Re: [websec] Fwd: [secdir] SecDir review of draft-williams-websec-session-continue-prob-00

Ben Laurie <benl@google.com> Thu, 07 February 2013 08:10 UTC

In-Reply-To: <4613980CFC78314ABFD7F85CC30277211199DCC1@IL-EX10.ad.checkpoint.com>
References: <CABrd9SR0-RTAWnK_g3N8cPStcQfMcFn-8Eq=Ny6xiADYY3NR+w@mail.gmail.com> <4613980CFC78314ABFD7F85CC30277211199DCC1@IL-EX10.ad.checkpoint.com>
Date: Thu, 07 Feb 2013 08:10:48 +0000
Message-ID: <CABrd9SRk4HrGwnMvEDf+cx6gEaiAnr0js8bAY9b5VW+xpaDgbA@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Yoav Nir <ynir@checkpoint.com>, "secdir@ietf.org" <secdir@ietf.org>
Cc: "ietf-websec-sessions@googlegroups.com" <ietf-websec-sessions@googlegroups.com>, IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Fwd: [secdir] SecDir review of draft-williams-websec-session-continue-prob-00

On 7 February 2013 07:46, Yoav Nir <ynir@checkpoint.com> wrote (that I wrote):
> " 10. Must work across all types of proxies. Proxies that can modify
>
>        the plaintext HTTP requests and responses can (but should not)
>        interfere with any session continuation protocol."
>
> A man-in-the-middle is a type of proxy, so this seems like an
> unsatisfiable requirement.

Actually, that's not quite right. Protocols can work across a proxy,
but what's required is that the proxy does not gain the ability to
pretend to be one of the endpoints.

If you satisfy this, then a MitM can snoop, but can't masquerade.

But this seems to impose quite a strong constraint on the protocol: in
particular, future traffic must somehow be bound to the (end-to-end)
session continuation.
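The "snoop but can't masquerade" property discussed above, as an added illustration (this is not code from the draft, from the working group, or from either correspondent). It assumes a session key agreed end-to-end that the proxy never sees, and a hypothetical `Session-Continue` request header carrying a session id, a monotonically increasing sequence number and an HMAC over the method, path, body and a chosen set of headers; which fields the MAC covers is an assumption of this example, not something the draft specifies. A proxy that only adds an uncovered header (here `Via`) passes through; a proxy that replays, rewrites a covered field, or forges a request of its own is rejected.

```python
"""Toy session-continuation MAC: the proxy can read everything but cannot
impersonate the client. Added example, not the draft's design."""
import hashlib
import hmac
import secrets

# ASSUMPTION: these headers are bound into the MAC; anything else (e.g. a
# Via header added by a proxy) may be altered in transit without breaking it.
COVERED_HEADERS = ("host", "content-type")


def new_session():
    # ASSUMPTION: key exchanged end-to-end (e.g. inside an authenticated TLS
    # handshake); the proxy never learns it.
    return {"id": secrets.token_hex(8), "key": secrets.token_bytes(32)}


def _canonical(session_id, seq, method, path, headers, body):
    # Length-prefix every field so that concatenation is unambiguous.
    lowered = {k.lower(): v for k, v in headers.items()}
    parts = [session_id.encode(), str(seq).encode(), method.encode(), path.encode()]
    for name in COVERED_HEADERS:
        parts += [name.encode(), lowered.get(name, "").encode()]
    parts.append(body)
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def client_sign(session, seq, method, path, headers, body):
    """Client side: attach a hypothetical Session-Continue header to a request."""
    mac = hmac.new(session["key"],
                   _canonical(session["id"], seq, method, path, headers, body),
                   hashlib.sha256).hexdigest()
    headers = dict(headers)
    headers["Session-Continue"] = f'id={session["id"]},seq={seq},mac={mac}'
    return {"method": method, "path": path, "headers": headers, "body": body}


class Server:
    def __init__(self):
        self.sessions = {}  # session id -> {"key": bytes, "last_seq": int}

    def register(self, session):
        self.sessions[session["id"]] = {"key": session["key"], "last_seq": 0}

    def verify(self, request):
        """Server side: accept only requests MACed under the session key with a
        fresh sequence number. Returns True on success, False otherwise."""
        lowered = {k.lower(): v for k, v in request["headers"].items()}
        value = lowered.get("session-continue")
        if value is None:
            return False
        try:
            fields = dict(item.split("=", 1) for item in value.split(","))
            sid, seq, mac = fields["id"], int(fields["seq"]), fields["mac"]
        except (KeyError, ValueError):
            return False
        state = self.sessions.get(sid)
        if state is None or seq <= state["last_seq"]:
            return False  # unknown session, or replay of an old sequence number
        expected = hmac.new(state["key"],
                            _canonical(sid, seq, request["method"], request["path"],
                                       request["headers"], request["body"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False  # covered field altered, or MAC forged without the key
        state["last_seq"] = seq
        return True


def demo():
    """Constructed scenario: one client, one server, a plaintext-reading proxy."""
    server = Server()
    session = new_session()
    server.register(session)
    headers = {"Host": "example.test", "Content-Type": "application/json"}
    body = b'{"to":"alice","amount":10}'
    results = {}

    # 1. Proxy adds an uncovered Via header: the request still verifies.
    req1 = client_sign(session, 1, "POST", "/transfer", headers, body)
    via = dict(req1, headers={**req1["headers"], "Via": "1.1 proxy.example"})
    results["proxy_passthrough"] = server.verify(via)

    # 2. Proxy replays the captured request: rejected (sequence not fresh).
    results["replay"] = server.verify(via)

    # 3. Proxy rewrites a covered field on a fresh request: rejected.
    req2 = client_sign(session, 2, "POST", "/transfer", headers, body)
    results["tampered_body"] = server.verify(dict(req2, body=b'{"to":"mallory","amount":10}'))

    # 4. Proxy forges its own request without the key: rejected.
    forged = {"method": "POST", "path": "/transfer", "body": body,
              "headers": {**headers, "Session-Continue": f'id={session["id"]},seq=3,mac={"0" * 64}'}}
    results["forged"] = server.verify(forged)

    # 5. The real client continues with a later sequence number: accepted.
    results["later_legitimate"] = server.verify(
        client_sign(session, 3, "GET", "/balance", {"Host": "example.test"}, b""))
    return results


if __name__ == "__main__":
    print(demo())
```

Note what this does and does not buy: the proxy still reads the body in case 1 (it can snoop), and a proxy that strips or rewrites an uncovered header is invisible to the check, so the choice of covered fields is exactly where the "work across proxies" requirement and the "cannot masquerade" requirement pull against each other.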