[websec] HPKP Report Only Mode and Browser Extensions

Tom Ritter <tom@ritter.vg> Wed, 17 April 2013 13:43 UTC

Return-Path: <tom@ritter.vg>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9966821F8480 for <websec@ietfa.amsl.com>; Wed, 17 Apr 2013 06:43:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BPqq25QBqrys for <websec@ietfa.amsl.com>; Wed, 17 Apr 2013 06:43:17 -0700 (PDT)
Received: from mail-pd0-f181.google.com (mail-pd0-f181.google.com [209.85.192.181]) by ietfa.amsl.com (Postfix) with ESMTP id 8BF1021F86CE for <websec@ietf.org>; Wed, 17 Apr 2013 06:43:17 -0700 (PDT)
Received: by mail-pd0-f181.google.com with SMTP id y10so886972pdj.12 for <websec@ietf.org>; Wed, 17 Apr 2013 06:43:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=x-received:mime-version:from:date:message-id:subject:to :content-type; bh=E+VPOf5NqvWu2U/DcHK1nCpKHnO2/6xV0BYvV4nzTbA=; b=DUIbrBS/m9fEKyE3YWByiZ/tIYA7gMlyRRDFvHu4N5xhyuXkD14k6zoANinz3zi4ZL ZrYiVvA0+nNEx2RGaoBDfelpMazZSZd58caDRrX9xkWCDt1mN9I9+W9nL+x2qMeFCjjY u+4+8zkpiKqA37Ce4PRRXcZhzGOCkL3lwC/iI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:mime-version:from:date:message-id:subject:to :content-type:x-gm-message-state; bh=E+VPOf5NqvWu2U/DcHK1nCpKHnO2/6xV0BYvV4nzTbA=; b=K9AnzyK5Xru4OAehtaTUhGgnyzfTsy5pcPmmjKjwpVPfYCc2AbOe57c6FPet2BX43A E7uNcILIdRRjhI6EXV26HiKV7MGJNag8XOfZVD2OZD0hYDpA+0Nu/Ek4a5ZSAsojGlRz dknz7BqysR7ieH48Pyx9/9itWCIx0WLkdn76Ohdlmsoa7UvmW+dPF60dTdmNCji43qOS QJgkBrf95wawGf13DchRsio3DXxU/aGvS/wNKQvyA08Zl21XJl98gFI3hTMhK5bVaETl MSR25BiK0XyBosNtoin/hAVLYFK1AE3jhi8Cvo5fOEJA6qj1tAZkTDxilfIwEcH3neGc uOoQ==
X-Received: by 10.68.216.165 with SMTP id or5mr9274708pbc.152.1366206196437; Wed, 17 Apr 2013 06:43:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.88.68 with HTTP; Wed, 17 Apr 2013 06:42:56 -0700 (PDT)
From: Tom Ritter <tom@ritter.vg>
Date: Wed, 17 Apr 2013 09:42:56 -0400
Message-ID: <CA+cU71nNJgvEPLcpmvuK9-BgiktxMKrrRcw-kENZupgwGXLaBQ@mail.gmail.com>
To: IETF WebSec WG <websec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1
X-Gm-Message-State: ALoCoQknyKA6zdR3N4pK/QU75q4o9v7mV+TM3XZcpck5U3Kz4Y5DWQP6JqRlyApl0VzRQdbaFq4K
Subject: [websec] HPKP Report Only Mode and Browser Extensions
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Apr 2013 13:43:19 -0000

I hear more and more talk about HPKP being used primarily in
Report-Only mode.  I think that's fair, as website operators are very
*very* nervous about bricking themselves.  But it also takes away the
ability of users to be proactive about these (possible) violations.

How do people feel about the following addition to the "Reporting Pin
Validation Failure" section (probably under a new sub-section):

  If a UA provides extensibility points to be used
  by third party extensions or plugins, it [MAY?/SHOULD?]
  provide extensibility points relating to failures in
  both enforcement and Report Only mode.

I envision a browser extension (which is naturally an opt-in
mechanism) that flags Report Only violations so users are aware of
them, and can investigate.  I envision another one, perhaps run by the
EFF, Google, or other trustworthy organization that actually sends
these reports anonymized to a central database (besides the
report-uri) where volunteers or employees could review them for
suspicious entries.

-tom