Re: [websec] handling STS header field extendability

Chris Palmer <palmer@google.com> Mon, 13 August 2012 21:22 UTC

In-Reply-To: <CANVv-VfcVBhd7AUqsZ83dKJiDL3V=_Fd2Wmm=o7WXMiEgCAusg@mail.gmail.com>
References: <5024352D.4040604@KingsMountain.com> <CAOuvq23dxoKyV2No55WEYePhVj+Fcab5cF65C1FsiqgtmEkXMA@mail.gmail.com> <CA+cU71kx4Ck2aMeSHhnpb--aZ+mRmszQdojepM4aapVn2TsR=Q@mail.gmail.com> <370C9BEB4DD6154FA963E2F79ADC6F2E1C251C@DEN-EXDDA-S12.corp.ebay.com> <CANVv-VfcVBhd7AUqsZ83dKJiDL3V=_Fd2Wmm=o7WXMiEgCAusg@mail.gmail.com>
Date: Mon, 13 Aug 2012 14:22:30 -0700
Message-ID: <CAOuvq20sW5zsR5bSTpNFenmttE2Oj9YCYJHmaKRxUxmpf9w-WQ@mail.gmail.com>
From: Chris Palmer <palmer@google.com>
To: Collin Jackson <collin.jackson@sv.cmu.edu>
Cc: Ben Campbell <ben@nostrum.com>, IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] handling STS header field extendability

On Mon, Aug 13, 2012 at 12:21 PM, Collin Jackson
<collin.jackson@sv.cmu.edu> wrote:

> Quite the opposite, you just made the argument in favor of LockEV. If
> LockEV is being used, the MITM attack with a DV certificate would no
> longer be possible, because the DV certificate would not be accepted
> by the browser.

Not to intentionally pick on PayPal — sorry, Brad :) — but the attack
works because of explicit cross-origin script inclusion. The first
demo of this attack I saw was by Sotirov and Zusman at CanSecWest some
years ago. In the attack demo, EV paypal.com includes (included)
script from non-EV paypalobjects.com. If you distinguish EV paypal.com
and non-EV paypal.com as distinct origins, it doesn't help anything if
either origin explicitly includes script from any other origin (of any
security level).

Now, maybe you mean that we would treat EV and non-EV HTTPS mixed
scripting content as a new kind of mixed scripting problem, and then
have a rule of blocking mixed EV/non-EV scripting by default. We
recently changed Chrome to block mixed HTTP/HTTPS scripting by
default, and that was "exciting" enough. Maybe someday we can block or
warn about mixed EV/non-EV content, but not in the next release,
probably...
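The point made above, that separating EV and non-EV origins does nothing once one explicitly includes script from the other, as an added example that is not part of the original message or of any browser's code: a small audit that collects a page's script includes, rates each script origin against a per-origin trust map, and reports how far the weakest include drags the document down, with a switch that models the "block mixed EV/non-EV scripting" default the message speculates about. The trust levels, the hostnames (`.test` TLD) and the HTML are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Trust levels, higher is stronger. Constructed mapping, not real certificate data.
LEVELS = {"http": 0, "dv": 1, "ev": 2}

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.srcs.extend(v for k, v in attrs if k.lower() == "src" and v)

def origin_of(url, base_origin):
    """scheme://host[:port] of url; relative URLs belong to base_origin."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else base_origin

def audit_scripts(html, doc_origin, origin_levels, block_mixed=False):
    """Return (effective_level, offending_origins): the weakest level among the
    document and its script origins, and the script origins weaker than the
    document. With block_mixed=True the weaker origins are still reported but
    treated as blocked, so the document keeps its own level."""
    doc_level = origin_levels[doc_origin]
    parser = ScriptSrcCollector()
    parser.feed(html)
    offending, effective = [], doc_level
    for src in parser.srcs:
        origin = origin_of(src, doc_origin)
        level = origin_levels.get(origin, LEVELS["http"])  # unknown origin: weakest
        if level < doc_level:
            offending.append(origin)
            if not block_mixed:  # included script runs with the page's authority
                effective = min(effective, level)
    return effective, offending

# Constructed sample: an EV page that includes script from a DV-only host.
SAMPLE_ORIGIN = "https://www.example-bank.test"
SAMPLE_LEVELS = {SAMPLE_ORIGIN: LEVELS["ev"],
                 "https://static.example-objects.test": LEVELS["dv"]}
SAMPLE_HTML = ('<html><head><script src="/js/app.js"></script>'
               '<script src="https://static.example-objects.test/widget.js"></script>'
               '</head><body></body></html>')

if __name__ == "__main__":
    print(audit_scripts(SAMPLE_HTML, SAMPLE_ORIGIN, SAMPLE_LEVELS))
    print(audit_scripts(SAMPLE_HTML, SAMPLE_ORIGIN, SAMPLE_LEVELS, block_mixed=True))
```

Without blocking, the EV document's effective level falls to that of the DV host it includes script from; with blocking, the include is refused and the document keeps its EV level, which is the only way the origin distinction buys anything.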