Re: [websec] handling STS header field extendability

Paul Hoffman <paul.hoffman@vpnc.org> Mon, 13 August 2012 21:29 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5783A11E8087 for <websec@ietfa.amsl.com>; Mon, 13 Aug 2012 14:29:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B6uXOcJbYJdR for <websec@ietfa.amsl.com>; Mon, 13 Aug 2012 14:29:04 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id BD7B111E8072 for <websec@ietf.org>; Mon, 13 Aug 2012 14:29:04 -0700 (PDT)
Received: from sn87.proper.com (sn87.proper.com [75.101.18.87]) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.5) with ESMTP id q7DLT3AM051862 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Mon, 13 Aug 2012 14:29:03 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset=us-ascii
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <370C9BEB4DD6154FA963E2F79ADC6F2E1C2818@DEN-EXDDA-S12.corp.ebay.com>
Date: Mon, 13 Aug 2012 14:29:03 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <3811BC26-9859-4F3C-A5B3-E1EA0C7F522D@vpnc.org>
References: <5024352D.4040604@KingsMountain.com> <CAOuvq23dxoKyV2No55WEYePhVj+Fcab5cF65C1FsiqgtmEkXMA@mail.gmail.com> <CA+cU71kx4Ck2aMeSHhnpb--aZ+mRmszQdojepM4aapVn2TsR=Q@mail.gmail.com> <370C9BEB4DD6154FA963E2F79ADC6F2E1C251C@DEN-EXDDA-S12.corp.ebay.com> <CANVv-VfcVBhd7AUqsZ83dKJiDL3V=_Fd2Wmm=o7WXMiEgCAusg@mail.gmail.com> <FD1D3117-B393-417A-868F-AB954907C16C@vpnc.org> <370C9BEB4DD6154FA963E2F79ADC6F2E1C2818@DEN-EXDDA-S12.corp.ebay.com>
To: "Hill, Brad" <bhill@paypal-inc.com>
X-Mailer: Apple Mail (2.1278)
Cc: IETF WebSec WG <websec@ietf.org>, Ben Campbell <ben@nostrum.com>
Subject: Re: [websec] handling STS header field extendability
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Aug 2012 21:29:05 -0000

On Aug 13, 2012, at 2:20 PM, Hill, Brad wrote:

> I have an EV certificate for www.example.com.  On the main page, it includes the following tag:
> 
> <script src="https://scripts.example.com/myscript.js">
> 
> Mallory is presumably much more likely to be able to obtain a DV certificate for scripts.example.com than an EV cert for www.example.com.  But Mallory can still use the DV certificate to attack the EV content at www.example.com by MITMing the fetch of myscript.js, which will be transcluded into the DOM.  

If the security model is that www.example.com and scripts.example.com have the same security properties, then you are right. I don't see that in HSTS, but I could be missing something.

> Or alternately, assume that Mallory gets a DV certificate for www.example.com which is different (and has a different key pair) from my legitimate EV certificate.  Mallory can still MITM content loaded in some frame other than the one displaying the EV indicator and gain control of that content because her "www.example.com" using the DV certificate is the same origin as my "www.example.com" using the EV one.

Again: instead of "LockEV", wouldn't a much saner security policy be "LockKey"?

> So, Collin is right that perhaps I'm making the case *for* LockEV, but as my first example shows, it would have to include a full-fledged mixed-content distinction between EV and non-EV, as currently exists between HTTPS and HTTP.

...which seems like a bad idea whose only value is to sell EV certs.

> When you start to consider more modern technologies for intercommunication between multiple instances of client-side apps with things like postMessage, webRTC, etc. I wonder if you wouldn't need a full-fledged origin distinction on EV/non-EV, as we do today on protocol, to create a strong barrier, and if it is worth it and there is any appetite among browser vendors for such a thing.

Why not just use full-fledged origin non-distiction? What value does "EV" bring here?

--Paul Hoffman