IETF Logo Mail Archive

Re: [websec] draft-ietf-websec-key-pinning

Ryan Sleevi <sleevi@google.com> Fri, 05 September 2014 00:06 UTC

Return-Path: <sleevi@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CD601A02E9 for <websec@ietfa.amsl.com>; Thu, 4 Sep 2014 17:06:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.046
X-Spam-Level:
X-Spam-Status: No, score=-2.046 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tRSv1qqQW4sX for <websec@ietfa.amsl.com>; Thu, 4 Sep 2014 17:06:11 -0700 (PDT)
Received: from mail-vc0-x22c.google.com (mail-vc0-x22c.google.com [IPv6:2607:f8b0:400c:c03::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 911911A02E6 for <websec@ietf.org>; Thu, 4 Sep 2014 17:06:11 -0700 (PDT)
Received: by mail-vc0-f172.google.com with SMTP id le20so196226vcb.17 for <websec@ietf.org>; Thu, 04 Sep 2014 17:06:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=8MLeMgEJv6Nr9p3ZSrUzN1adTJEgU1hhcsteTUUvFvE=; b=n0JW2a+X2uZNVCYQtcTVD+6w2RbFBbiOmPvDT29FWWNM3nuwhY3GJgYQcyKtPcwjYx k+NndxruW0tTcqnDeEIFTKl5VVJA1UtlEX+qIZpbrQhmDFYOANNbdjCFgNwFLUSI7XAI Q+6MEntX8JQjrfJUqr+xiy1O+PsV6Sy38ri0uB/Wi9z9yI+qPkrh0G+RH+0Jq8IrXqic qW/kVYqSMxQLvdS4nAkl35uzvtZWehSLiH2BPWdWx/2kAb7sJqqu0h0L9EIdkRFQZq+a TKJkfDlDqS9Vv6wdbd3AU5wQDCx8sMM+qvE0cB8jbNie0v5r8hiLiAtzTOPduUZyi9Fs Imxw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=8MLeMgEJv6Nr9p3ZSrUzN1adTJEgU1hhcsteTUUvFvE=; b=mYhqNKJTF6+NsqgScmjdLycdN4TgkXJQfV9zjm4GAcQMA1nKX9HKvuNwdkAqpOyl0V YJWb2edzU9i7GSqsEQdfHfdakQEIdC7UcoLfk6j3GapSINV5JrijwKd4114s6efRDBzg r3t0Dw915JmnwhaCb/c1sX2QIZM2m333kqKxFc6aa3qYApiBdfL3qW68BQuwg1qgvrhP 1ZzEM81f4XhtTzt5Dm3vlA8pRKYQXH2IlTesmM+UprJjSmyAYx0OvF7Y6f8NXMNn9JJy pPfs2BpSL7yFWapApLyPtw+WB978i9iZA+oPdsMbEY7EcmkCZ7dQwU4IUz60fjCE3K7y L3zw==
X-Gm-Message-State: ALoCoQnDekQ4CxHLHC6l0tK0zDrUA+wLq08a+Usu88CHAZ8McBBe6rGESso+xPZ61hJ1EbuJd6wf
MIME-Version: 1.0
X-Received: by 10.52.27.16 with SMTP id p16mr6257502vdg.14.1409875570444; Thu, 04 Sep 2014 17:06:10 -0700 (PDT)
Received: by 10.52.146.4 with HTTP; Thu, 4 Sep 2014 17:06:10 -0700 (PDT)
In-Reply-To: <CAGZ8ZG1ohK0CH=ss+ynjpaedEGUTA_GwuSoueh2X2YQ7J-T=4w@mail.gmail.com>
References: <CACvaWvZNpAepBmWchLMirfPdxu4ed=vH1qwMppAjw1P9S+4quw@mail.gmail.com> <BAY169-DS311951F23960F4605A0CB0AEDA0@phx.gbl> <35F981DA-46C4-44D7-8582-25BF8BF1B31A@gmail.com> <BAY169-DS421419C50B5700132829BBAEDA0@phx.gbl> <CAGZ8ZG2S5XxyAkL=vr2VbCzKA2bfGk2FxK9RYGiBtMmG7UPraA@mail.gmail.com> <CACvaWvY3-6LMECBsobpgi-Uj2iUz0PNTsqZdiHUeuw-J9Tu_KQ@mail.gmail.com> <CAGZ8ZG1ohK0CH=ss+ynjpaedEGUTA_GwuSoueh2X2YQ7J-T=4w@mail.gmail.com>
Date: Thu, 04 Sep 2014 17:06:10 -0700
Message-ID: <CACvaWvYTFEN2bm3FAENZHKFyWAx1hmzB4-NN4VB3=x1PXSLRCw@mail.gmail.com>
From: Ryan Sleevi <sleevi@google.com>
To: Trevor Perrin <trevp@trevp.net>
Content-Type: multipart/alternative; boundary="20cf307d05808de8df0502463c3f"
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/iPFq7j6BkRmJy16g_WV5NRjvN00
X-Mailman-Approved-At: Fri, 05 Sep 2014 02:20:29 -0700
Cc: draft-ietf-websec-key-pinning <draft-ietf-websec-key-pinning@tools.ietf.org>, IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] draft-ietf-websec-key-pinning
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Sep 2014 00:06:14 -0000

I wish you would have raised this during WGLC, which would have benefited
from the review and discussion now being paid.

