IETF Logo Mail Archive

Re: [websec] Consensus call: Issue #57 (max-max-age)

Trevor Perrin <trevp@trevp.net> Mon, 03 June 2013 06:29 UTC

Return-Path: <trevp@trevp.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15F1121F88FB for <websec@ietfa.amsl.com>; Sun, 2 Jun 2013 23:29:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.48
X-Spam-Level:
X-Spam-Status: No, score=0.48 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_PBL=0.905, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B-nS0KMNWMvl for <websec@ietfa.amsl.com>; Sun, 2 Jun 2013 23:29:23 -0700 (PDT)
Received: from mail-wg0-x229.google.com (mail-wg0-x229.google.com [IPv6:2a00:1450:400c:c00::229]) by ietfa.amsl.com (Postfix) with ESMTP id A9D1821F89EB for <websec@ietf.org>; Sun, 2 Jun 2013 23:29:22 -0700 (PDT)
Received: by mail-wg0-f41.google.com with SMTP id k13so2338860wgh.0 for <websec@ietf.org>; Sun, 02 Jun 2013 23:29:21 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:date :message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=XxRqaBfibIovcNkOlKAr5SKKzHcsgHX3cy9PX4+A9qE=; b=AHoSv7cFUkrN9qivY380/qvhz/chooHy7rfafdcAzDwDnIHvMX5DtDR9Rq6IvyOqti UKTIUkjFy8ghY9WijMBmZeqMMt1Y0PeEYuPN1vgWOUZQbDJBzoMlvSDNjNCwWLxCUngC WWUAwmK2LI1OGXqN5vuPWLMgE9vmhHRPqogUMVTx3zcVjE4Nl6jb+34+n+fxOJp5ltOI a9dKIapXFQZRJ7JkkyeEexkfD80/JZ2XvYXVdV07FcgQBwYN68LE3kVsBSGp8wFof9en k0oNmYmNYBCmkHyEPHzibpKA9XD2A2Nf1gTECwf10pEYRRXc9otwntjyX+9+Za6fum0b jS8g==
MIME-Version: 1.0
X-Received: by 10.194.59.72 with SMTP id x8mr17400413wjq.49.1370240961460; Sun, 02 Jun 2013 23:29:21 -0700 (PDT)
Received: by 10.217.110.129 with HTTP; Sun, 2 Jun 2013 23:29:21 -0700 (PDT)
X-Originating-IP: [166.147.108.64]
In-Reply-To: <584386D2-223C-4B6F-89BA-78769113D293@checkpoint.com>
References: <43C5DE99-43EB-42FC-8F61-24F9A9429FD1@checkpoint.com> <CA+cU71=Q_QkHqiQ95AZgw8Bi7U_mgCi4icMypwFUp1C6i=apUA@mail.gmail.com> <518EE510.9060600@it.aoyama.ac.jp> <8450797E-818C-445C-ABD2-1B8F9AE1DBB9@checkpoint.com> <5194918A.7030300@gondrom.org> <CAGZ8ZG0SWZD9e-NP2RhQMQ-=F5JUCCytF2NYTdWH7u13hhBqqQ@mail.gmail.com> <519D3254.1040508@gondrom.org> <CAGZ8ZG15ZbjfDcu+bpetvfZxKG1ycW9t1AGuQ+A5cfpfkUAfnw@mail.gmail.com> <CAOuvq237_B1h6mBryP3UHh=auqtUhs93-_oKMSsHOjqSX977bQ@mail.gmail.com> <51A49A5C.5080002@gondrom.org> <CAOuvq20_zACXraV9iN6mUbDwML8GkSCwh9w2Cuow818YOLL-Sw@mail.gmail.com> <7AD36561-65B4-448C-A371-907B12B75AF1@checkpoint.com> <CAOuvq23a0BiO5pGDPLLvHY0bZ0JvVrFb7Aq-nGDoBQS_S8HFDw@mail.gmail.com> <584386D2-223C-4B6F-89BA-78769113D293@checkpoint.com>
Date: Sun, 02 Jun 2013 23:29:21 -0700
Message-ID: <CAGZ8ZG3ktYcJutAH19qW+=EP8oopq=XCTZ_td3Gyw2o2mMvzNA@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: Yoav Nir <ynir@checkpoint.com>
Content-Type: multipart/alternative; boundary="047d7ba97308c3cd1d04de3a1510"
X-Gm-Message-State: ALoCoQkyB4snm+BixRJnefEtKKqH5qGcqKbs17iZ8GbmAAOrdXjMMHqSVZTj7tHVOwn88CvEHN57
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Consensus call: Issue #57 (max-max-age)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Jun 2013 06:29:27 -0000

Hi Yoav, all,

We've talked a lot about the risks of long-lived pins.  We should also
think more about the benefits.

