Re: [websec] New draft of HTTP header-based public key pinning

"Steingruebl, Andy" <asteingruebl@paypal-inc.com> Wed, 09 November 2011 03:48 UTC

From: "Steingruebl, Andy" <asteingruebl@paypal-inc.com>
To: Chris Palmer <palmer@google.com>, Tom Ritter <tom@ritter.vg>
Date: Tue, 08 Nov 2011 20:48:02 -0700
Message-ID: <5EE049BA3C6538409BBE6F1760F328ABEBED718018@DEN-MEXMS-001.corp.ebay.com>
References: <CAOuvq21Ne0CWT3Dzn0sutGDBg0K+efZhxmqBZiLuxbO2OwxnFg@mail.gmail.com> <CA+cU71kFFpuooyiBTarvLT3VJigZhW0BgpQi1gMTn7zB=sFh+w@mail.gmail.com> <CAOuvq20uCZsp80yJ6gjeh-AGVswu3GTPuSYYCGyXPWpO-RJpsA@mail.gmail.com>
In-Reply-To: <CAOuvq20uCZsp80yJ6gjeh-AGVswu3GTPuSYYCGyXPWpO-RJpsA@mail.gmail.com>
Cc: IETF WebSec WG <websec@ietf.org>, Chris Evans <cevans@google.com>, Ian Fette <ifette@google.com>, Wan-Teh Chang <wtc@google.com>
Subject: Re: [websec] New draft of HTTP header-based public key pinning
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>

> -----Original Message-----
> From: Chris Palmer

> >  - There is no directive or suggestion to User Agents about saving or
> > not saving pins received in a private browsing mode.  Maybe there
> > shouldn't be, but if a User-Agent does save them, the same 304/ETag
> > trick malicious sites use to track users can be created using certs
> > and subdomains.
> 
> Yes, another person raised this concern, and it is real. I don't see a way to
> resolve this problem; perhaps I am not smart enough, but I can't see a way to
> have both dynamic pinning AND avoid this tracking attack.
> 
> I am willing to add a paragraph about what browsers should do in private
> browsing mode, and I am willing to go either way on what the requirement
> should be. I don't know what is best.

We battled this problem with HSTS as well.  I think what Mozilla settled on (and I don't remember the Chrome solution) is to use a different storage mechanism when HSTS is *set* during private browsing mode, and clear on exit from private browsing.

Clearing history/cookies on the browser is similarly problematic for HSTS and pinning.  This is unfortunate in that we'd really like it to be hard for users to clear HSTS state because it is "good for them".  Not clear whether this belongs in the spec, or a set of implementation guidelines.  Folks got squeamish here about talking about exact UA behavior, etc.

There is a Firefox bugzilla bug about this issue; I'll try to go find it and post back here unless someone beats me to it.

- Andy
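The separate-storage approach Andy describes for HSTS, modelled for pins as an added example (this is not code from the draft, from the email, or from any browser): pins learned while in private browsing go into an ephemeral tier that is discarded on exit, so a site cannot re-identify the user afterwards by the pins it handed out, while pins learned in normal browsing stay usable in both modes. The header grammar parsed here (`max-age=N; pin-sha256="..."`), the expiry handling, and all class and function names are illustrative assumptions, not the draft's syntax. `clear_site_data` models the user clearing history, which empties both tiers and is the tension the reply points out.

```python
"""Pin store with an ephemeral tier for private browsing (illustrative model)."""
import re
import time

# One directive of a "name=value" or name="value" form; the header grammar is
# assumed for this example and is not taken from the draft.
_DIRECTIVE = re.compile(r'\s*([A-Za-z0-9-]+)\s*=\s*"?([^";]*)"?\s*')


def parse_pkp_header(value):
    """Parse a Public-Key-Pins style header into (frozenset of pins, max_age).

    Each pin is a (hash_alg, base64_digest) tuple. Returns None when max-age
    or every pin directive is missing or malformed, so callers store nothing
    rather than a partial pin set.
    """
    pins = set()
    max_age = None
    for part in value.split(";"):
        m = _DIRECTIVE.fullmatch(part)
        if not m:
            continue
        name, val = m.group(1).lower(), m.group(2)
        if name == "max-age":
            if val.isdigit():
                max_age = int(val)
        elif name.startswith("pin-") and val:
            pins.add((name[4:], val))
    if max_age is None or not pins:
        return None
    return frozenset(pins), max_age


class PinStore:
    """Two-tier store: persistent (normal browsing) and ephemeral (private)."""

    def __init__(self):
        self._persistent = {}   # host -> (pins, expires_at)
        self._ephemeral = {}    # pins set while private browsing
        self.private_mode = False

    def enter_private_mode(self):
        self.private_mode = True

    def exit_private_mode(self):
        # Everything pinned during the private session is forgotten, so the
        # pin set cannot serve as a persistent identifier across sessions.
        self._ephemeral.clear()
        self.private_mode = False

    def observe_header(self, host, header_value, now):
        """Record pins from a header seen over a validated connection."""
        parsed = parse_pkp_header(header_value)
        if parsed is None:
            return False
        pins, max_age = parsed
        target = self._ephemeral if self.private_mode else self._persistent
        if max_age == 0:
            target.pop(host, None)          # max-age=0 removes the pin set
        else:
            target[host] = (pins, now + max_age)
        return True

    def pins_for(self, host, now):
        """Active pin set for host, or None. Private lookups also see
        persistent pins: they protect the user and were not set this session."""
        for store in (self._ephemeral, self._persistent):
            entry = store.get(host)
            if entry is None:
                continue
            pins, expires_at = entry
            if now >= expires_at:
                del store[host]             # expired: drop lazily
                continue
            return pins
        return None

    def connection_allowed(self, host, chain_pins, now):
        """True if no pins are known for host, or a known pin is in the chain."""
        pins = self.pins_for(host, now)
        if pins is None:
            return True
        return any(p in pins for p in chain_pins)

    def clear_site_data(self):
        """User clears history: both tiers go, including protective pins."""
        self._persistent.clear()
        self._ephemeral.clear()


if __name__ == "__main__":
    # Constructed sample header and digests, not real values.
    store, now = PinStore(), time.time()
    store.enter_private_mode()
    store.observe_header("example.test", 'max-age=3600; pin-sha256="c0nstructedDigest="', now)
    print("pinned while private:", store.pins_for("example.test", now) is not None)
    store.exit_private_mode()
    print("still pinned after exit:", store.pins_for("example.test", now) is not None)
```

Pins set in normal mode remain visible during private browsing on purpose: the privacy concern is state *created* in the private session, not protection the user already had.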