Re: [websec] Kathleen Moriarty's Discuss on draft-ietf-websec-key-pinning-19: (with DISCUSS and COMMENT)
Barry Leiba <barryleiba@computer.org> Wed, 08 October 2014 15:55 UTC
Return-Path: <barryleiba@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09AE61A0301; Wed, 8 Oct 2014 08:55:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qS4Aluc09LcT; Wed, 8 Oct 2014 08:55:29 -0700 (PDT)
Received: from mail-la0-x231.google.com (mail-la0-x231.google.com [IPv6:2a00:1450:4010:c03::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A537F1A6F85; Wed, 8 Oct 2014 08:55:28 -0700 (PDT)
Received: by mail-la0-f49.google.com with SMTP id q1so8709279lam.22 for <multiple recipients>; Wed, 08 Oct 2014 08:55:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=ecdotodtbNhTSf9TngVOjLxR9XU/3YVhDmMRFgjkopU=; b=RfYZrEst8MDQGEaMg9dY+nfUfBgsXftTX9OejT68TKaQdnkAMjZzfSrM+1jJJXvmUG HxBe0VfJevWX9jzITq/eGNjcugFWbnB/y6Zr+xQv65W2+qEOKMpVTcDCXPKtsPkeAYXs lyXHfvYB8kClZxgvlHop2hR7tvgXPXtDv8uKTPZQsVG5ERZKo7i9HQgCh8vYUzZiaoVU A2IJZv7N1lARpNbDK99/iaU1jS1UCCpNqK5HFL/dKRikeZL8eChBB4b5lwdVRrsb+g09 dOzbThXSY9BleIvgBsLrwPYUlqaFTizK9hEvQKJzBW/jjunA/oKQ532LH2WUK3qeGNA7 OqfA==
MIME-Version: 1.0
X-Received: by 10.152.197.35 with SMTP id ir3mr12681974lac.82.1412783726279; Wed, 08 Oct 2014 08:55:26 -0700 (PDT)
Sender: barryleiba@gmail.com
Received: by 10.152.8.103 with HTTP; Wed, 8 Oct 2014 08:55:26 -0700 (PDT)
In-Reply-To: <CAHbuEH7jZg5oOR5UH7AKX6M78hKzA0gXEYmwagctgoyOYwKoaQ@mail.gmail.com>
References: <20140807031550.1175.40039.idtracker@ietfa.amsl.com> <CACvaWvYfEtHCHc8xFWg=W5AUzqNEAZjHzXn5YX8Sdzyumf-7ug@mail.gmail.com> <CAHbuEH7jZg5oOR5UH7AKX6M78hKzA0gXEYmwagctgoyOYwKoaQ@mail.gmail.com>
Date: Wed, 08 Oct 2014 11:55:26 -0400
X-Google-Sender-Auth: xDUhcsOB5lUKcZznvHfGiKRzAIY
Message-ID: <CALaySJ+7qPeoqNfaw3ggUiCezxMMC7Yao4psN+6A0x5PJ8G4Ow@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Archived-At: http://mailarchive.ietf.org/arch/msg/websec/xIgzQ5-dEAJeyqqrCkPWdmcHr-0
Cc: "websec-chairs@tools.ietf.org" <websec-chairs@tools.ietf.org>, draft-ietf-websec-key-pinning@tools.ietf.org, "<websec@ietf.org>" <websec@ietf.org>, Ryan Sleevi <sleevi@google.com>, The IESG <iesg@ietf.org>
Subject: Re: [websec] Kathleen Moriarty's Discuss on draft-ietf-websec-key-pinning-19: (with DISCUSS and COMMENT)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec/>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Oct 2014 15:55:32 -0000
Hi, Kathleen. Can you retrieve context and see if version -21 resolves your issues (and restart the discussion if not)? Thanks. Barry On Mon, Aug 25, 2014 at 11:18 AM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote: > Helo Ryan, > > Thank you for your response. Please keep in mind that in most cases, I am > trying to help you clear up the language and ensure that the security and > privacy concerns are clearly understood in the draft to readers that might > include security professionals, CSIRT teams, security administration staff, > and others. I do think the draft is good and would like to help progress > it, but do think some language fixes would be beneficial. > > I read the draft again and will try to clarify the points below providing > suggested language where possible. > > > On Mon, Aug 25, 2014 at 1:44 AM, Ryan Sleevi <sleevi@google.com> wrote: >> >> >> >> >> On Wed, Aug 6, 2014 at 8:15 PM, Kathleen Moriarty >> <Kathleen.Moriarty.ietf@gmail.com> wrote: >>> >>> Kathleen Moriarty has entered the following ballot position for >>> draft-ietf-websec-key-pinning-19: Discuss >>> >>> When responding, please keep the subject line intact and reply to all >>> email addresses included in the To and CC lines. (Feel free to cut this >>> introductory paragraph, however.) >>> >>> >>> Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html >>> for more information about IESG DISCUSS and COMMENT positions. >>> >>> >>> The document, along with other ballot positions, can be found here: >>> http://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/ >>> >>> >>> >>> ---------------------------------------------------------------------- >>> DISCUSS: >>> ---------------------------------------------------------------------- >>> >>> Overall the draft is very good, thank you for writing it. I just wanted >>> to discuss some of the security/privacy considerations and see if we >>> could improve the language and make sure the set of concerns are clear. >>> >>> The privacy consideration section reads more like possible attack >>> scenarios that would fit into the security considerations. What privacy >>> related concerns result from these attacks? Having that spelled out to >>> differentiate the risks as privacy only would be helpful (if appropriate) >>> or moving this into the security consideration section *IF* it is more >>> generically applicable. If I am missing something and this is only >>> privacy related, it would be good to understand that in this discussion. >>> Adding some text on how these attacks could be used to expose privacy >>> related information would be helpful too. >> >> >> The first paragraph spells out precisely why this is listed as a privacy >> consideration: >> >> Hosts can use HSTS or HPKP as a "super-cookie", by setting distinct >> policies for a number of subdomains. For example, assume example.com >> wishes to track distinct UAs without explicitly setting a cookie, or >> if a previously-set cookie is deleted from the UA's cookie store. >> >> Neither of these attacks undermine the protections afforded by HPKP. >> Indeed, they exist precisely BECAUSE of HPKP offering a new means of web >> storage. Essentially, all storage mechanisms introduced when dealing with >> sites - whether it be cookies, new APIs like IndexedDB, exposure of >> persistent storage such as cryptographic keys, or, as in both HSTS and HPKP, >> remembering data about a previously visited site - represent new and >> potential ways to uniquely identify a user, which the two examples spell >> out. >> >>> >>> >>> For the first example, it seems it is the possibility that a report goes >>> outside out the intended scope is the concern. The mitigation seems to >>> be provided in the last sentence of #4, but couldn't this be other >>> information leakage and not just privacy? Let me know if I am missing >>> something that explains why this is privacy specific. >> >> >> I'm not sure how that was reached, as the description of the risk was >> explicitly enumerated >> >> and the ability to pin arbitrary identifiers to distinguish UAs. >> >> This is also reiterated in the #2 and #3. >> >> The same applies to the second example, which hopefully the above >> explanation is sufficient to demonstrate how the spec already highlights, in >> several means, how this is a privacy issue (distinguishing the user >> independent of cookies, aka a "super-cookie") > > > In reading the draft again, the language issue for me was with the usage of > "report" in the text. After looking at this draft again, it seems the only > report type discussed is a "pin validation failure report", in reading up on > other uses of report-uri (W3C) it seems to be tied to a header, in this case > PKP-RO response header. The term report is pretty generic on it's own and > this is where my confusion came in, since that wasn't explicitly stated > (these are tied together and it's the only report discussed). When you get > to the privacy section, it just lists the term report on it's own and not as > a specific report. There is no mention of the report type in that section, > and yes, I probably should have realized that it was tied to the response > header. I do see that is the only report discussed in the draft, but was > not well-versed in this area, so it wasn't clear to me on first read. That > may be fine for most readers, but it wouldn't hurt to state the use of the > term 'report' in this draft is specific to "pin validation failure report" > in section 2.1.3 or to mention the report type again in the privacy section. > My discuss comments above were all related to the generic term "report". > I'll let it go if you feel strongly that this is not necessary since I was > able to figure it out on a second read. >> >> >>> >>> >>> In #3 of the second example, the last sentence includes the following >>> clause: >>> and giving some UAs no >>> Valid Pinning Header for other subdomains (causing subsequent >>> requests for m.fingerprint.example.com to succeed). >>> >>> Does this mean that these subdomains are succeeding when they should >>> fail? It might just be me, but that is not clear in the text (or if they >>> are supposed to succeed). It sounds like they are not supposed to >>> succeed and this is the security issue. How is this privacy specific? >>> Again, this may just be me, but an explanation would be helpful. >> >> >> Do the above references to the existing portions of the spec make this >> clearer? > > > In this case, I'd like to see clearer language that describes the issue and > includes why it is an issue. I am okay on the privacy specific questions as > that was because of the generic use of the term "report" and I was able to > figure out that was the cause of my concerns from my first read of the > draft. Bullet #3 is a run-on sentence and both fixing that and including > implications would go a long way. Here is the current bullet: > > 3. example.com can distinguish 2^N UAs by serving Valid Pinning > Headers from an arbitrary number N distinct subdomains, giving > some UAs Valid Pinning Headers for some, but not all > subdomains (causing subsequent requests for > n.fingerprint.example.com to fail), and giving some UAs no > Valid Pinning Header for other subdomains (causing subsequent > requests for m.fingerprint.example.com to succeed). > > > Here is a suggestion, please teak the language if I didn't get this quite > right: > > > 3. example.com can distinguish 2^N UAs by serving Valid Pinning > Headers from an arbitrary number N distinct subdomains. > > Assume in this example, Valid Pinning headers are assigned > > for subdomains n.fingerprint.example.com and the includeSubDomain > > directive was intended to cover all subdomains > > m.fingerprint.example.com. Where Valid Pinning Headers were > > assigned, some were given to UAs but not for all subdomains > causing > > subsequent requests for n.fingerprint.example.com to > fail. Valid Pinning Header