Re: [websec] Comments on draft-ietf-websec-key-pinning

Joseph Bonneau <jbonneau@gmail.com> Thu, 19 February 2015 18:01 UTC

Return-Path: <jbonneau@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DB1D1A1EEF for <websec@ietfa.amsl.com>; Thu, 19 Feb 2015 10:01:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HzDxw_zFs7-Z for <websec@ietfa.amsl.com>; Thu, 19 Feb 2015 10:01:09 -0800 (PST)
Received: from mail-lb0-x22e.google.com (mail-lb0-x22e.google.com [IPv6:2a00:1450:4010:c04::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E93C31A1B7D for <websec@ietf.org>; Thu, 19 Feb 2015 10:01:08 -0800 (PST)
Received: by lbvp9 with SMTP id p9so1477993lbv.3 for <websec@ietf.org>; Thu, 19 Feb 2015 10:01:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=SMHWrs0wxcdQuIgjErO9yacoVoOwrxKhPO864Z5HWA0=; b=q8xjhKIwCao3v9VDy4xb5s6WET3OHuTqEcGvgeeBhPwNAcxHRmwWp7jo11aorqS1ls bkH58B3URNV2BR8k1cNzHRIT4OTuJlmPEZEeHymMIu8lnlNTmlTKROsf9D/xSYG71bmB +dTs/MlqpaeC6jVyXFfCWEXSn1P5KFBp7YutJWLXoQpqtX/put3sGfDRlUvmQUUxOq05 gBAnSQtH5d22pHXBkxS2GoKPDdk1L6nKX42IbKIzaEWUWgmWwahilYfNOigl/CCgBcM3 zT53N3XmPr2E6E6XvpyaNW69Pf4TOzGZQq9JNOmPflsN4sF3uy2u1X5WbuwiWwWLj1ZE 6USQ==
X-Received: by 10.152.2.227 with SMTP id 3mr4841901lax.85.1424368867280; Thu, 19 Feb 2015 10:01:07 -0800 (PST)
MIME-Version: 1.0
Received: by 10.112.227.102 with HTTP; Thu, 19 Feb 2015 10:00:47 -0800 (PST)
In-Reply-To: <CAH8yC8==Bkw_65UALEgz73djDyQFnw5m3bHY0Wav=ABvi9ORVA@mail.gmail.com>
References: <CAH8yC8=XEr9q8VHarucKa0rVqSPt3=oDzDRWXA3_u4rkhpZmoQ@mail.gmail.com> <CAH8yC8==Bkw_65UALEgz73djDyQFnw5m3bHY0Wav=ABvi9ORVA@mail.gmail.com>
From: Joseph Bonneau <jbonneau@gmail.com>
Date: Thu, 19 Feb 2015 10:00:47 -0800
Message-ID: <CAOe4UikDvdbcN-mekL25hdWEp22tUMYpsMFw-Wp3sW6O5TBrEg@mail.gmail.com>
To: noloader@gmail.com
Content-Type: multipart/alternative; boundary=089e013c6bc05d0bab050f74b876
Archived-At: <http://mailarchive.ietf.org/arch/msg/websec/OB3m7EHewUs_rkg7a-EfH6giO5g>
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Comments on draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Feb 2015 18:01:11 -0000

On Thu, Feb 19, 2015 at 9:43 AM, Jeffrey Walton <noloader@gmail.com>; wrote:

> Quod erat demonstratum:
>
> http://arstechnica.com/security/2015/02/lenovo-pcs-ship-with-man-in-the-middle-adware-that-breaks-https-connections/
>
> This proposal needs to be revisited. It has serious defects.


Ryan's previous post already covered the reasons for disabling pin
validation for user-defined trust anchors, which still hold even though
Superfish did their superfish thing.

If the spec did not allow this behavior, the next Superfish would probably
just configure local UAs to launch with pinning disabled completely. I
don't think their recklessness would somehow stop short of overriding the
browser's pinning policy.