IETF Logo Mail Archive

Re: [websec] Gen-art LC review of draft-ietf-websec-key-pinning-19

Chris Palmer <palmer@google.com> Tue, 05 August 2014 21:37 UTC

Return-Path: <palmer@google.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C2411B2BF0 for <websec@ietfa.amsl.com>; Tue, 5 Aug 2014 14:37:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.38
X-Spam-Level:
X-Spam-Status: No, score=-1.38 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yo1j3n3Jxz_h for <websec@ietfa.amsl.com>; Tue, 5 Aug 2014 14:37:18 -0700 (PDT)
Received: from mail-qa0-x229.google.com (mail-qa0-x229.google.com [IPv6:2607:f8b0:400d:c00::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 967CF1B2BEE for <websec@ietf.org>; Tue, 5 Aug 2014 14:37:18 -0700 (PDT)
Received: by mail-qa0-f41.google.com with SMTP id j7so1624767qaq.0 for <websec@ietf.org>; Tue, 05 Aug 2014 14:37:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=EGvPiM6x+O/ylXFtS9vqkLySGbJYSRl1PItKQjgotq0=; b=oDR2epvkiOw3W56jjUtaLV6b+U8UXSXSQyDHOkTC7tD2xyvPEDPAaYoXVDerZUlTt3 3PvgmfTVj8uKEbXEelW12/JooO5BqPUjXLj8tYwDXYUBTrwsjYNRW+YlW5vMYvmP+scl hIGc7LL3AXUZVVMe0Q8l9WtTRLTquzFM6Kbyj5ml8d14tc+Dcp7L/VpOq6vCzlln+/Jw mzqXUqATwdLESitKHcM6YuQMr8kY+JYi6tODlBcebNC4WQqtDGRmO94UWeRNwlEhnaRR 5td/9qBWUWtvg9f8X+pVCLq2VzrK7E5pq7vF/PEyJe0YiwCOSuxpvqht+U/yKxJjYbFq 1P9Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=EGvPiM6x+O/ylXFtS9vqkLySGbJYSRl1PItKQjgotq0=; b=Fa1MW944WeuCT0sHVeModBTK6oZf+Wbzi533NeX+fT9yfObB8RnLTRMFXuCh0Yb9q0 fR9pXI7x2H+LfLEQHResHont8EJqrfgWshtcvFk3EoLW/UExrckjvuCD/mH82uxXK3De 1Cnn5Cq+RvpxM/9N50mVE2FsLGPASLABnwKts/9BvsmZr+vZnxhE13SoLasdPubvFuJV bsnO5HC50HnLS89aMIkGLZItjiRZNNzkk3BJy7TPXygFn9VSGgodliYPkl9nf/0R7F+x ObXU+T6ihaHVDH4s1u+xN2rDfv1Y+bAXbsndiGFW/Df8kUrZByUuH13bKc6Sb5Ft6R8P zOqA==
X-Gm-Message-State: ALoCoQkxsb07eAb2JpuQvNZQ70nnzrq0eBFjmph+9j+wDZeru1MZqlfiuK4N2m+g2WHvIEAD7wLT
MIME-Version: 1.0
X-Received: by 10.140.47.80 with SMTP id l74mr9811543qga.24.1407274636719; Tue, 05 Aug 2014 14:37:16 -0700 (PDT)
Received: by 10.229.162.3 with HTTP; Tue, 5 Aug 2014 14:37:16 -0700 (PDT)
In-Reply-To: <549E489B-181F-48FA-867E-BA7C7FB3E32D@gmail.com>
References: <53DA3F13.10007@dial.pipex.com> <A46FD7B1-0ECB-4AB9-990E-E09D4956591B@gmail.com> <549E489B-181F-48FA-867E-BA7C7FB3E32D@gmail.com>
Date: Tue, 05 Aug 2014 14:37:16 -0700
Message-ID: <CAOuvq21Py2bK_Q=Zcb2c=ht8htmX930dpvSfS-KxMuKwL7VJyg@mail.gmail.com>
From: Chris Palmer <palmer@google.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/rGqY5Bc2lqAICcZEkaAW3dUuqpQ
Cc: draft-ietf-websec-key-pinning.all@tools.ietf.org, General area reviewing team <gen-art@ietf.org>, Elwyn Davies <elwynd@dial.pipex.com>, IETF WebSec WG <websec@ietf.org>
Subject: Re: [websec] Gen-art LC review of draft-ietf-websec-key-pinning-19
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Aug 2014 21:37:21 -0000

