[websec] draft-ietf-websec-strict-transport-sec and WebFinger
"Paul E. Jones" <paulej@packetizer.com> Fri, 05 October 2012 07:31 UTC
Return-Path: <paulej@packetizer.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08CD521F8581 for <websec@ietfa.amsl.com>; Fri, 5 Oct 2012 00:31:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.108
X-Spam-Level:
X-Spam-Status: No, score=-1.108 tagged_above=-999 required=5 tests=[AWL=-1.058, BAYES_40=-0.185, HTML_MESSAGE=0.001, HTTP_ESCAPED_HOST=0.134]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R2c6xtL0a3lA for <websec@ietfa.amsl.com>; Fri, 5 Oct 2012 00:31:45 -0700 (PDT)
Received: from dublin.packetizer.com (dublin.packetizer.com [75.101.130.125]) by ietfa.amsl.com (Postfix) with ESMTP id A61CE21F858E for <websec@ietf.org>; Fri, 5 Oct 2012 00:31:33 -0700 (PDT)
Received: from sydney (rrcs-98-101-148-48.midsouth.biz.rr.com [98.101.148.48]) (authenticated bits=0) by dublin.packetizer.com (8.14.5/8.14.5) with ESMTP id q957VUn6019665 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Fri, 5 Oct 2012 03:31:30 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=packetizer.com; s=dublin; t=1349422291; bh=MofxKodspEhlmpfCKdoUMpazTWhEA1a+RdZocRf91zM=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version:Content-Type; b=o5nF9tdVqKHhS3Hb0p87fWEBuFJZ/Nrbij5tS4OclXKVE43w2ecKsbF4IS7utedR0 m4L/RF9QS0sq3yb40ze+FwN0wDnp9wg4MnZwSCwCa9ymstGyQTbyhlc5KAoJ07DGlA YVIxKx/Ob0nlwLzRygkXilasNEk8DM2sNLCNN5KM=
From: "Paul E. Jones" <paulej@packetizer.com>
To: websec@ietf.org
Date: Fri, 05 Oct 2012 03:31:36 -0400
Message-ID: <022401cda2cb$744a0040$5cde00c0$@packetizer.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0225_01CDA2A9.ED3971B0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Ac2ivpBQley7TlYzQaiiDL43WnX8WA==
Content-Language: en-us
Cc: 'Gonzalo Salgueiro' <gsalguei@cisco.com>
Subject: [websec] draft-ietf-websec-strict-transport-sec and WebFinger
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Oct 2012 07:31:48 -0000
Websec Group, I was reviewing the Strict Transport Security draft and I like the idea. However, one security hole that exists is one that I believe we should work to tighten. Specifically, it is the use of a 301 as specified in Section 7.2. If a UA requests initially visits a site like www.paypal.com, it would not know if the host is an HSTS host or not. Use of 301 is not secure and the user agent could be maliciously redirected to someplace other than a site owned by PayPal, for example. A possible alternative means of determining whether a given host is an HSTS host could be via WebFinger or the current RFC 6415. In parallel to issuing a query to http://www.paypal.com, the user agent could issue a query to https://www.paypal.com/.well-known/host-meta.json. Prior to acting on a response to the HTTP request, the user agent could act on the response to the WebFinger query. A WebFinger query might be: GET /.well-known/host-meta.json HTTP/1.1 Host: www.paypal.com The WebFinger response might contain something like this: { "properties" : { " strict-transport-security":"yes" } } This response returns a single response indicating the strict transport security policy. Note that since this query was issued against an HTTS server, the above might be redundant since the Strict-Transport-Security header would have been included. Even so, this might provide a standard means of checking the policy. Alternatively, one could issue a query for the specific URL requested. Let say the original request is for http://www.example.com/user/foo. Using WebFinger, one could issue: GET /.well-known/host-meta.json?resource= http %3a%2f%2fwww.example.com%2fuser%2ffoo HTTP/1.1 This more targeted request could report on the requirement to use HTTPS via a similar means, but we could also use this to facilitate a redirection. I'm not so favorable to using WebFinger as a means of redirecting a client, but if the HTTP path and HTTPS path are different, perhaps this might provide that secure replacement for 301 on HTTP. Thus, the reply might look something like this: { "subject" : "http://www.example.com/user/foo", "properties" : { " strict-transport-security":"yes" }, "aliases" : [ "https://secure.example.com/user/foo" ] } This would indicate (again redundantly) what that strict transport security is to be used, but would also provide an alias address that could be queried. This could effectively serve where the 301 is proposed in the current draft. As yet another possible alternative to provide an alternate means of 301 redirection, we might have this reply: { "subject" : "http://www.example.com/user/foo", "links" : [ { "rel" : "strict-transport-security", "href" : "https://secure.example.com/user/foo" } ] } What the above reply does is remove the "strict transport security" property, thus removing the redundancy in the previous examples. In its place, we have a single link relation called "strict-transport-security" that contains the URL to substitute for the "subject" URL. I know it's a bit late to bring this up, but I thought it is worth asking. I apologize if the 301 issue has been beaten like a dead horse, but it seemed like an open security hole as I read the draft. If I'm misreading the draft there, by all means tell me, but I do think it would be good if we close that hole somehow if it does exist. Paul