Re: [websec] draft-ietf-websec-key-pinning

Yoav Nir <ynir.ietf@gmail.com> Sat, 06 September 2014 09:39 UTC

To: Ryan Sleevi <sleevi@google.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/B6fOGA6K4KOOAXru5E-7Zvo6554
Cc: draft-ietf-websec-key-pinning <draft-ietf-websec-key-pinning@tools.ietf.org>, "<websec@ietf.org>" <websec@ietf.org>

Hi

I agree with Tobias.

The attack that Trevor describes is done by a TLS MitM. TLS MitM can be either trusted or not trusted. 

Non-trusted MitM is not a problem. Even if the user is allowed to click through the interstitial and get the page, the browser still considers the connection insecure (red slash in the UI of Chrome) and the draft says not to note a pin in that case (Section 2.5: "It received the PKP response header field over an error-free TLS connection.").

Trusted MitMs are a bigger issue. I know that Google’s implementation disables pinning for trusted MitM, but even UAs that won’t make a distinction between a regular trusted CA and a MitM CA won’t pin the data, because the pins (that come from the origin server) will not match the public keys (that come from the proxy). The only issue is if the MitM is malicious and stores its own pins via the PKP-RO headers, causing the UA to be tracked by sending reports to the attacker whenever they access the website.

I think it’s important in this case that the MitM is trusted, meaning that the user (or their IT department) installed that root trust anchor. In that case the user has to trust that this root CA won’t do harm. That’s part of the trust. This scenario may deserve a sentence or two in the security considerations, not a change in the protocol.

Yoav
(with chair and shepherd hat on)
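
The pin-noting decision walked through in the message above, as an added example that is not part of the original message or of the draft: a simplified UA-side check, run over the three MitM cases plus a direct connection. The function names, the placeholder byte strings standing in for DER SubjectPublicKeyInfo, and the report URI are assumptions; the check covers only the two conditions the message relies on (error-free TLS, pins matching the presented keys) and, as in the message's scenario, treats a PKP-RO value the same way as a PKP one.

```python
import base64, hashlib, re

def spki_pin(spki: bytes) -> str:
    # pin-sha256 value: base64 of SHA-256 over the SubjectPublicKeyInfo
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

def parse_pins(value: str) -> dict:
    # Pull the directives this check needs out of a PKP / PKP-RO header value
    age = re.search(r'max-age=(\d+)', value)
    uri = re.search(r'report-uri="([^"]*)"', value)
    return {"pins": set(re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', value)),
            "max_age": int(age.group(1)) if age else None,
            "report_uri": uri.group(1) if uri else None}

def should_note_pins(tls_error_free: bool, chain_spkis: list, value: str) -> bool:
    if not tls_error_free:            # Section 2.5 condition quoted in the message
        return False
    policy = parse_pins(value)
    if policy["max_age"] is None or not policy["pins"]:
        return False
    # Pins must match a key the UA actually saw in the validated chain
    return bool(policy["pins"] & {spki_pin(k) for k in chain_spkis})

# Constructed sample keys (placeholders, not real DER)
ORIGIN_KEYS = [b"origin-leaf-spki", b"origin-intermediate-spki"]
PROXY_KEYS = [b"proxy-leaf-spki", b"proxy-root-spki"]

def header_for(keys, report_uri=None):
    parts = [f'pin-sha256="{spki_pin(k)}"' for k in keys] + ["max-age=5184000"]
    if report_uri:
        parts.append(f'report-uri="{report_uri}"')
    return "; ".join(parts)

def scenarios() -> dict:
    origin_hdr = header_for(ORIGIN_KEYS)
    proxy_hdr = header_for(PROXY_KEYS, "https://collector.example.invalid/pkp")
    return {
        "direct_to_origin": should_note_pins(True, ORIGIN_KEYS, origin_hdr),
        "untrusted_mitm": should_note_pins(False, PROXY_KEYS, origin_hdr),
        "trusted_mitm_relays_origin_pins": should_note_pins(True, PROXY_KEYS, origin_hdr),
        "trusted_mitm_sets_own_pins": should_note_pins(True, PROXY_KEYS, proxy_hdr),
    }

if __name__ == "__main__":
    for name, noted in scenarios().items():
        print(f"{name}: pins noted = {noted}")
```

Only the last case passes both checks behind a MitM, which is the residual scenario the message proposes covering in the security considerations.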