Re: [websec] Fwd: New Version Notification for draft-ietf-websec-key-pinning-03.txt

Chris Palmer <palmer@google.com> Fri, 19 October 2012 01:15 UTC

Return-Path: <palmer@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71E1121F852C for <websec@ietfa.amsl.com>; Thu, 18 Oct 2012 18:15:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Level:
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E1SC-hNXPI2l for <websec@ietfa.amsl.com>; Thu, 18 Oct 2012 18:15:36 -0700 (PDT)
Received: from mail-lb0-f172.google.com (mail-lb0-f172.google.com [209.85.217.172]) by ietfa.amsl.com (Postfix) with ESMTP id 2FC3421F84FE for <websec@ietf.org>; Thu, 18 Oct 2012 18:15:35 -0700 (PDT)
Received: by mail-lb0-f172.google.com with SMTP id k13so20547lbo.31 for <websec@ietf.org>; Thu, 18 Oct 2012 18:15:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-system-of-record; bh=e7RheKouxK3UaRxz2OOeJtvfp0CHz35/HBdRAEGkZxI=; b=kxEI8TGzcCJ4lc0rwPJCVJcMjgoZMRzFnBO4o0NHvLrqpwLdLxxYlZfHjcXmiKKde8 /vgRG6rusOybyedFG6jvHNpeS5wqIKA2D5cg1vzU2qnhdCGv1K5MD8ke+gn69bNVjgUZ fqu7/vRf3SqepdNnJZz7FQqpIN6Yq8yL3TqV0wJvfG7zPIutC+LXjyyoYzgyKk1a2fvB egOnr9Pm7MGd6U4mVyu1cafVc3Kts1z6IJsvKkR+06Mo10BXtRLfQBbiIjY5oQj0S7dV bwBBg3R6gRbBm49GpUS5dw12SUe7oP+cr9WIH15Pd4kw1PeJAwjMFDXy3b+9VkblImqC Iv5Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-system-of-record:x-gm-message-state; bh=e7RheKouxK3UaRxz2OOeJtvfp0CHz35/HBdRAEGkZxI=; b=IX2enKOnNsSMKVNmxSxDGQS9UMQvaIqZV8hsDUfDyK1g3bVsO3kjOU4AlKL3AwFqtg ONMHfa0MAAI2yuxLRGL0LFhMaZellz6+5TBEfqUqlTUG2L6uY5eAhjiCjoJTLTLnss+B 5ZRcXT0S/sC0JntOFVlxjYhUs9G+H2HHzud/jcgGTh+GFy76pird/1ggWaOzGjYIj4+6 yDisBhMjKnepMzftNCbD+aXNtU+js2O7Up1bCVkP8Fs+rWJQEMNWBBoHf0yXP8ZPWOM4 2v6QZvKBm5h1fqw2Ndz1SZmbyo/XR1fxNw0syT7lBmyw1BJMnQ7FVUcuEftDIB2typqF koXg==
MIME-Version: 1.0
Received: by 10.152.122.11 with SMTP id lo11mr20158193lab.3.1350609334683; Thu, 18 Oct 2012 18:15:34 -0700 (PDT)
Received: by 10.112.39.226 with HTTP; Thu, 18 Oct 2012 18:15:34 -0700 (PDT)
In-Reply-To: <CA+cU71kDB19HTgJ0AiH42ErLuRLGJDavqm3boV-Hifyjjy4TgQ@mail.gmail.com>
References: <20121016183544.18082.34326.idtracker@ietfa.amsl.com> <CAOuvq219yJ1P1STBM-AkP7aLNP1W_U8WYp2v-8x1kzXuS_VT6A@mail.gmail.com> <7F0FC8A6-D30D-4AAD-A420-0796F9703184@checkpoint.com> <CA+cU71kDB19HTgJ0AiH42ErLuRLGJDavqm3boV-Hifyjjy4TgQ@mail.gmail.com>
Date: Thu, 18 Oct 2012 18:15:34 -0700
Message-ID: <CAOuvq21JyyRYoDnn7BFE+v=+DxKfGOmr-rE+FO67-fVwJXQJ=Q@mail.gmail.com>
From: Chris Palmer <palmer@google.com>
To: Tom Ritter <tom@ritter.vg>
Content-Type: text/plain; charset=UTF-8
X-System-Of-Record: true
X-Gm-Message-State: ALoCoQn/xs46gxdnyaOLk8wIfIacja0d55IViNT52Y2Zd2Gv/qXzDBGFye+l0XtCcAtkSaGEoQz1TFBgE+LxHwx5XGgTdAkdYtxA6OHDT3rcOkQS8bqIflU7VEMqZGIi4Jo3jEsOrm1nc5JcpSxbcpMNWxNA37ziSfYlt0FZ7mmLIPyHelw603lC3QbKSi7tVeLN7eMAR35P
Cc: IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Fwd: New Version Notification for draft-ietf-websec-key-pinning-03.txt
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Oct 2012 01:15:37 -0000

