad
> Sent: Monday, August 13, 2012 2:20 PM
> To: 'Paul Hoffman'; Collin Jackson
> Cc: Ben Campbell; IETF WebSec WG
> Subject: RE: [websec] handling STS header field extendability
> 
> I have an EV certificate for www.example.com.  On the main page, it includes
> the following tag:
> 
>  <script src="https://scripts.example.com/myscript.js">
> 
> Mallory is presumably much more likely to be able to obtain a DV certificate
> for scripts.example.com than an EV cert for www.example.com.  But Mallory
> can still use the DV certificate to attack the EV content at www.example.com
> by MITMing the fetch of myscript.js, which will be transcluded into the DOM.
> 
> Or alternately, assume that Mallory gets a DV certificate for
> www.example.com which is different (and has a different key pair) from my
> legitimate EV certificate.  Mallory can still MITM content loaded in some
> frame other than the one displaying the EV indicator and gain control of that
> content because her "www.example.com" using the DV certificate is the same
> origin as my "www.example.com" using the EV one.
> 
> So, Collin is right that perhaps I'm making the case *for* LockEV, but as my
> first example shows, it would have to include a full-fledged mixed-content
> distinction between EV and non-EV, as currently exists between HTTPS and
> HTTP.
> 
> When you start to consider more modern technologies for
> intercommunication between multiple instances of client-side apps with
> things like postMessage, webRTC, etc. I wonder if you wouldn't need a full-
> fledged origin distinction on EV/non-EV, as we do today on protocol, to create
> a strong barrier, and if it is worth it and there is any appetite among browser
> vendors for such a thing.
> 
> -Brad
> 
> > -----Original Message-----
> > From: Paul Hoffman [mailto:paul.hoffman@vpnc.org]
> > Sent: Monday, August 13, 2012 2:01 PM
> > To: Collin Jackson
> > Cc: Hill, Brad; Ben Campbell; IETF WebSec WG
> > Subject: Re: [websec] handling STS header field extendability
> >
> > On Aug 13, 2012, at 12:21 PM, Collin Jackson wrote:
> >
> > > On Mon, Aug 13, 2012 at 10:58 AM, Hill, Brad <bhill@paypal-inc.com>
> > wrote:
> > >> There are, of course, non-browser HTTP clients that may respect
> > >> HSTS, but
> > EV certificates in particular are aimed at a browser audience as it is
> > about user trust indicators.
> > >>
> > >> EV is *not* a security boundary in browsers, however.  It is a
> > >> brand
> > awareness and consumer trust product.
> > >>
> > >> I am not aware of any user agents that treat EV and non-EV content
> > >> as
> > having different effective security principals for purposes of the
> > Same Origin Policy.  So, although it is more difficult to get an EV
> > certificate than a DV one, that does not provide any effective
> > security against a MITM attacker who can obtain a DV certificate.
> > Such an attacker can always act as a partial MITM and provide, using a
> > DV certificate, trojan script content in an iframe with no security
> > indicators or substitute an external script in a legitimate page and that
> script will have full access to content delivered with an EV certificate.
> > >>
> > >> I would posit that means a feature like LockEV has little to no
> > >> practical
> > value unless and until (not likely) Web user agents provide origin
> > isolation between EV and non-EV content.
> > >
> > > Quite the opposite, you just made the argument in favor of LockEV.
> > > If LockEV is being used, the MITM attack with a DV certificate would
> > > no longer be possible, because the DV certificate would not be
> > > accepted by the browser.
> >
> > In what case is that attack useful? The public key would still be the
> > one that the site thought they had an EV cert for.
> >
> > Confused...
> >
> > --Paul Hoffman

v2.23.0 | Report a Bug | By Email