IETF Logo Mail Archive

Re: [websec] Consensus call: Issue #57 (max-max-age)

Tobias Gondrom <tobias.gondrom@gondrom.org> Tue, 04 June 2013 12:48 UTC

Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FD4C21F9058 for <websec@ietfa.amsl.com>; Tue, 4 Jun 2013 05:48:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.361
X-Spam-Level:
X-Spam-Status: No, score=-95.361 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bv7ZqNY-KT-F for <websec@ietfa.amsl.com>; Tue, 4 Jun 2013 05:47:55 -0700 (PDT)
Received: from lvps176-28-13-69.dedicated.hosteurope.de (lvps176-28-13-69.dedicated.hosteurope.de [176.28.13.69]) by ietfa.amsl.com (Postfix) with ESMTP id B934821F9B3D for <websec@ietf.org>; Tue, 4 Jun 2013 04:21:30 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=pMW11BKJsW1imlDMKsQzGxYL6/T4jK5TfkaWuKfOvAKNRihWfDBk/fv2ApTY6xORzeAb6xh6bbNbbDHj7DucTi/Es0b/CnpI/D9MWrQ2ABSZ5CVFBoSXmBAf17YExkJ4; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:X-Enigmail-Version:Content-Type;
Received: (qmail 10155 invoked from network); 4 Jun 2013 13:21:26 +0200
Received: from 188-222-173-238.zone13.bethere.co.uk (HELO ?192.168.1.94?) (188.222.173.238) by lvps176-28-13-69.dedicated.hosteurope.de with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 4 Jun 2013 13:21:26 +0200
Message-ID: <51ADCDB5.3010505@gondrom.org>
Date: Tue, 04 Jun 2013 12:21:25 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130510 Thunderbird/17.0.6
MIME-Version: 1.0
To: ynir@checkpoint.com
References: <43C5DE99-43EB-42FC-8F61-24F9A9429FD1@checkpoint.com> <CA+cU71=Q_QkHqiQ95AZgw8Bi7U_mgCi4icMypwFUp1C6i=apUA@mail.gmail.com> <518EE510.9060600@it.aoyama.ac.jp> <8450797E-818C-445C-ABD2-1B8F9AE1DBB9@checkpoint.com> <5194918A.7030300@gondrom.org> <CAGZ8ZG0SWZD9e-NP2RhQMQ-=F5JUCCytF2NYTdWH7u13hhBqqQ@mail.gmail.com> <519D3254.1040508@gondrom.org> <CAGZ8ZG15ZbjfDcu+bpetvfZxKG1ycW9t1AGuQ+A5cfpfkUAfnw@mail.gmail.com> <CAOuvq237_B1h6mBryP3UHh=auqtUhs93-_oKMSsHOjqSX977bQ@mail.gmail.com> <51A49A5C.5080002@gondrom.org> <CAOuvq20_zACXraV9iN6mUbDwML8GkSCwh9w2Cuow818YOLL-Sw@mail.gmail.com> <7AD36561-65B4-448C-A371-907B12B75AF1@checkpoint.com> <CAOuvq23a0BiO5pGDPLLvHY0bZ0JvVrFb7Aq-nGDoBQS_S8HFDw@mail.gmail.com> <584386D2-223C-4B6F-89BA-78769113D293@checkpoint.com> <CAGZ8ZG3ktYcJutAH19qW+=EP8oopq=XCTZ_td3Gyw2o2mMvzNA@mail.gmail.com> <51ADBBA3.3000105@gondrom.org> <77BFAD41-36DD-46C7-A277-D1416F7EE958@checkpoint.com>
In-Reply-To: <77BFAD41-36DD-46C7-A277-D1416F7EE958@checkpoint.com>
X-Enigmail-Version: 1.5.1
Content-Type: multipart/alternative; boundary="------------000002060802050508070301"
Cc: websec@ietf.org
Subject: Re: [websec] Consensus call: Issue #57 (max-max-age)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jun 2013 12:48:19 -0000

Well. I am not strongly voting for it.

