IETF Logo Mail Archive

Re: [websec] Certificate Pinning via HSTS

Phillip Hallam-Baker <hallam@gmail.com> Wed, 14 September 2011 13:44 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21CE321F8BEC for <websec@ietfa.amsl.com>; Wed, 14 Sep 2011 06:44:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.163
X-Spam-Level:
X-Spam-Status: No, score=-3.163 tagged_above=-999 required=5 tests=[AWL=-0.165, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_34=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HzYiVMFMJpOi for <websec@ietfa.amsl.com>; Wed, 14 Sep 2011 06:43:55 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id 80ACC21F8C06 for <websec@ietf.org>; Wed, 14 Sep 2011 06:43:55 -0700 (PDT)
Received: by gyd12 with SMTP id 12so1572220gyd.31 for <websec@ietf.org>; Wed, 14 Sep 2011 06:46:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Wj1nyooP+V8USvN+ou2blIDs3GFbGnu5F5JKzIBR/WE=; b=tLkDSaZT1eI6UWYbPriCMAew6t+HVBFyAD4npJc23Jq212w9hdPqXAh/clwlT/fZ7m AuFqd2OaoXTKKANsSqFMFNgoW7lvLxWeF7KmdtyULdra2GooxQHcgqxf6BguSXr5b+fa PIFfyQqhxxvoR15WihoQEsuwEV5IdrHwR6Uvg=
MIME-Version: 1.0
Received: by 10.101.11.36 with SMTP id o36mr310576ani.74.1316007964340; Wed, 14 Sep 2011 06:46:04 -0700 (PDT)
Received: by 10.100.120.20 with HTTP; Wed, 14 Sep 2011 06:46:04 -0700 (PDT)
In-Reply-To: <4E70A8F8.80102@fifthhorseman.net>
References: <CAOuvq22p2qNnXRsK=PS=mxknnq4MrCWt0Np-N8su-iHXaWHqpg@mail.gmail.com> <4E6F5056.800@fifthhorseman.net> <CAOuvq22E-OvU_53gf_go8Nf_jXX_=wbTf7rn2XEa+GAWHTU+7w@mail.gmail.com> <4E70A8F8.80102@fifthhorseman.net>
Date: Wed, 14 Sep 2011 09:46:04 -0400
Message-ID: <CAMm+Lwj4LMjivR0nHWQ4eqkTz_WVTq8w5+QWGPSOat0KgvM3HA@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: IETF WebSec WG <websec@ietf.org>
Content-Type: multipart/alternative; boundary="0016e68ef4573c72f704ace6fb0b"
Cc: Chris Evans <cevans@google.com>
Subject: Re: [websec] Certificate Pinning via HSTS
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Sep 2011 13:44:00 -0000

On Wed, Sep 14, 2011 at 9:15 AM, Daniel Kahn Gillmor
<dkg@fifthhorseman.net>wrote:

> On 09/13/2011 05:55 PM, Chris Palmer wrote:
> > On Tue, Sep 13, 2011 at 5:45 AM, Daniel Kahn Gillmor
> > <dkg@fifthhorseman.net> wrote:
> >
> >> From my perspective, i see no advantage to pinning any of the CAs -- if
> >> your EE is compromised, you're sunk.  And since the mechanism provides a
> >> mechanism (and nice instructions, thanks) for transition to an emergency
> >> offline backup EE key+cert, that is all handled well.
> >
> > In the case of normal EE certificate expiration — as opposed to
> > compromise — if you are pinned to (say) an intermediary signer, you
> > can just get a fresh certificate from the same signer, deploy it, and
> > change nothing else.
> >
> > Conversely, if you had pinned to an EE, you'd need to follow a
> > procedure something like this near expiration time:
> >
> > 0. Generate the new cert.
> > 1. Change your pins directive to include the new and the old public
> > key fingerprints.
> > 2. Wait long enough for "most, surely?" of your users to have received
> > the new pins, or for their pins to expire by the normal maxAge means.
> > 3. Decommission the old EE cert and deploy the new.
>
> Actually, if your certificate policy requires key rotation at
> certificate expiry, you can generate key N+1 at any time (preferably
> early in the life of the cert corresponding to key N), and introduce the
> secondary pin at that point, without having gotten certificate N+1 yet.
>

Yep.



> It still looks to me like pinning a CA does nothing more than give them
> the chance to hold you hostage at certificate renewal time, and to
> expose you to vulnerability should the CA itself be compromised.


It gives you scaling and administrative convenience.

If you have 10,000 hosts in your enterprise network you really do not want
to have to be managing trust on a per host level. Now consider the case
where you are renting your compute power in the cloud and so the machine
instances are existing for a few hours at a time.

Any scheme that insists on only tying to the EE cert or key is going to
create a major operational headache for those sites. It is really easy to
design a scheme that is easy to administer.

It is also going to cause huge amounts of state that the client has to
manage. If you have 10,000 front end web servers you are going to need
10,000 different client keys to do the job right.


So what most of the large enterprises would likely do if they introduced any
form of security policy would be to have a private CA run up that is an
intermediate in a larger hierarchy. This is why the bogus EFF study came up
with the absurd number of 600 CAs. What they have never come clean on is the
fact that 150 of those 'CAs' are in fact merely intermediate roots tied to a
single customer that are managed in the same infrastructure as the root CA
operations.


What pinning to a CA does raise is the absolute need to have the ability to
pin more than one CA at a time.

> Again, that's fine and one size does not fit all.
>
> Sure, one size does not fit all, but it looks like the document is
> (reasonably) trying to outline some common patterns of reasonable
> behavior to encourage best practices.  I still don't see any best
> practice that involves pinning to a CA unless that CA is itself under
> the control of your own organization.
>
> I recommend that the draft make this explicit, to avoid encouraging
> system operators binding themselves even more tightly to a CA by
> misapplication of this mechanism.
>

There is certainly a difference in the risk factor here between pinning in
the browser and CAA as currently specd (i.e. without the client enforcement
capability). [I originally wrote big, but thinking it through, maybe not so
much]

CA issue of certs is never a 100% automated process. There are some cases
where automated issue is possible but there are inevitably exceptions.

CAA does not prevent a CA issuing a cert, it merely triggers an exception.
So the CA that received the failed application is going to circle back to
the customer and ask what is up. If the CAA record was inserted maliciously
or without informed consent then the customer is going to be mighty peeved
with their old CA and likely contact slashdot with a nasty story.


If there is client enforcement of the records then there is a potential to
use them maliciously.

But even so, I can't see this being much of a practical concern. The main
value add CAs bring in practice is teaching people how to configure crypto
and install certs properly without making a mess of it. Every customer call
center I have been in the conversations you hear are salespeople walking a
customer through install for Apache or ISS.

So provided there is an escape hole from the pinning mechanism, the CAs are
going to be more than capable of talking the customer through how to untie
themselves from the attempted customer capture.

-- 
Website: http://hallambaker.com/

v2.23.0 | Report a Bug | By Email