I'll argue that pin lifetimes past a certain point don't get you much.
 Browser-based "key continuity" will hopefully be supplemented by systems
that scan pin assertions regularly from different points on the Internet
(like Perspectives, Convergence, Vantages, etc.).  Such systems would
derive pins more reliably than individual browsers, and could use several
methods to distribute these pins.  Since scanning of sites can be done
frequently, and distribution would also be fast, long-lived pins aren't
needed for this.

The hard part of this isn't scanning, it's pin distribution.  Here's three
ways that could be done:

Links:  Pins could be embedded in hyperlinks served over HTTPS.  Since much
browsing consists of following links from the web's major "introducers"
(search engines, social networks, etc.), having these sites embed pins
would protect a lot of traffic.  See the recent "S-links" paper [1].

Lists:  Modern browsers download lists of security info on a regular basis,
including lists of malware and phishing sites [2], commonly-downloaded
files [3], and revoked certs [4].  You could imagine pin lists being
downloaded, so that every browser has a current list of pins for, say,
10,000 major sites.

Lookups:  Browsers are reluctant to do per-connection blocking lookups (see
OCSP, Convergence, and DNSSEC).  But there might be more efficient and
less-problematic ways to combine pin and DNS lookups (e.g. connections to
DNS resolvers via VPNs, or some simpler form of response authentication).
 Also, non-blocking pin lookups could be used after-the-fact to detect
attacks (if a MITM blocks the lookup for an extended period, the browser
would start complaining).


Anyways, 30-day pins seem adequate for any of these.  Assuming sites can be
rescanned weekly, pins received through links, lists, or lookups are likely
to have 20+ days of validity left in them, which is plenty of time for the
browser to follow a link, or use a list without its entries expiring.

This is a complicated issue, and I don't expect this email to resolve it.
 But I at least hope this lessens any perception that short-lived pins
would offer weak security.


Trevor

[1] http://research.google.com/pubs/archive/41138.pdf
[2] https://developers.google.com/safe-browsing/
[3]
http://windows.microsoft.com/en-us/windows7/smartscreen-filter-frequently-asked-questions-ie9
[4] http://www.imperialviolet.org/2012/02/05/crlsets.html



On Sat, Jun 1, 2013 at 11:41 PM, Yoav Nir <ynir@checkpoint.com> wrote:

> Hi
>
> Just trying to get us close to consensus. Still no hats. There are two
> arguments for limiting max-age:
>
> 1. With unlimited max-age, it's possible for the legitimate site owner to
> by mistake damage their sites. You could pin the CA certificate, and lock
> yourself in to that CA for all eternity. You could pin a current and future
> EE public keys, and then when the current public key expires, you might not
> use the future one because you mistyped it (or your CA no longer accepts
> 1024-bit keys). For whatever reason, a bad choice you make while trying out
> HPKP either bricks your site or constrains your behavior for a while.
>
> 2. With unlimited max-age, a current owner of a domain name can set a pin
> that a future owner cannot honor. So if Mr. diaper consultant[1] ever
> decides to retire, he could set a long-lived pin such that I would not be
> able to use the domain even if I buy it. A variation on this is the case
> where an attacker like ComodoHacker manages to MitM a popular site, and he
> sets a long-lived pin that prevents users from accessing the site not
> through the MitM. This means that browser support for HPKP could serve to
> amplify attacks that are plenty bad enough as they are.
>
> Regarding #1 I'm not convinced. HPKP (much like HSTS) is already a pretty
> big gun with which users can shoot themselves in the foot. A website that's
> important for its owner (whether it's social networking, political action,
> or business) cannot afford to be inaccessible for any length of time. A
> month is no less a disaster than a year. As for constraining your behavior,
> this merits deployment advice, not limiting the usefulness of the protocol
> for other sites.
>
> #2 is more worrying. I think the previous owner issue would be served even
> with a 1 year hard limit, and I don't think anyone here is arguing that a
> 1-year limit is too short. But the attack amplification is a real thing,
> and it works against sites that haven't even implemented HPKP. Sites that
> deploy HPKP are protected from a MitM such as ComodoHacker (or his
> "friends"). But having HPKP in the browser (but not in the website) allows
> his friends to lock out browsers by inserting a pin. So if browsers
> implement this, it amplifies attacks against the general population of
> SSL-protected web sites. I'm not sure whether in the grand scheme of things
> this makes the Internet better or worse.
>
> Note, though, that this issue exists even if max-age is limited. Bricking
> the site for a month (for some users in Iran) is a bad enough outcome, only
> slightly mitigated by it being only for a month.
>
> I started out writing this message thinking it was going to have a
> proposal that we could all reach consensus about. I'm not sure I got there.
> I guess if this was a vote, I would vote for a year-long max-max-age, but
> I'm not really as sure about this as I was when I started writing this
> message.
>
> Yoav
>
> [1] http://www.yoavnir.com
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec
>

v2.23.0 | Report a Bug | By Email