The point is, to have a hard limit of 30 days under the assumption of
the existence of such infrastructure would be worse, because then we
would need to rely on such infrastructure in all normal operation cases.
While with my approach we would need the infrastructure only in the
exception (of a malicious attacker abusing key pinning to block a
domain), which may or may not happen at all.

Best, Tobias


On 04/06/13 12:07, Yoav Nir wrote:
> But doesn't this introduce a lot of infrastructure?
>
> If we want to find out a hash of the public key for an HTTPS server
> using heavy infrastructure, we might as well use DANE, no?
>
> Yoav
>
> On Jun 4, 2013, at 1:04 PM, Tobias Gondrom <tobias.gondrom@gondrom.org
> <mailto:tobias.gondrom@gondrom.org>> wrote:
>
>> Hi Trevor, hi all,
>>
>> (again no hats)
>>
>> actually regarding browser lookups of pin lists:
>> I rather have the pins work unlimited and all the time even without
>> pin lists.
>>
>> But your idea might in fact be a solution to enable the unlimited pin
>> times.
>> Instead of constantly distributing the list of pins, we could
>> actually have browsers use whitelists of pins that have been
>> "revoked" and where the browser is allowed to refresh. That could
>> e.g. happen with a browser update.
>> That way we can have a unlimited time pin (and pre-caching of pins)
>> and solve the scenario of malicious domain blocking by previous
>> owners. And hopefully that scenario will hardly happen at all
>> (especially if there is a provision for solving it and the attempt is
>> futile, the motivation for an attacker trying it might be close to zero).
>>
>> Best regards, Tobias
>>
>>
>>
>>
>> On 03/06/13 07:29, Trevor Perrin wrote:
>>>
>>> Hi Yoav, all,
>>>
>>> We've talked a lot about the risks of long-lived pins.  We should
>>> also think more about the benefits.  
>>>
>>> I'll argue that pin lifetimes past a certain point don't get you
>>> much.  Browser-based "key continuity" will hopefully be supplemented
>>> by systems that scan pin assertions regularly from different points
>>> on the Internet (like Perspectives, Convergence, Vantages, etc.).
>>>  Such systems would derive pins more reliably than individual
>>> browsers, and could use several methods to distribute these pins.
>>>  Since scanning of sites can be done frequently, and distribution
>>> would also be fast, long-lived pins aren't needed for this.
>>>
>>> The hard part of this isn't scanning, it's pin distribution.  Here's
>>> three ways that could be done:
>>>
>>> Links:  Pins could be embedded in hyperlinks served over HTTPS.
>>>  Since much browsing consists of following links from the web's
>>> major "introducers" (search engines, social networks, etc.), having
>>> these sites embed pins would protect a lot of traffic.  See the
>>> recent "S-links" paper [1].
>>>
>>> Lists:  Modern browsers download lists of security info on a regular
>>> basis, including lists of malware and phishing sites [2],
>>> commonly-downloaded files [3], and revoked certs [4].  You could
>>> imagine pin lists being downloaded, so that every browser has a
>>> current list of pins for, say, 10,000 major sites.
>>>
>>> Lookups:  Browsers are reluctant to do per-connection blocking
>>> lookups (see OCSP, Convergence, and DNSSEC).  But there might be
>>> more efficient and less-problematic ways to combine pin and DNS
>>> lookups (e.g. connections to DNS resolvers via VPNs, or some simpler
>>> form of response authentication).  Also, non-blocking pin lookups
>>> could be used after-the-fact to detect attacks (if a MITM blocks the
>>> lookup for an extended period, the browser would start complaining).
>>>
>>>
>>> Anyways, 30-day pins seem adequate for any of these.  Assuming sites
>>> can be rescanned weekly, pins received through links, lists, or
>>> lookups are likely to have 20+ days of validity left in them, which
>>> is plenty of time for the browser to follow a link, or use a list
>>> without its entries expiring.
>>>
>>> This is a complicated issue, and I don't expect this email to
>>> resolve it.  But I at least hope this lessens any perception that
>>> short-lived pins would offer weak security.
>>>
>>>
>>> Trevor
>>>
>>> [1] http://research.google.com/pubs/archive/41138.pdf