These fixes are now available in a new version. You can see the changes at:

https://code.google.com/p/key-pinning-draft/source/list

On Mon, Aug 4, 2014 at 8:49 AM, Yoav Nir <ynir.ietf@gmail.com> wrote:
> [ with no hats on ]
>
> inline
>
> On Jul 31, 2014, at 10:27 PM, Yoav Nir <ynir.ietf@gmail.com> wrote:
>> On Jul 31, 2014, at 4:05 PM, Elwyn Davies <elwynd@dial.pipex.com> wrote:
>>
>>> I am the assigned Gen-ART reviewer for this draft. For background on
>>> Gen-ART, please see the FAQ at
>>>
>>> <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
>>>
>>> Please resolve these comments along with any other Last Call comments
>>> you may receive.
>>>
>>> Document: draft-ietf-websec-key-pinning-19.txt
>>> Reviewer: Elwyn Davies
>>> Review Date: 31 July 2014
>>> IETF LC End Date: 1 August 2014
>>> IESG Telechat date: (if known) -
>>>
>>> Summary:
>>> Almost ready.  There are some minor issues some of which may be as a result of some
>>> misunderstanding on my part.  The descriptive text in the early part of s2 is missing
>>> some definitions that make it unclear until they appear later on.  This makes the early
>>> descriptions more confusing that illuminating in places.  Suggestions in the detailed
>>> comments below.
>
> [YN] I believe the missing definitions you’re talking about are Pin, Pin Validation. I think anyone who reads this specification is familiar enough with HTTP to know what request, response, UA and directive mean. If so, I suggest that these can be defined in 1-2 sentences in section 1, even if they’re better explained later on.
>
>>> One thing that is not fully clear to me and could probably be explained to help others
>>> is the start up of the pinning mechanisms for a given host domain.  AFAICS Pin validation
>>> would possibly not be carried out on a first connection to a domain when there are no
>>> preconfigured Pins.  I am not clear if this adds anything to the risk of a MITM attack or
>>> does it in any way negate the value of the whole pinning process?  I was not clear if
>>> an effective Pin validation should be carried out during the first connection when the
>>> UA receives the host's Pins for the first time and decides that it is now a Pinned Host,
>>> in that the document doesn't state that the connection is terminated if the setting up
>>> of the Pinned host fails because the certs don't validate.
>
> Key pinning is a TOFU (trust on first use) mechanism. As such, the first time a UA connects to a domain there is no validation. A MitM attacking such a first connection will not be discovered. Worse, such a MitM can inject its own PKP header into the HTTP stream, and pin the UA to its own keys. Note that in order to pin false information, the attacker would have to be able to produce an error-free connection. Without compromising a trusted CA, this should not be possible, and the best that attackers can accomplish is to use an invalid TLS certificate, leading to an interstitial warning page.
>
> This is apparent from section 2.3.1, but perhaps deserves a short paragraph in the introduction.
>
>>> Major issues:
>>> None
>>>
>>> Minor issues:
>>> s1: The term "Pin" (as a noun) is not explicitly defined. The definition doesn't appear
>>> until s2.4.
>>>
>>> s2.1.1: I'm not sure if this could be an issue.. should a maximum possible value for max_age
>>> be specified to avoid UA's being cluttered up with old Pins - this might possible be a DoS
>>> attack vehicle but I am not sure (yet) if it could be. OK.. so s2.3.3 talks about limits.
>>> A pointer to this discussion would be useful here
>>>
>>> s2.2.1: Does this response behaviour apply to all possible request types? Once a server has sent a
>>> Pin header should it send it again on all subsequent requests on the same TLS connection or is
>>> that a choice?  Given the "SHOULD" in s2.2.1, what are the circumstances in which the server should