I guess echoing Yoav's earlier remarks that:

"At this stage, we can make editorial changes, but we cannot make
> significant changes on our own. We can withdraw the request to publish, and
> take it back to the working group, but I think that would be inadvisable.
> I think we should proceed, making only editorial changes, and changes
> resulting from discussion with IESG members."


that it's probably not worth discussing much further.

If the WG feels strongly about this, we can certainly withdraw from
publication. If so, I think the Chris' and myself would need to recuse
ourselves from being able to edit this document any further, so the WG
would need to find a new set of editors to proceed with this draft.

Other than that, either we accept these as ERRATA, or we accept them as
being what they are.

That is, my understanding is that this is a bit like discovering a possible
issue after you've shipped your gold master to 100K stores. Yes, it's
awful, but either it's a recall or you fix it in post. My gut is that it's
for post. However, based on Yoav's remarks, I'm not sure that there's very
much we can do editorially to address these. It appears my proposed
suggestion does not address your concerns, so I will not be added it to the
next (and hopefully final) draft.



On Thu, Sep 4, 2014 at 4:53 PM, Trevor Perrin <trevp@trevp.net> wrote:

> On Thu, Sep 4, 2014 at 4:09 PM, Ryan Sleevi <sleevi@google.com> wrote:
> >
> >
> >
> > On Thu, Sep 4, 2014 at 4:02 PM, Trevor Perrin <trevp@trevp.net> wrote:
> >>
> >> I agree with Eric and Joe that the current definition of PKP-RO is not
> >> that useful and potentially surprising to deployers.
> >>
> >> Ryan argues that storing PKP-RO is dangerous because a TLS MITM who
> >> could set pins for a lot of clients for a lot of sites could flood a
> >> victim with reports.
> >>
> >>
> >> Couldn't the MITM also set PKP pins with report-uri, or set cached
> >> redirects or other cached resources to generate traffic toward a
> >> victim?
> >
> >
> > Yes, and that's a user visible effect, rather than transparent.
>
> Hmm, there's nothing clever that can be done with cached javascript or
> html to also generate silent traffic toward a victim?
>
>
> > It also
> > requires that a connection be validated first, whereas the very
> definition
> > of PKP-RO is that you send it when a connection is not validated.
>
> I'd expect stored PKP-RO to follow the same rules as PKP and be stored
> only if it meets the bullet points in 2.5 (error-free TLS connection,
> backup pins, etc.).
>
> It would make sense for any report-uri header (PKP or PKP-RO) that
> fails the 2.5 checks, or has some other invalid syntax (eg bad
> base64), to *also* generate a different sort of report and not be
> stored.
>
> Would it be reasonable to add a reporting message for 2.5 failure or
> syntax failure?  Otherwise, when asserting a report-uri pin you can't
> distinguish pin-not-stored errors from
> pin-stored-and-validation-successful.
>
>
> >> Ryan argues PKP-RO is worse because it's "conceptually and practically
> >> silent to the user".  But once the browser has sent junk traffic to a
> >> victim, I don't really see how seeing how displaying a pinning error
> >> makes things better.
> >
> >
> > First, the attacker can only mount the hostile attack after having first
> > established a good connection.
>
> Debateable per above.
>
>
> > PKP-RO allows an attacker to perpetually
> > mount a hostile attack.
> > Second, the presence of a pinning error is an inherently rate-limiting
> > factor to the user experience. You're not going to be able to trigger 100
> > reports if you're causing the user 100 error pages.
>
> Rate-limiting is already proposed:
> """
> UAs SHOULD limit the rate at which they send reports.  For example,
>    it is unnecessary to send the same report to the same report-uri more
>    than once per distinct set of declared Pins.
> """
>
> Wouldn't that take care of it?
>
>
> > Third, it seems like you're arguing for removing report-uri altogether,
> > given the privacy and DoS risks identified. That is, the more that  you
> > establish RO is similar to PKP in level of what an attacker can do, the
> more
> > it argues for removing report-URI entirely.
>
> Dunno.  I'm still trying to understand these risks, whether they're
> really different for PKP-RO vs PKP, and for HPKP versus other web
> technologies.
>
> Trevor
>

v2.23.0 | Report a Bug | By Email