Re: [websec] Ted Lemon's Discuss on draft-ietf-websec-key-pinning-19: (with DISCUSS)

Ted Lemon <> Mon, 25 August 2014 11:39 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 25A5E1A9041; Mon, 25 Aug 2014 04:39:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.568
X-Spam-Status: No, score=-2.568 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.668] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id K7BtofCKuskC; Mon, 25 Aug 2014 04:39:34 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CFDDF1A9040; Mon, 25 Aug 2014 04:39:34 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*", Issuer "Go Daddy Secure Certificate Authority - G2" (verified OK)) by (Postfix) with ESMTP id AF1371B8467; Mon, 25 Aug 2014 04:39:34 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (Client CN "", Issuer "Go Daddy Secure Certification Authority" (verified OK)) by (Postfix) with ESMTP id 731A953E070; Mon, 25 Aug 2014 04:39:34 -0700 (PDT)
Received: from [] ( by CAS-02.WIN.NOMINUM.COM ( with Microsoft SMTP Server (TLS) id; Mon, 25 Aug 2014 04:39:34 -0700
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Ted Lemon <>
In-Reply-To: <>
Date: Mon, 25 Aug 2014 07:39:18 -0400
Content-Transfer-Encoding: quoted-printable
Message-ID: <>
References: <> <>
To: Ryan Sleevi <>
X-Mailer: Apple Mail (2.1878.6)
X-Originating-IP: []
Cc:, "<>" <>, The IESG <>,
Subject: Re: [websec] Ted Lemon's Discuss on draft-ietf-websec-key-pinning-19: (with DISCUSS)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 25 Aug 2014 11:39:36 -0000

On Aug 25, 2014, at 1:52 AM, Ryan Sleevi <> wrote:
> The hostile attacker (the government) blocks DNSSEC, which now the UA takes as a signal to drop the pin. In doing so, they now connect to the BAD site with the BAD certificates, and note HOSTILE pins.

If I'd suggested that this be how DNSSEC is used, that would definitely be a problem.   What I actually suggested though was that DNSSEC be checked to see if a conflicting key can be securely shown to exist.

> Or consider the operational risks of DNSSEC, which lacks formalized key strengths or management lifecycles, and which, as evidence repeatedly shows for DNS, can be transferred through court order. In this case, if a DNSSEC TLSA record overrides the pinning, the site is again at the mercy of a single point of failure. Thus we'd need DNSSEC pinning and DNSSEC transparency.

Which we already have, in the form of trust anchors and validation chains.   Your court order attack works just as well for pinning as it does for DNSSEC, so I don't see how this is relevant.

> I don't mean for this to get into a larger debate about DNSSEC, merely provide context for why it's not discussed as a mitigation in considering hostile pins. I think I can fairly certainly say such a mitigation wouldn't get implemented. 

That may be true.   The point of suggesting DNSSEC as a mitigation strategy is that if we start to see hostile key pinning (nice term, BTW), is not that it would necessarily get implemented today, but that once hostile key pinning becomes a common attack, which I expect will happen shortly after key pinning becomes widely deployed in its vulnerable state, there will be a stronger motivation to implement some kind of strategy for detecting it.

It may be that DNSSEC isn't the right strategy, but not having any strategy at all seems like a bad idea.   Richard suggested offline that certificate transparency might work; my concern with that is that there's no way that I know of (not an expert, so maybe I just don't know) to detect that you are being prevented from doing certificate transparency, and not just unable to reach a server that does transparency.   If in fact hostile key pinning can be mitigated using certificate transparency, that would also address my discuss.

Richard also suggested tunneling DANE validation chains over HTTP to address the problem, which sounded to me like another good strategy that gets around the DNSSEC functionality problem, although it does not get around the DNSSEC deployment problem: sites that care to prevent hostile pinning would still have to deploy DNSSEC to prevent it.

It may also be that the right thing to do is just discuss the problem in the security considerations section and punt on solving it until later.   I can't really force you to address the problem now with a DISCUSS, nor would I want to.  The point of the DISCUSS is to talk about it and figure out what, if anything can be done.  It may be that there is nothing practical that can be done.   It may also be that there is something practical that can be done, but it should be done in a follow-on document.   Either answer is fine with me if it's true, but the case needs to be made.