Re: [websec] Question on Pinning Overrides

Chris Palmer <palmer@google.com> Mon, 20 October 2014 18:40 UTC

Return-Path: <palmer@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6E611A9039 for <websec@ietfa.amsl.com>; Mon, 20 Oct 2014 11:40:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.51
X-Spam-Level:
X-Spam-Status: No, score=0.51 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 17t4vJ95jVMJ for <websec@ietfa.amsl.com>; Mon, 20 Oct 2014 11:40:16 -0700 (PDT)
Received: from mail-oi0-x22d.google.com (mail-oi0-x22d.google.com [IPv6:2607:f8b0:4003:c06::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 962F91A903D for <websec@ietf.org>; Mon, 20 Oct 2014 11:40:16 -0700 (PDT)
Received: by mail-oi0-f45.google.com with SMTP id i138so4190193oig.32 for <websec@ietf.org>; Mon, 20 Oct 2014 11:40:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=mR1n40BxwEhQLFZYtQ0ChK22hyE58lWWMYOYO3i1Hpo=; b=bE2qd0zqZvgN8M54/7VurW6BpUirAmtY0P43RWV5xA51x54qG0zuinsNmvXTqpm4oJ m7Ap9fWOTHskmKaMNFw+/Ok2aSH59Asmds4d5+tBdHafeq4+MKih+W4zwsWDY4+L2tuc 4cYfq67sbqF8xdeuZi9ZO4/SbKJ4knFzTus32Sn9Cgx7PIq3MfRLPzlgZYf+4jjC0a2y b5kx6so69SWvBX4qF0GFYv0f4nf2kK4UpjkjU2BC+44lLxQcRNsWpVFYXsiLTN6M3Gft 7pm9fX7pYwyozPB8NOvrE9PCzIGom2eQGK3CVYvmyCsHyLyDtJqg6R9tlbYGGeemugCm +NKA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=mR1n40BxwEhQLFZYtQ0ChK22hyE58lWWMYOYO3i1Hpo=; b=SVF/L8c5uz8N6h1OAvm/vMinxu0DQUlaLQwbmA+n8XPLqqkenzapaK8300I6nNdcrM fJLwUCgQjOMC3aJv7jJniEjwx7nMf7DwC1duCxrx3F8HYYJVEpCAqZF9lZVzsPWVm7gS QEWjQlQhxLfKlIomwuRXRAzY9tiVTSktnMulgqjfD5HaC43VHIPsQzqRcx0GTInXqOXB s0vy5ebxt27efT04SNJz9WPIyaCIjrC91O2P+hvzkLa/bs/YY6/PaCFVthd0np65t7gN B2AhAhZWP/a3/YBwiZQyGKuWDB9Wl/92mNxCBvgE/ptyl6oSWdqJR+E52oZe9Yeh/k4e C6TQ==
X-Gm-Message-State: ALoCoQm+YuPGieYJ929I4AYTRP8ruBUD8Lt9UtfQ6nB07OkTgeMmqZ/rd48hjpXZxkfl4t6s7Wcb
MIME-Version: 1.0
X-Received: by 10.202.3.70 with SMTP id 67mr3280753oid.69.1413830414995; Mon, 20 Oct 2014 11:40:14 -0700 (PDT)
Received: by 10.182.55.68 with HTTP; Mon, 20 Oct 2014 11:40:14 -0700 (PDT)
In-Reply-To: <CAH8yC8nDuhFAQZ-4Q9qAZavq7XGF34=6C_ngyr7tLT8moJ2dZw@mail.gmail.com>
References: <CAH8yC8nM3D6DfDg5xb8hLnqnM+6Hz_iwpRF2UR8YEbuE+fntPA@mail.gmail.com> <CAOuvq21TsAaDS0cC-=F1RPghK6UPH2rwowvnqjar0gT-R_TE6Q@mail.gmail.com> <CAH8yC8nDuhFAQZ-4Q9qAZavq7XGF34=6C_ngyr7tLT8moJ2dZw@mail.gmail.com>
Date: Mon, 20 Oct 2014 11:40:14 -0700
Message-ID: <CAOuvq2008wmY1RgKAnYPRFZ4LApj6s9awjky2QWxQQz6BJOWsw@mail.gmail.com>
From: Chris Palmer <palmer@google.com>
To: noloader@gmail.com
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/GSR0quBHnKWdxJrPY_rqWQhUcDI
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Question on Pinning Overrides
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Oct 2014 18:40:17 -0000

On Sun, Oct 19, 2014 at 9:27 AM, Jeffrey Walton <noloader@gmail.com>; wrote:

> I think the more common cases of "I want to use my device at work" or
> "I must click through the buttons to use the wifi hotspot" is devoid
> of any user understanding and decision. In this use case, the user did
> not define a trust anchor. Rather, it was surreptitiously installed by
> the device management software or unscrupulous service providers.

To install a new trust-anchor, the attacker/owner/user/device
administrator must have administrative control over the device, or
must trick the true owner into mis-using their power.

Such an attacker is, by necessity, outside the scope of the key
pinning threat model.

http://www.chromium.org/Home/chromium-security/security-faq#TOC-How-does-key-pinning-interact-with-local-proxies-and-filters-

> In fact, the "user's decision" was likely hidden away in a Terms of
> Service when Nokia was caught performing intercept en masse [0]. In

If the device manufacturer is also taking administrative control over
devices in the field, then market pressure (such as those articles) is
the only recourse. We can't do anything technically that would not
also break legitimate use cases.