IETF Logo Mail Archive

Re: [websec] New draft of HTTP header-based public key pinning

Chris Evans <cevans@google.com> Wed, 09 November 2011 03:59 UTC

Return-Path: <cevans@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A403811E80D7 for <websec@ietfa.amsl.com>; Tue, 8 Nov 2011 19:59:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.976
X-Spam-Level:
X-Spam-Status: No, score=-102.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5LsJkLa3fc3W for <websec@ietfa.amsl.com>; Tue, 8 Nov 2011 19:59:58 -0800 (PST)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id BE84E21F8511 for <websec@ietf.org>; Tue, 8 Nov 2011 19:59:58 -0800 (PST)
Received: by ywt2 with SMTP id 2so1559173ywt.31 for <websec@ietf.org>; Tue, 08 Nov 2011 19:59:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-system-of-record; bh=5qsPdkB0wghE7O5iPiVfwLhcQejW1mq8UKhcF7QA3PU=; b=jAmkj4Zpj9aDmP8MGd3g2vDyOsiXKpWl8M4qaJZ/QBQddNmuXm1SSPBxtYMBboiRdH UbP7+fQjabrrfjZUR5Yg==
Received: by 10.100.49.27 with SMTP id w27mr330259anw.134.1320811198150; Tue, 08 Nov 2011 19:59:58 -0800 (PST)
MIME-Version: 1.0
Received: by 10.100.49.27 with SMTP id w27mr330242anw.134.1320811197950; Tue, 08 Nov 2011 19:59:57 -0800 (PST)
Received: by 10.150.227.6 with HTTP; Tue, 8 Nov 2011 19:59:57 -0800 (PST)
In-Reply-To: <5EE049BA3C6538409BBE6F1760F328ABEBED718018@DEN-MEXMS-001.corp.ebay.com>
References: <CAOuvq21Ne0CWT3Dzn0sutGDBg0K+efZhxmqBZiLuxbO2OwxnFg@mail.gmail.com> <CA+cU71kFFpuooyiBTarvLT3VJigZhW0BgpQi1gMTn7zB=sFh+w@mail.gmail.com> <CAOuvq20uCZsp80yJ6gjeh-AGVswu3GTPuSYYCGyXPWpO-RJpsA@mail.gmail.com> <5EE049BA3C6538409BBE6F1760F328ABEBED718018@DEN-MEXMS-001.corp.ebay.com>
Date: Tue, 08 Nov 2011 19:59:57 -0800
Message-ID: <CAFmnb5+vSowXjnutYwqg59mOjxBQj4NySofU-ASYwQDreYqfNg@mail.gmail.com>
From: Chris Evans <cevans@google.com>
To: "Steingruebl, Andy" <asteingruebl@paypal-inc.com>
Content-Type: multipart/alternative; boundary="001485f87bb044ece404b145521f"
X-System-Of-Record: true
X-Mailman-Approved-At: Tue, 08 Nov 2011 21:35:43 -0800
Cc: Ian Fette <ifette@google.com>, IETF WebSec WG <websec@ietf.org>, Wan-Teh Chang <wtc@google.com>
Subject: Re: [websec] New draft of HTTP header-based public key pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Nov 2011 04:00:18 -0000

On Tue, Nov 8, 2011 at 7:48 PM, Steingruebl, Andy <
asteingruebl@paypal-inc.com> wrote:

> > -----Original Message-----
> > From:  Chris Palmer
>
>
> > >  - There is no directive or suggestion to User Agents about saving or
> > > not saving pins received in a private browsing mode.  Maybe there
> > > shouldn't be, but if a User-Agent does save them, the same 304/ETag
> > > trick malicious sites use to track users can be created using certs
> > > and subdomains.
> >
> > Yes, another person raised this concern, and it is real. I don't see a
> way to
> > resolve this problem; perhaps I am not smart enough, but I can't see a
> way to
> > have both dynamic pinning AND avoid this tracking attack.
> >
> > I am willing to add a paragraph about what browsers should do in private
> > browsing mode, and I am willing to go either way on what the requirement
> > should be. I don't know what is best.
>
> We battled this problem with HSTS as well.  I think what Mozilla settled
> on (and I don't remember the Chrome solution) is to use a different storage
> mechanism when HSTS is *set* during private browsing mode, and clear on
> exit from private browsing.
>

I recently fixed Chrome's behaviour here to be (barring regressions):
- _New_ HSTS metadata encountered in incognito mode is saved in-memory for
the duration of the incognito session, but never persisted to disk, or seen
outside of the incognito windows.
- Incognito mode _will_ use HSTS metadata that was already persisted to
disk at the start of the incognito session.

That seemed like a solid balance between the various privacy vs. security
concerns.


> Clearing history/cookies on the browser is similarly problematic for HSTS
> and pinning.  This is unfortunate in that we'd really like it to be hard
> for users to clear HSTS state because it is "good for them".  Not clear
> whether this belongs in the spec, or a set of implementation guidelines.
>  Folks got squeamish here about talking about exact UA behavior, etc.
>

For Chrome, I believe it is tied to cookies: "Cookies and other site data".
Last I talked with Sid at Firefox, they were thinking of splitting off
cookies from other site data. I'm not sure where that went. It also gets
complicated: is HTML5 database / indexed storage "cookies" or "other site
data", etc. etc.

I'd recommend we stay out of providing exact UA requirements here other
than a "SHOULD" for providing _some_ user-friendly way to clear HSTS
metadata. Realistically, it's a pretty small percentage of the browsing
population that go in and fiddle with storage settings.


Cheers
Chris


> There is a Firefox bugzilla bug about this issue, I'll try to go find it
> and post back here unless someone beats me to it.
>
> - Andy
>
>

v2.23.0 | Report a Bug | By Email