are > > not given to some UAs for other subdomains, causing > subsequent > > requests for m.fingerprint.example.com to succeed. >> >> >> As noted above, the attack is about identifying and tracking users through >> means other than cookies. Such attacks are also known as "super-cookies", >> which is the term explicitly used in the introduction of these attacks. >> >> As noted, the attacker is the site serving the headers itself, which is >> why it's a privacy issue. > > Thanks. >> >> >>> >>> >>> In the last sentence of the privacy considerations section, what is meant >>> by the description "forensic attacker"? I find this term confusing. Was >>> this intended to mean that techniques used in forensic analysis could be >>> used by an attacker to discern information that could be of interest? If >>> that's the case, I think it would be clearer to the reader if that were >>> stated instead. >> >> >> This was in response to Alissa Cooper's YES vote, in which a threat model >> of an attacker with physical access to the machine attempts to recover state >> of the user's browsing history, which the UA had otherwise cleared. > > > Sure, I have no problem with the point, but would like to see the commonly > used terms for this attack type to avoid confusion for the reader. The term > "forensic attacker" isn't one used in the incident response space, so if you > could replace that term with what I think is the intended meaning, "forensic > analysis techniques could be used by an attacker to discern this information > that could be of interest (or useful)", would help. We don't usually cover > attack types that require full exploit of the system or physical access, so > if this got dropped, that would be fine too. The use of such tools isn't > limited to physical access, but also is possible once the host is > compromised and such tools can be installed and used by an attacker (much > higher likelihood than a physical access attack). The current text does not > make a distinction and that is good, I don't think you should be getting too > deep here anyway. > > Propose change from: > > A forensic attacker might > find this information useful, even if the user has cleared other > parts of the UA's state. > > > To: > > Forensic analysis techniques could be used by an attacker to discern > this information and > > may find it useful, even if the user has cleared other > parts of the UA's state. > > >> >> Per Eric Lawrence's feedback, this third section will be reworked into >> it's own privacy consideration bullet, and hopefully you'll find the >> clarification suitable. >> > > Thanks for you work on this section. >>> >>> >>> >>> ---------------------------------------------------------------------- >>> COMMENT: >>> ---------------------------------------------------------------------- >>> >>> I agree with Richard's comment that the document is well written and an >>> important document, thank you for writing it. The style changed a little >>> toward the end and I had some trouble with long sentences in the security >>> & privacy considerations sections. This should be easy enough to fix and >>> may be done with the RFC editor anyway. >>> >>> To Richard's point on operational concerns versus security concerns, are >>> there explicit security attacks that could occur with the max-age >>> variations described? >>> >>> In 4.2, I can't see this being more than an operational concern since it >>> fails when overlapping pin sets are not used. Are we missing a gap that >>> leads to a security concern? >> >> >> I suppose it depends on your threat model and how you view domain >> authority. >> >> In the example given, subdomain.example.com is bypassing the pins set for >> example.com+includeSubDomains, depending on timing. That is, if example.com >> is visited first, then subdomain.example.com MUST be equal-to-or-a-subset-of >> the pins for example.com, by virtue of the known pinned host evaluation. >> >> Thus if example.com wishes to administer pins for their domain (and all >> subdomains), it's necessary for them to prevent subdomains from setting the >> header. >> >> Now, you can see this as an operational concern if you view the >> example.com and subdomain.example.com as the same administrative entity, but >> that's sometimes not the case (e.g. shared hosting sites like Amazon AWS, >> GitHub's pages, or Google AppEngine) > > > Thanks for the explanation, it would be helpful to have something along > those lines in the draft This is a non-blocking comment, so ignore if you so > choose, but here is a suggestion to clarify this as a security concern (in > addition to an operational one). Perhaps if you explicitly stated that a > denial of service could result from this configuration issue, that would > help. Also stating the concern is heightened in a service provider > environment or one where a single domain is used across administratively > distinct applications, recommending that the includeSubDomain directive > should not be used in such circumstances to avoid this issue. >> >> >> >>> >>> >>> 4.3 makes sense to me as a security concern that drives operational >>> practices. >>> >>> >> > Thanks! > > > -- > > