IETF Logo Mail Archive

Re: [websec] A few comments on draft-ietf-websec-key-pinning

Yoav Nir <ynir@checkpoint.com> Mon, 12 December 2011 14:57 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CD3821F8B57 for <websec@ietfa.amsl.com>; Mon, 12 Dec 2011 06:57:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.569
X-Spam-Level:
X-Spam-Status: No, score=-10.569 tagged_above=-999 required=5 tests=[AWL=0.030, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dZZ46ewVsrUq for <websec@ietfa.amsl.com>; Mon, 12 Dec 2011 06:57:19 -0800 (PST)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 1EC7321F8B54 for <websec@ietf.org>; Mon, 12 Dec 2011 06:57:18 -0800 (PST)
X-CheckPoint: {4EE614F7-0-1B221DC2-1FFFF}
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id pBCEvG5V021176; Mon, 12 Dec 2011 16:57:16 +0200
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Mon, 12 Dec 2011 16:57:16 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Date: Mon, 12 Dec 2011 16:57:34 +0200
Thread-Topic: [websec] A few comments on draft-ietf-websec-key-pinning
Thread-Index: Acy43lavfvwSbCXnRPGWihkJFs86yg==
Message-ID: <39133E20-4136-4AA4-B7C6-48DC1299109E@checkpoint.com>
References: <7C746AD7-9448-4883-9A30-85A2E72C8AF5@gmail.com> <32ED4792-4720-471A-A074-ECDAA172CC47@vpnc.org>
In-Reply-To: <32ED4792-4720-471A-A074-ECDAA172CC47@vpnc.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] A few comments on draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Dec 2011 14:57:20 -0000

On Dec 12, 2011, at 2:38 AM, Paul Hoffman wrote:

> Greetings again. Alexey asked me to review draft-ietf-websec-key-pinning with an eye towards which areas are likely to need more work. I hope the following comments are helpful.
> 
> - There needs to be an early balancing the advantages of pinning versus the disadvantages. A description of the possible downsides should be at least partially listed in Section 1, with a pointer to the Security Considerations.
> 
> - Some of the significant disadvantages of pinning are not covered. The biggest of these (although I could be wrong) is that an MITM can start using the pinning header with a long max-age before the "real" site has used the pinning header. When the user finally gets to the "real" site, they will not connect to it because of the MITM's pin, giving the MITM a second attempt to come back later. There are probably some other nasty consequences of this. 

Section 2.3 does say that pins must only be noted if they come over an error-free HTTPS connection, where the chain contains the pinned SPKI. So the MITM would have to be able to take over the DNS (at least for a while) as in the attack described by David on 11-Dec.
Maybe we can mitigate this with a version of this header (or another one) that says "no pins for the next x seconds"

> 
> - While hash agility is a good thing, the current draft's way of doing this is not the right way. I propose that it instead be changed to "must be sha-256 or sha-384, and later algorithms can be added only by an RFC updating this document".

A year from now, "sha-256" is going to be ambiguous. Better to say "sha2-256".

> 
> - The first paragraph of Section 3 should have its own sub-head to clarify that it is not superior to the text in Section 3.1. But, more importantly, Section 3 needs to list the areas where this protocol gives an MITM better attacks than they have now, and should list those first.
> 
> Early nit: The first paragraph of Section 1 makes it sound like the pinning header "does not scale"; this is clearly not what is intended.
> 
> --Paul Hoffman
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
> 
> Scanned by Check Point Total Security Gateway.

v2.23.0 | Report a Bug | By Email