>>> refrain from sending the Pins? [I first thought about 'Redirects' but realized that that was probably
>>> a really good time to send Pins!]
>
> This has been discussed, and because of all kinds of weird deployments, such as with multiplexed servers behind a load-balancer the only viable way was to send the PKP in every response. Some (me!) were concerned about the overhead of these large-ish headers, but we heard from people who actually run servers that a header this small is inconsequential. The draft for HTTP/2 makes this less of an issue, as repeated headers are efficiently encoded by referring back to previous header sets.
>
>>> s2.3.1/s2.4: S2.4 states that hash algorithms might be deprecated in future.  Presumably a
>>> deprecated algorithm should be treated as an unrecognized directive or some such to avoid
>>> downgrade attacks.  Probably worth being explicit about this.  Also this is potentially
>>> incompatible with the statement that 'UAs MUST recognize "sha256"' (Para 3 of s2.4).
>>> This results in a potential downgrade attack when and if SHA256 is deemed to be no longer
>>> cryptographically effective. I think this statement can be removed as presently a UA
>>> has no other option if it is to implement the specification.
>>>
>>> s2.6:
>>>>   Note that the UA MUST perform Pin Validation when setting up the TLS
>>>>   session, before beginning an HTTP conversation over the TLS channel.
>>> I suspect I am confused: If a UA is making its first connection to a host for which it doesn't
>>> have a preconfigured Pin, then it won't get the Pin(s) from the host until it has set up the
>>> TLS connection and received the response to the request at the HTTP protocol level.  In that case
>>> Pin validation will pass by default (subject to local policy perhaps) since the cache doesn't have
>>> entries for the host.  Presumably the UA should then perform Pin validation if it has passed by
>>> default during TLS setup (assuming that this is possible given the layering) or does the UA have to
>>> terminate the session and restart it so that Pin validation can be performed?  The second case may
>>> give scope for a DoS attack.  Or is it the case that Pin validation is not needed on the first
>>> connection... I don't see why this shouldn't be done but I may not understand the problem.  I think
>>> some clarification about the startup of the process is needed.
>>> Nits/editorial comments:
>>>
>>> s1, last para: s/toegether/together/, s/but is possible/but it is possible/
>>> s2.1: It would be good to expand the term OWS.
>>>
>>> s2.1, Figure 1 caption: The acronym HPKP needs expanding.
>>>
>>> s2.1, 2nd para after numbered bullets:
>>> It is not the definition of hash algorithms that is relevant, but allowing them to be
>>> used in pin-directives thus:
>>> OLD:
>>> additional algorithms may be defined in the future
>>> NEW:
>>> additional algorithms may be allowed for use in this context in future
>>>
>>> Also the implication of the "sha256" name should be explained precisely -
>>> i.e, that the SHA256 hash algorithm will be used, and a suitable reference
>>> for SHA256 should be given. (Again this doesn't happen until s2.4).
>>>
>>> And finally the "Fingerprint" of what SPKI? Defining Pin formally as noted above would help!
>>>
>>> s2.1, last para: s/hahs/hash/
>>>
>>> s4.2/Figure 8: The first line of text is too wide.
>>>
>>> s5, para 1: Is it really "HSTS or HPKP"?  I thought it would be "HSTS combined with HPKP".
>>>
>>> s6: Needs to be more precise about *which* message headers repository is to be updated! Presumably
>>> the permanent one at http://www.iana.org/assignments/message-headers/message-headers.xml#perm-headers.
>>>
>>> Also there may be some of the questions in s8.3.1 of RFC 7231 that need specific answers.
>>>
>>> s5, 2nd top level bullet: Expand SNI acronym.
>>>
>>
>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec

v2.23.0 | Report a Bug | By Email