Re: [websec] wrt "breaking pins" aka "un-pinning" (breakv, breakc directives; draft-evans-palmer-hsts-pinning-00)
=JeffH <Jeff.Hodges@KingsMountain.com> Mon, 17 October 2011 22:09 UTC
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3722811E8082 for <websec@ietfa.amsl.com>; Mon, 17 Oct 2011 15:09:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.947
X-Spam-Level:
X-Spam-Status: No, score=-99.947 tagged_above=-999 required=5 tests=[AWL=0.548, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lYenhLym+3qI for <websec@ietfa.amsl.com>; Mon, 17 Oct 2011 15:09:19 -0700 (PDT)
Received: from oproxy5-pub.bluehost.com (oproxy5.bluehost.com [IPv6:2605:dc00:100:2::a5]) by ietfa.amsl.com (Postfix) with SMTP id 9259B11E8073 for <websec@ietf.org>; Mon, 17 Oct 2011 15:09:19 -0700 (PDT)
Received: (qmail 23047 invoked by uid 0); 17 Oct 2011 22:09:17 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by cpoproxy2.bluehost.com with SMTP; 17 Oct 2011 22:09:17 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default; h=Content-Transfer-Encoding:Content-Type:Subject:CC:To:MIME-Version:From:Date:Message-ID; bh=fP6k0SLfv5EejQ5j3ZnWs69fqDuDtpv6qkNKaORZL6w=; b=5YjYmm78uCPFYphIFpCqWU5NkUbPS6OSVruwg262jW/E5YWQk8Q1G9Za8JP+koR76JsVSdMPDbVNC3d1B6EfoNdB7uhZuaQ0XIu0i1SxFRqcIkFrKK/PTHmQml/a1eX2;
Received: from outbound4.ebay.com ([216.113.168.128] helo=[10.244.137.201]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1RFvMy-0005AD-Qg; Mon, 17 Oct 2011 16:09:16 -0600
Message-ID: <4E9CA78C.5050805@KingsMountain.com>
Date: Mon, 17 Oct 2011 15:09:16 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20110921 Thunderbird/3.1.15
MIME-Version: 1.0
To: Trevor Perrin <trevp@trevp.net>, Chris Palmer <palmer@google.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] wrt "breaking pins" aka "un-pinning" (breakv, breakc directives; draft-evans-palmer-hsts-pinning-00)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Oct 2011 22:09:20 -0000
Hi Trevor & ChrisP, Trevor Perrin <trevp@trevp.net> noted: > > In defense of pin-break codes! - > > On Fri, Oct 14, 2011 at 3:05 PM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote: >> So if a purported Known Pinned Host presents a cert chain in the TLS >> handshake lacking any keys on the UA's pinned key list, then it could be a >> bogus host (eg attacker), and if the UA does a HTTP GET and sends cookies >> (as well as receives a response and examines headers (e.g. the UA could be >> redirected further afield)) in any case, then this is a (non-trivial) >> vulnerability. > > A better alternative might be to deliver pin-break codes as part of > the TLS handshake (e.g. a TLS Extension). Then: > * Pin-break codes would work regardless of how the pin-break > verifiers are set, so pin-break codes could be used with pins set via > HSTS header, browser hardcodes, Convergence, DNS, etc. > * Pin-break codes would work with non-HTTP protocols like SMTP or POP. > * Pin-break codes would be retrieved without an HTTP Request, > removing the risk noted above. > > What do you think? In general, I think we should think about conveying pinning/unpinning in the TLS channel in some fashion (which I'd noted at the very end of my original msg). And yes, the added benefit of working for other protocols layered on top of TLS, rather than just working for HTTP, would seem to be a win (for the longer term). Tho, getting TLS extensions actually implemented and deployed seems to take a few forevers. I wonder about hacking it (conveyance of pinning/unpinning info), for the nearer-term, into a cert extension. Then just modifying client apps (e.g. browsers) is what's necessary. > Pin-break codes might be preferred by site operators nervous about > boxing themselves in with pinning, since pin-break codes let the site > change its cert chain arbitrarily without being limited by backup pins > or waiting for expiration. Agreed, can see/understand that use case. Chris Palmer <palmer@google.com> followed up.. > > Note that the TLS layer could still abort the connection if the > connection doesn't pass the pinning test (i.e. if the connection was > made with a server certificate that does not contain any previously > pinned public keys). agreed. > Thus, in order to successfully use a breakc, you would still have to > serve it with a cert containing a public key you had pinned. > (Including, perhaps, your backup pin.) yes, which has me wondering, as I hope I articulated somewhat clearly, about the overall utility of the pin-break-verifier-and-code mechanism, except in the particular case where a application server operator wishes to deploy only one key/cert and pin to that, cross their fingers, and then fall back on this pin breaking mechanism if needed. >> In examining the various such situations (aka "disasters") outlined in Sec >> 3, it appears that essentially all of them are mitigated if the host >> operators allocated a backup server key/cert as advised, and have properly >> issued a pin to it, along with their pin to their present operational >> key/cert. In this situation, it appears that having the >> pin-break-verifier-and-code mechanism isn't strictly necessary. > > Chris E. and I now agree with this, and are probably going to remove > breakc and breakv from the draft specification. Even if they stay, > they probably won't appear in the first rev of the Chrome > implementation. The thinking is now, "Get the simplest thing > implemented, see how people like it, and implement breakc/v if there > is demand." sounds fine to me. > This would probably/almost certainly imply that pins expire when the > server stops mentioning them in the pins directive (or when max-age > expires, whichever is soonest). Agreed. =JeffH
- [websec] wrt "breaking pins" aka "un-pinning" (br… =JeffH
- Re: [websec] wrt "breaking pins" aka "un-pinning"… Trevor Perrin
- Re: [websec] wrt "breaking pins" aka "un-pinning"… Chris Palmer
- Re: [websec] wrt "breaking pins" aka "un-pinning"… =JeffH
- Re: [websec] wrt "breaking pins" aka "un-pinning"… Chris Palmer
- Re: [websec] wrt "breaking pins" aka "un-pinning"… Marsh Ray
- Re: [websec] wrt "breaking pins" aka "un-pinning"… Phillip Hallam-Baker