[websec] draft-ietf-websec-strict-transport-sec and WebFinger

"Paul E. Jones" <paulej@packetizer.com> Fri, 05 October 2012 07:31 UTC

Return-Path: <paulej@packetizer.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08CD521F8581 for <websec@ietfa.amsl.com>; Fri, 5 Oct 2012 00:31:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.108
X-Spam-Level:
X-Spam-Status: No, score=-1.108 tagged_above=-999 required=5 tests=[AWL=-1.058, BAYES_40=-0.185, HTML_MESSAGE=0.001, HTTP_ESCAPED_HOST=0.134]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R2c6xtL0a3lA for <websec@ietfa.amsl.com>; Fri, 5 Oct 2012 00:31:45 -0700 (PDT)
Received: from dublin.packetizer.com (dublin.packetizer.com [75.101.130.125]) by ietfa.amsl.com (Postfix) with ESMTP id A61CE21F858E for <websec@ietf.org>; Fri, 5 Oct 2012 00:31:33 -0700 (PDT)
Received: from sydney (rrcs-98-101-148-48.midsouth.biz.rr.com [98.101.148.48]) (authenticated bits=0) by dublin.packetizer.com (8.14.5/8.14.5) with ESMTP id q957VUn6019665 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Fri, 5 Oct 2012 03:31:30 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=packetizer.com; s=dublin; t=1349422291; bh=MofxKodspEhlmpfCKdoUMpazTWhEA1a+RdZocRf91zM=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version:Content-Type; b=o5nF9tdVqKHhS3Hb0p87fWEBuFJZ/Nrbij5tS4OclXKVE43w2ecKsbF4IS7utedR0 m4L/RF9QS0sq3yb40ze+FwN0wDnp9wg4MnZwSCwCa9ymstGyQTbyhlc5KAoJ07DGlA YVIxKx/Ob0nlwLzRygkXilasNEk8DM2sNLCNN5KM=
From: "Paul E. Jones" <paulej@packetizer.com>
To: <websec@ietf.org>
Date: Fri, 5 Oct 2012 03:31:36 -0400
Message-ID: <022401cda2cb$744a0040$5cde00c0$@packetizer.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0225_01CDA2A9.ED3971B0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Ac2ivpBQley7TlYzQaiiDL43WnX8WA==
Content-Language: en-us
Cc: 'Gonzalo Salgueiro' <gsalguei@cisco.com>
Subject: [websec] draft-ietf-websec-strict-transport-sec and WebFinger
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Oct 2012 07:31:48 -0000

Websec Group,

 

I was reviewing the Strict Transport Security draft and I like the idea.
However, one security hole that exists is one that I believe we should work
to tighten.  Specifically, it is the use of a 301 as specified in Section
7.2.  If a UA requests initially visits a site like www.paypal.com, it would
not know if the host is an HSTS host or not.  Use of 301 is not secure and
the user agent could be maliciously redirected to someplace other than a
site owned by PayPal, for example.

 

A possible alternative means of determining whether a given host is an HSTS
host could be via WebFinger or the current RFC 6415.  In parallel to issuing
a query to http://www.paypal.com, the user agent could issue a query to
https://www.paypal.com/.well-known/host-meta.json.  Prior to acting on a
response to the HTTP request, the user agent could act on the response to
the WebFinger query.

 

A WebFinger query might be:

 

GET /.well-known/host-meta.json HTTP/1.1

Host: www.paypal.com

 

The WebFinger response might contain something like this:

 

{

  "properties" : {

    " strict-transport-security":"yes"

  }

}

 

This response returns a single response indicating the strict transport
security policy. Note that since this query was issued against an HTTS
server, the above might be redundant since the Strict-Transport-Security
header would have been included.  Even so, this might provide a standard
means of checking the policy.

 

Alternatively, one could issue a query for the specific URL requested.  Let
say the original request is for http://www.example.com/user/foo.  Using
WebFinger, one could issue:

 

GET /.well-known/host-meta.json?resource= http
%3a%2f%2fwww.example.com%2fuser%2ffoo HTTP/1.1

 

This more targeted request could report on the requirement to use HTTPS via
a similar means, but we could also use this to facilitate a redirection.
I'm not so favorable to using WebFinger as a means of redirecting a client,
but if the HTTP path and HTTPS path are different, perhaps this might
provide that secure replacement for 301 on HTTP.  Thus, the reply might look
something like this:

 

{

  "subject" : "http://www.example.com/user/foo",

  "properties" : {

    " strict-transport-security":"yes"

  },

  "aliases" :

  [

    "https://secure.example.com/user/foo"

  ]

}

 

This would indicate (again redundantly) what that strict transport security
is to be used, but would also provide an alias address that could be
queried.  This could effectively serve where the 301 is proposed in the
current draft.

 

As yet another possible alternative to provide an alternate means of 301
redirection, we might have this reply:

 

{

  "subject" : "http://www.example.com/user/foo",

  "links" :

  [

    {

      "rel" : "strict-transport-security",

      "href" : "https://secure.example.com/user/foo"

    }

  ]

}

 

What the above reply does is remove the "strict transport security"
property, thus removing the redundancy in the previous examples.  In its
place, we have a single link relation called "strict-transport-security"
that contains the URL to substitute for the "subject" URL.

 

I know it's a bit late to bring this up, but I thought it is worth asking.
I apologize if the 301 issue has been beaten like a dead horse, but it
seemed like an open security hole as I read the draft.  If I'm misreading
the draft there, by all means tell me, but I do think it would be good if we
close that hole somehow if it does exist.

 

Paul