IETF Logo Mail Archive

Re: [websec] I-D Action: draft-nir-websec-extended-origin-00.txt

Yoav Nir <ynir@checkpoint.com> Thu, 23 February 2012 14:58 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D35921F87B6 for <websec@ietfa.amsl.com>; Thu, 23 Feb 2012 06:58:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.168
X-Spam-Level:
X-Spam-Status: No, score=-9.168 tagged_above=-999 required=5 tests=[AWL=-1.170, BAYES_50=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K7v7GoeMq713 for <websec@ietfa.amsl.com>; Thu, 23 Feb 2012 06:58:44 -0800 (PST)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 61A0C21F87C3 for <websec@ietf.org>; Thu, 23 Feb 2012 06:58:43 -0800 (PST)
X-CheckPoint: {4F464FF3-1-1B221DC2-1FFFF}
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id q1NEwekk023858; Thu, 23 Feb 2012 16:58:41 +0200
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Thu, 23 Feb 2012 16:58:40 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
Date: Thu, 23 Feb 2012 16:58:43 +0200
Thread-Topic: I-D Action: draft-nir-websec-extended-origin-00.txt
Thread-Index: AczyO6ClayzDt7DeQim8fjl7FzrVqw==
Message-ID: <7BC9C725-9604-49C9-9A6B-B24B6B088B0A@checkpoint.com>
References: <20120202220021.31936.37346.idtracker@ietfa.amsl.com> <C35E9FBD-8AF7-4F63-B798-1316B985E032@checkpoint.com> <255B9BB34FB7D647A506DC292726F6E114EC261141@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E114EC261141@WSMSG3153V.srv.dir.telstra.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: multipart/alternative; boundary="_000_7BC9C725960449C99A6BB24B6B088B0Acheckpointcom_"
MIME-Version: 1.0
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] I-D Action: draft-nir-websec-extended-origin-00.txt
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2012 14:58:45 -0000

Hi James, thanks for reviewing.

The scheme that you propose (a.sslvpn.example.com<http://a.sslvpn.example.com>, b.sslvpn.example.com<http://b.sslvpn.example.com>, etc.) really does work. In fact, the product that my company makes offers this as an option.

Sadly, our customers don't like it, hence the other option.  Using multiple FQDNs requires them to either buy multiple certificates, or a wildcard certificate, both options are more expensive. Additionally this requires them to add multiple DNS records, which for some reason they find cumbersome.

About your other comments:

1) (no need for multiple headers) I agree. I think I will change this in -01. I don't really think stacking portals is a good engineering idea. I just added this for completeness, and I can replace it with text along your comment

2) I don't see that it makes much of a difference. I can do it either way. Can you explain what is the advantage of this over the pseudo-fragment format?

Thanks

Yoav

On Feb 23, 2012, at 2:26 AM, Manger, James H wrote:

>> Title           : A More Granular Web Origin Concept
>> Filename   : draft-nir-websec-extended-origin-00.txt


> I have just submitted this draft. The purpose of this is to address the case where a single portal hides several real servers behind it, by translating their URLs into URL that seem to be from that server.
>
> In that case the same origin policy is not enforced correctly, because cookies and scripts from one server behind the portal (for example, a mail server) can be shared and can affect pages form another server behind the same portal.
>
> This draft proposes a header that will tell the client (browser) what the real origin is, and allow the client to apply the SOP.


Yoav,

SSL VPNs that proxy a whole bunch of web sites via a single host are indeed a security problem as they break the same-origin protections that the individual web sites expect. However, I don’t think this draft’s solution is the best approach. It requires browsers to fix what SSL VPN’s have broken; and doesn’t provide much improvement until the new functionality is implemented in all browsers and deployed to most users.

Wouldn’t it be better for SSL VPNs to use lots of sub-domains? For instance, to map internal sites to:
 https://a.sslvpn.example.com/webmail
  https://b.sslvpn.example.com/wiki/index.html
  https://c.sslvpn.example.com/stuff


If the “Extended-Origin” HTTP header approach does proceed…

1] You don’t need multiple Extended-Origin headers for successive portals in a path. A portal about to insert a header can just take into account any existing value if present. That is, insert a single Extended-Origin response header that is unique for each combination of {original-domain; original-extended-origin-header-value}.

2] I think it would be better to serialize an extended-origin as an additional sub-domain, not a fragment. The sub-domain could have a prefix so it cannot (or is highly unlikely to) clash with a real sub-domain. Example:
→ GET https://sslvpn.example.com/xyz
← Extended-Origin: asdhgasghd
→ Origin: https://xb--asdhgasghd.sslvpn.example.com

v2.23.0 | Report a Bug | By Email