>>> <http://research.google.com/pubs/archive/41138.pdf>
>>> [2] https://developers.google.com/safe-browsing/
>>> <https://developers.google.com/safe-browsing/>
>>> [3]
>>> http://windows.microsoft.com/en-us/windows7/smartscreen-filter-frequently-asked-questions-ie9
>>> [4] http://www.imperialviolet.org/2012/02/05/crlsets.html
>>>
>>>
>>>
>>> On Sat, Jun 1, 2013 at 11:41 PM, Yoav Nir <ynir@checkpoint.com
>>> <mailto:ynir@checkpoint.com>> wrote:
>>>
>>>     Hi
>>>
>>>     Just trying to get us close to consensus. Still no hats. There
>>>     are two arguments for limiting max-age:
>>>
>>>     1. With unlimited max-age, it's possible for the legitimate site
>>>     owner to by mistake damage their sites. You could pin the CA
>>>     certificate, and lock yourself in to that CA for all eternity.
>>>     You could pin a current and future EE public keys, and then when
>>>     the current public key expires, you might not use the future one
>>>     because you mistyped it (or your CA no longer accepts 1024-bit
>>>     keys). For whatever reason, a bad choice you make while trying
>>>     out HPKP either bricks your site or constrains your behavior for
>>>     a while.
>>>
>>>     2. With unlimited max-age, a current owner of a domain name can
>>>     set a pin that a future owner cannot honor. So if Mr. diaper
>>>     consultant[1] ever decides to retire, he could set a long-lived
>>>     pin such that I would not be able to use the domain even if I
>>>     buy it. A variation on this is the case where an attacker like
>>>     ComodoHacker manages to MitM a popular site, and he sets a
>>>     long-lived pin that prevents users from accessing the site not
>>>     through the MitM. This means that browser support for HPKP could
>>>     serve to amplify attacks that are plenty bad enough as they are.
>>>
>>>     Regarding #1 I'm not convinced. HPKP (much like HSTS) is already
>>>     a pretty big gun with which users can shoot themselves in the
>>>     foot. A website that's important for its owner (whether it's
>>>     social networking, political action, or business) cannot afford
>>>     to be inaccessible for any length of time. A month is no less a
>>>     disaster than a year. As for constraining your behavior, this
>>>     merits deployment advice, not limiting the usefulness of the
>>>     protocol for other sites.
>>>
>>>     #2 is more worrying. I think the previous owner issue would be
>>>     served even with a 1 year hard limit, and I don't think anyone
>>>     here is arguing that a 1-year limit is too short. But the attack
>>>     amplification is a real thing, and it works against sites that
>>>     haven't even implemented HPKP. Sites that deploy HPKP are
>>>     protected from a MitM such as ComodoHacker (or his "friends").
>>>     But having HPKP in the browser (but not in the website) allows
>>>     his friends to lock out browsers by inserting a pin. So if
>>>     browsers implement this, it amplifies attacks against the
>>>     general population of SSL-protected web sites. I'm not sure
>>>     whether in the grand scheme of things this makes the Internet
>>>     better or worse.
>>>
>>>     Note, though, that this issue exists even if max-age is limited.
>>>     Bricking the site for a month (for some users in Iran) is a bad
>>>     enough outcome, only slightly mitigated by it being only for a
>>>     month.
>>>
>>>     I started out writing this message thinking it was going to have
>>>     a proposal that we could all reach consensus about. I'm not sure
>>>     I got there. I guess if this was a vote, I would vote for a
>>>     year-long max-max-age, but I'm not really as sure about this as
>>>     I was when I started writing this message.
>>>
>>>     Yoav
>>>
>>>     [1] http://www.yoavnir.com <http://www.yoavnir.com/>
>>>     _______________________________________________
>>>     websec mailing list
>>>     websec@ietf.org <mailto:websec@ietf.org>
>>>     https://www.ietf.org/mailman/listinfo/websec
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> websec mailing list
>>> websec@ietf.org
>>> https://www.ietf.org/mailman/listinfo/websec
>>
>>
>>
>> Email secured by Check Point
>>
>

v2.23.0 | Report a Bug | By Email