Re: [websec] Review of draft-evans-palmer-hsts-pinning-00
Tom Ritter <tom@ritter.vg> Sat, 15 October 2011 01:04 UTC
Return-Path: <tom@ritter.vg>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96EAF21F8CFA for <websec@ietfa.amsl.com>; Fri, 14 Oct 2011 18:04:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level:
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id II8vynNsXedj for <websec@ietfa.amsl.com>; Fri, 14 Oct 2011 18:04:39 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id C0DE621F8CE9 for <websec@ietf.org>; Fri, 14 Oct 2011 18:04:39 -0700 (PDT)
Received: by iabn5 with SMTP id n5so3321066iab.31 for <websec@ietf.org>; Fri, 14 Oct 2011 18:04:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type:content-transfer-encoding; bh=EJVwnEzRcgXWz8UVphxzmAxth6xmEpID961dKSfrMf4=; b=gaUq+ii2ISP4wtSG2VzJLfYVnOtjyvQIpLbWBiopSFKUc/WokiettLtOiTnMZYWRXh uudrW3ZPz2yXPwK7KdI/dJga9ZOja+vf4wDh/BkPGzIcxOum8zwVG1XRgiYUCqIDG6cc ES9H/21LWMEu/HW4hxLDVxiIcwrLYn4h8YRN8=
Received: by 10.68.29.199 with SMTP id m7mr20069601pbh.112.1318640679079; Fri, 14 Oct 2011 18:04:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.142.245.1 with HTTP; Fri, 14 Oct 2011 18:04:19 -0700 (PDT)
In-Reply-To: <4E98B208.7080201@KingsMountain.com>
References: <4E98B208.7080201@KingsMountain.com>
From: Tom Ritter <tom@ritter.vg>
Date: Fri, 14 Oct 2011 21:04:19 -0400
Message-ID: <CA+cU71m9LcDuPFQk4DeDjmuwRn55jrsUe+km-d4o+_5dvFvPMQ@mail.gmail.com>
To: IETF WebSec WG <websec@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [websec] Review of draft-evans-palmer-hsts-pinning-00
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Oct 2011 01:04:40 -0000
I'm excited about this draft. > > Note that to validate pins, UAs must necessarily read the headers of > > a response. > [5] response = HTTP response? > This implies that the pin check machinery is up at the HTTP layer rather than down lower in or near the TLS layer, which implies that the UA can make normal HTTP requests to a bogus Known Pinned Host, and send cookies, before realizing that the pin check has failed. > This is a fundamental security issue. I don't think this is worded correctly. If a site is a Known Pinned Host, the pin check should occur after recieving the certificate chain, but before the TLS session is wholly established. If this check does not pass, the connection is aborted.[1] If a pin check occured at the HTTP layer and does occur after a TLS session has been established, data was sent by the client, and the response received - I see only two things that could happen that would be 'new' to the User Agent. 1) 'Oh, this site supports pinning. I didn't know that. I'll note it down as a Known Pinned Host. Let me check the pins just to be sane.' This check wouldn't actually provide any security (that's what preloading is for) - if the pins didn't match, either the server is messed up or the attacker was incompetant because they could have changed the pins. 2) 'I just recieved an unpin directive for the certificate I just used to connect.' This is again a case of the server being messed up. [2] So I think the existing wording is wrong, and better wording would be something like: Upon receipt of this header field, the UA will note the HSTS Host as a Known Pinned HSTS Host if it was previously not. When connecting to a Known Pinned HSTS Host, the UA will compare the public key fingerprint(s) in the Host's certificate chain to the pinned fingerprints, and will fail closed before sending a HTTP request unless at least one public key in the chain has a fingerprint matching one of the pinned fingerprints. (Following the HSTS specification, TLS errors for HSTS hosts must be hard, with no chance for the user to click through any warnings or errors. We treat fingerprint mismatch in the same way.) Where I added - "..will note the HSTS Host as a Known Pinned HSTS Host IF IT WAS PREVIOUSLY NOT." - "...will fail closed BEFORE SENDING A HTTP REQUEST unless at least...". [1] From an engineering perspective, perhaps the connection IS established because that occurs in a modular library that does not know of pinning, but the HTTP request would not be sent, because the connection would be examined outside the library. [2] Do we handle the case where Alice connects to a Known Pinned Site, recieves a valid certificate, but the certificate is unpinned in the Pinning Header? I think this is an error case, because while the initial connection is valid, any subsequent connections in the TLS session were 'fruit of the poison tree' - made using an unpinned certificate. I also think behavior should be noted explictly. I have an additional comment: this header field could grow quite large. Site operators may wish to omit it in the response in several scenarios that indicate to them the client has recieved it already. I don't see a reason this would cause any issue, I'm just noting it. -tom