Re: [websec] Consensus call: Issue #57 (max-max-age)

Yoav Nir <ynir@checkpoint.com> Sun, 02 June 2013 06:42 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: IETF WebSec WG <websec@ietf.org>
Date: Sun, 02 Jun 2013 06:41:57 +0000
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>

Hi

Just trying to get us close to consensus. Still no hats. There are two arguments for limiting max-age:

1. With unlimited max-age, it's possible for the legitimate site owner to damage their sites by mistake. You could pin the CA certificate, and lock yourself into that CA for all eternity. You could pin current and future EE public keys, and then when the current public key expires, you might not use the future one because you mistyped it (or your CA no longer accepts 1024-bit keys). For whatever reason, a bad choice you make while trying out HPKP either bricks your site or constrains your behavior for a while.

2. With unlimited max-age, a current owner of a domain name can set a pin that a future owner cannot honor. So if Mr. diaper consultant[1] ever decides to retire, he could set a long-lived pin such that I would not be able to use the domain even if I buy it. A variation on this is the case where an attacker like ComodoHacker manages to MitM a popular site, and he sets a long-lived pin that prevents users from accessing the site except through the MitM. This means that browser support for HPKP could serve to amplify attacks that are plenty bad enough as they are.

Regarding #1, I'm not convinced. HPKP (much like HSTS) is already a pretty big gun with which users can shoot themselves in the foot. A website that's important for its owner (whether it's social networking, political action, or business) cannot afford to be inaccessible for any length of time. A month is no less a disaster than a year. As for constraining your behavior, this merits deployment advice, not limiting the usefulness of the protocol for other sites.

#2 is more worrying. I think the previous owner issue would be served even with a 1 year hard limit, and I don't think anyone here is arguing that a 1-year limit is too short. But the attack amplification is a real thing, and it works against sites that haven't even implemented HPKP. Sites that deploy HPKP are protected from a MitM such as ComodoHacker (or his "friends"). But having HPKP in the browser (but not in the website) allows his friends to lock out browsers by inserting a pin. So if browsers implement this, it amplifies attacks against the general population of SSL-protected web sites. I'm not sure whether in the grand scheme of things this makes the Internet better or worse.

Note, though, that this issue exists even if max-age is limited. Bricking the site for a month (for some users in Iran) is a bad enough outcome, only slightly mitigated by it being only for a month.

I started out writing this message thinking it was going to have a proposal that we could all reach consensus about. I'm not sure I got there. I guess if this were a vote, I would vote for a year-long max-max-age, but I'm not really as sure about this as I was when I started writing this message.

Yoav

[1] http://www.yoavnir.com
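As an added example (not part of Yoav's message or of the key-pinning draft), a Python sketch of the client-side clamp the thread is debating: a hypothetical browser parses a Public-Key-Pins header, applies a one-year max-max-age, and records whether the site asked for more than it will honour. The directive names (pin-sha256, max-age, includeSubDomains) follow the draft; the one-year cap, the two-pin minimum and the pin values used below are this example's own assumptions.

```python
# Hypothetical client-side handling of Public-Key-Pins with a max-max-age cap.
MAX_MAX_AGE = 365 * 24 * 60 * 60   # one year in seconds (this example's policy choice)
MIN_PINS = 2                        # this example insists on a backup pin as well


def parse_pkp_header(value):
    """Split a Public-Key-Pins header value into (pins, max_age, include_subdomains).

    max_age is None when the directive is missing or not a non-negative integer.
    Quoted values are unquoted; partition() on the first '=' keeps base64 padding.
    """
    pins, max_age, include_subdomains = [], None, False
    for part in value.split(";"):
        name, _, raw = part.strip().partition("=")
        name, val = name.strip().lower(), raw.strip().strip('"')
        if name == "pin-sha256" and val:
            pins.append(val)
        elif name == "max-age" and val.isdigit():
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    return pins, max_age, include_subdomains


def accept_pins(header_value, now, cap=MAX_MAX_AGE):
    """Return the pin record a client would store, or None when the header is unusable.

    The requested lifetime is clamped to `cap`, so the worst case for a hostile or
    mistaken pin is `cap` seconds of lock-out rather than forever. `clamped`
    records that the site asked for a longer lifetime than the client honours.
    """
    pins, max_age, include_subdomains = parse_pkp_header(header_value)
    if max_age is None or len(pins) < MIN_PINS:
        return None
    lifetime = min(max_age, cap)
    return {
        "pins": sorted(set(pins)),
        "expires_at": now + lifetime,
        "include_subdomains": include_subdomains,
        "clamped": max_age > cap,
    }


def pins_in_force(record, now):
    """True while a stored record still constrains connections (max-age=0 clears it)."""
    return record is not None and record["expires_at"] > now
```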