IETF Logo Mail Archive

Re: [websec] Certificate Pinning via HSTS

Tom Ritter <tom@ritter.vg> Tue, 13 September 2011 12:08 UTC

Return-Path: <tom@ritter.vg>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66DA621F8A4B for <websec@ietfa.amsl.com>; Tue, 13 Sep 2011 05:08:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.976
X-Spam-Level:
X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iiAl6FdbSNu1 for <websec@ietfa.amsl.com>; Tue, 13 Sep 2011 05:08:54 -0700 (PDT)
Received: from mail-gw0-f54.google.com (mail-gw0-f54.google.com [74.125.83.54]) by ietfa.amsl.com (Postfix) with ESMTP id 033AB21F8A4E for <websec@ietf.org>; Tue, 13 Sep 2011 05:08:53 -0700 (PDT)
Received: by gwj18 with SMTP id 18so555225gwj.27 for <websec@ietf.org>; Tue, 13 Sep 2011 05:10:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type; bh=wYvpUhBYW7vKDcOe5uqtkAakc8fphTLK00gOJx/k5X8=; b=TcBTpIvp+Nk5K62TivVLOsP72raWBgixpkyy34E5oGmfAQwCz1dfzm7LZE5jw7TeW+ 7t/3PRMZiLoV5fDWxjliPMl3LTd9uIDpsp25S7AwTvs7ytshdbWv1ogciuTRF3VMA031 gR4a/AVnM6V0SON/inkiD8reelvzyAYN5g00I=
Received: by 10.68.59.170 with SMTP id a10mr1399707pbr.345.1315915859143; Tue, 13 Sep 2011 05:10:59 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.142.48.13 with HTTP; Tue, 13 Sep 2011 05:10:39 -0700 (PDT)
In-Reply-To: <CAOuvq22p2qNnXRsK=PS=mxknnq4MrCWt0Np-N8su-iHXaWHqpg@mail.gmail.com>
References: <CAOuvq22p2qNnXRsK=PS=mxknnq4MrCWt0Np-N8su-iHXaWHqpg@mail.gmail.com>
From: Tom Ritter <tom@ritter.vg>
Date: Tue, 13 Sep 2011 08:10:39 -0400
Message-ID: <CA+cU71=7tM9tS6bAddiLDtOBTX_DH3cebEd5dM=1DSMKXUMdjw@mail.gmail.com>
To: Chris Palmer <palmer@google.com>, websec@ietf.org, Chris Evans <cevans@google.com>
Content-Type: multipart/alternative; boundary="bcaec531474b56ac8404acd18970"
Subject: Re: [websec] Certificate Pinning via HSTS
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Sep 2011 12:08:58 -0000

I echo Marsh's question.  Does a x509 Key Fingerprint include
basicConstraints?  I couldn't imagine a scenario where an attacker could get
his own cert signed by a leaf cert of a website - but I also couldn't
imagine New York getting hit by an earthquake ;)

Other observations:

I find the Revocation section very confusingly written.

> "In the event of a mismatch, clients must check whatever revocation
mechanism is available and attempt to discover whether the certificate with
the mismatching fingerprint has been revoked."

What is the definition of mismatch?  I interpreted it as no cert in the
chain contains a fingerprint which matches one of the fingerprints in the
pin list (supplied via prior pinned directive, or preloaded list).
Therefore all certificates in the chain supplied by the site are
mismatching.  But seeing if they are revoked is useless, I want to check the
pinned list to see if any in the pin list is revoked, so I can reevaluate
the pinned list and possibly downgrade the site to 'Known HSTS Host'.  But
the pin list only contains fingerprints - how do I check if a cert is
revoked by fingerprint?


The "Interactions With Built-in HSTS Lists" section is does not cover UA
updates.  Should a UA update with new pin information overwrite pin
information previously validly supplied by a site?


Finally, I'm of the opinion that all SSL Certificate information should be
exposed as javascript properties by browser.  That's a bit out of scope, so
I'll dial it back and say while we're working on HSTS, HSTS information
should be exposed as a read-only javascript property.  It doesn't need to be
structured, the entire contents of the header is sufficient, similar to
document.cookie.  This would allow at least two more (optional) defensive
practices:

1) Plugin/Extension/Greasemonkey authors could produce something like
HTTPSEverywhere or NoScript that could preload pins in a method similar to
preloaded pins in a UA.  If a site sent a pin list that didn't match the
preloaded pin list, the extension could show a warning, error, or some
alert.  Although similar to preloaded pins, this would not require a UA to
do work, nor would it require a UA to supply a user interface to bulk-load
pins.

2) Site authors could include checks in javascript to check their pinned
list.  While this *is* an arms race, and any javascript that is already
being middled by an attacker *could* be rewritten - in practice, javascript
can be sufficently obfuscated to raise the barrier to exploitation (see
gmail's javascript for example).

-tom

v2.23.0 | Report a Bug | By Email