IETF Logo Mail Archive

Re: [websec] Consensus call: Issue #57 (max-max-age)

Tobias Gondrom <tobias.gondrom@gondrom.org> Wed, 22 May 2013 21:02 UTC

Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3CC8421F9673 for <websec@ietfa.amsl.com>; Wed, 22 May 2013 14:02:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.361
X-Spam-Level:
X-Spam-Status: No, score=-95.361 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wuQ0TvOvFHLb for <websec@ietfa.amsl.com>; Wed, 22 May 2013 14:02:15 -0700 (PDT)
Received: from lvps176-28-13-69.dedicated.hosteurope.de (lvps176-28-13-69.dedicated.hosteurope.de [176.28.13.69]) by ietfa.amsl.com (Postfix) with ESMTP id 7131E21F964C for <websec@ietf.org>; Wed, 22 May 2013 14:02:13 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=YS5EdMdUAm2DyY1tU980MfJTNGzbJMhusWbraCX+EQGMfR+nVGic3ttSDFaAvS/LL4c6FHMCch7eOCFg8L60uDRKTnAtA15iZMWD89eFYxxqNu9rUe5aB7AB5An45mWP; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:X-Enigmail-Version:Content-Type;
Received: (qmail 4077 invoked from network); 22 May 2013 23:02:12 +0200
Received: from 188-222-102-61.zone13.bethere.co.uk (HELO ?192.168.1.86?) (188.222.102.61) by lvps176-28-13-69.dedicated.hosteurope.de with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 22 May 2013 23:02:12 +0200
Message-ID: <519D3254.1040508@gondrom.org>
Date: Wed, 22 May 2013 22:02:12 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130510 Thunderbird/17.0.6
MIME-Version: 1.0
To: trevp@trevp.net
References: <43C5DE99-43EB-42FC-8F61-24F9A9429FD1@checkpoint.com> <CA+cU71=Q_QkHqiQ95AZgw8Bi7U_mgCi4icMypwFUp1C6i=apUA@mail.gmail.com> <518EE510.9060600@it.aoyama.ac.jp> <8450797E-818C-445C-ABD2-1B8F9AE1DBB9@checkpoint.com> <5194918A.7030300@gondrom.org> <CAGZ8ZG0SWZD9e-NP2RhQMQ-=F5JUCCytF2NYTdWH7u13hhBqqQ@mail.gmail.com>
In-Reply-To: <CAGZ8ZG0SWZD9e-NP2RhQMQ-=F5JUCCytF2NYTdWH7u13hhBqqQ@mail.gmail.com>
X-Enigmail-Version: 1.5.1
Content-Type: multipart/alternative; boundary="------------060805060201080100030701"
Cc: websec@ietf.org
Subject: Re: [websec] Consensus call: Issue #57 (max-max-age)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 May 2013 21:02:20 -0000

<hat="individual">

Hi Trevor, hi all,

thanks for the thoughts.
Maybe a few comments and a question inline.


On 18/05/13 18:40, Trevor Perrin wrote:
>
> Hi Tobias, all,
>
> I think Tobias gives a fair summary of the arguments against a 30-day
> spec limit.  Let me summarize the opposing arguments:
>
>
> On Thu, May 16, 2013 at 12:58 AM, Tobias Gondrom
> <tobias.gondrom@gondrom.org <mailto:tobias.gondrom@gondrom.org>> wrote:
>
>
>     as mentioned before: I believe a time limit of 1 month is too short
>     considering that some of the high profile use cases (banks, etc.) may
>     only have monthly or bi-monthly usage. In which case the key pin would
>     regularly expire before people return to the site and the
>     protection is
>     null.
>
>
> You're assuming that pin assertions (like HPKP headers) are only
> processed by individual browsers. 
>
> I hope pin assertions will *also* be processed by web crawlers to
> create pin lists which are made available to browsers (via preloaded
> lists, secure links, online lookups, etc.)
>
> In that case, having pins last a month (instead of shorter) keeps the
> frequency of re-crawling sites and re-downloading pin lists
> manageable.  Longer pins wouldn't be a big improvement.#

The web crawler idea could be interesting as a solution to early pin
expiry if we would have a hard limit in the RFC, but only if _all_
browsers will implement and use them. Which from my current
understanding is not on the horizon. At least I have seen no such
indications. Otherwise you get the varying implementations through
"creative approaches" you are worried about down below (and which I
don't like either).

And maybe a question to go a step further:
Would you agree that if we would do a 30-day hard limit as you propose,
this would basically mean that all less frequent banking/paypal/...
users MUST (or a very strong SHOULD) use such a web crawler to make sure
that their pin has not expired before they come back?
This would be a big problem in my eyes, as IMHO this assumption can not
be guaranteed nor expected to be rolled out consistently.

>  
>
>     And regarding some of the concerns of pro-longed malicious bricking by
>     an attacker after an attack has been resolved:
>     Two scenarios:
>     1. I believe if we have a time limit of more than 1 month we need a
>     different mechanism (e.g. user actively flushing the key cache)
>     anyway.
>     2. in the case of high frequency sites (like you mentioned Facebook),
>     imagine even a 1 month brick time would already be considered
>     unacceptable too long by most users (in fact probably everything
>     above a
>     few hours would be considered too long) and trigger user action to
>     flush
>     the cache.
>
>
> Agreed that a 30-day limit is not, by itself, sufficient mitigation
> against "malicious bricking by an attacker after an attack".  I
> suspect pinning will need several additional mechanisms to prevent,
> limit, and recover from such attacks.  "Pin activation" is one
> mechanism I think is particularly helpful, for this case.
>
> A 30-day spec limit is more important for other reasons:
>  1) Domain name transfers (sales, disputes, reclaiming hijacked
> domains, etc.)
>  2) Preventing long-term lock-in.  E.g. you are pinned to CA keys
> which you lose trust in and suspect might be participating in MITM
> attacks; you are not bricked, but you are unable to change to a
> different CA and assert new CA pins until the old pins expire.
>  3) Pruning the amount of pin history you must keep your site
> consistent with (Do you remember what pins you or the previous domain
> owner asserted 6 month ago? 6 years ago? ever?  They might still be
> out there, waiting to trip you up).

Hm, in my view case #2 and #3 are about your own pinning time frames and
should be ok with recommendations, but would not require hard limits in
the draft. And in fact as we have multiple pins in the header we have a
migration path from A to B during that transition.

Reading your cases, it feels to me #1 the malicious domain name transfer
is the strongest case.
Is that in your opinion as well?
I am wondering how often that would happen? And whether we should not be
solving this through other means? (e.g. flushing the cache, reseting
this domain pin due to legal action or whatever?)

Overall, I still think it would be better not to assert a hard time
limit of 30 days in the doc.

(and if at all a time limit would be there, it should be at least 60
days, to cover users who revisit sites once per month which I imagine
many banking etc. users may do...).

I would be very interested to also read from others on the mailing-list
and the editors of the draft about their opinion on the web crawler, and
the use cases?

Best regards, Tobias

v2.23.0 | Report a Bug | By Email