On Wed, Oct 17, 2012 at 7:23 AM, Tom Ritter <tom@ritter.vg> wrote:

> Section 2.3 "Noting Pins":
>
> I wonder if it is worth moving "The UAs MUST ignore Public-Key-Pins
> response header fields received on HTTP (non-HTTPS) connections."
> outside the criteria to be unambiguous that a client should not
> "discard any previously set Pinning Metadata" if it receives the
> header over HTTP.  Or if it's reasonable enough to assume no one would
> get confused.

I think it's reasonable enough. However I did add this:

"""The UA MUST note the pins if and only if it received the
Public-Key-Pins response header field over an error-free TLS
connection. The UAs MUST ignore Public-Key-Pins response header fields
received on HTTP (non-HTTPS) connections and on HTTPS connections that
are not error-free."""

to (hopefully) resolve this:

> Similarly, I wonder if there was some situation that could result in
> an attacker-induced 'errored' TLS connection that still sent the
> header, resulting in the data being discarded...

Thoughts?

> Section 2.4: "Validating Pinned Connections":
>
>    For the purposes of Pin Validation, the UA MUST ignore
>    certificates who SPKI cannot be taken in isolation and superfluous
>    certificates in the chain that do not form part of the validating
>    chain.
>
> I know I just modified this, but the second phrase just hit me.
> Because path construction is non-standard, could a client wind up in a
> situation where the site pinned to CA_Alice, with the intended path
> CA_Alice -> CA_Bob -> Intermediate -> Leaf; but because CA_Bob was
> trusted, the ultimate validating chain was simply CA_Bob ->
> Intermediate -> Leaf?  I'm not sure what the right way to counteract
> that would be...

Yes, Ryan raised this hilarious point to me a while back, and now I
see he has responded to your question here on the list.

So, it's a strong motivating factor for a report-only mode. I've
created an issue tracker entry and a discussion thread for that.

> 2.5: "Pin Validity Times"
>
> I find the "current + current - initial" / "(b) the amount of time the
> pin has been noted" item confusing, and am not sure what it means from
> reading only the draft.  If I'm not the only one, it might be worth
> clarifying.

Yes, even after a lot of thought I am still undecided about this. I
see several possible approaches:

(a) simply have the validity time be the same as for HSTS;
(b) the same as HSTS but with a 30-day maximum;
(c) the current attempt to mirror TACK, except clarified and with examples; or
(d) something else.

Of these, I think I currently like (b) best. Thoughts?

> 2.6.  "Interactions With Preloaded Pin Lists"
>
> If closing private browsing mode or clearing saved data also clears
> preloaded pins (and I think it should),

I think you mean "clears dynamic pins"? In Chromium's Incognito, any
accrued dynamic pins will be lost when you close your last Incognito
window. (If not, that is a bug and you can assign it to
palmer@chromium.org.) Also, in Chromium, when you clear browsing
history, chrome://chrome/settings/clearBrowserData, *and you select
"from the beginning of time"* (or presumably any time that predates
when your HSTS data is from), your HSTS metadata (e.g.
~/.config/chromium/Default/TransportSecurity) is indeed wiped clean.
That was true last time I checked, on 7 May 2012. Again, if you find
otherwise, assign me a bug.

> this would cause a revert to
> the preloaded pins, which may break sites.  A workaround may be to
> disable a preloaded pin if a new pin is seen, and keep that disabled
> even after the saved data wipe/private browsing mode close.

Good point. I'll add a note to that effect and ship it in the next draft.

> To prevent using this as a backdoor into tracking,

I don't consider the implicit tracking cookie problem to be solvable.
I think EFF's Panopticlick conclusively shows that it cannot be
solved. Tracking with HSTS and HPKP metadata would be a notably noisy
and inefficient way to implicitly track people; much "better" methods
exist now and always will. See http://www.w3.org/TR/hr-time/ just as a
random example...

> the preloaded pins
> should be sanity checked for "Is this organization likely to abuse the
> feature."

I suppose we could press the Safe Browsing list into service for this
(and data and API for that are open), but it's a stretch. SB is about
malware and phishing, which is a different thing than implicit
tracking.

It could at best be a "UAs MAY choose to ignore HSTS and pinning
metadata for certain sites... a mechanism to do so is beyond the scope
of this I-D..." thing.

> Again, excited about this - thanks for the work.

Thank you for all your help!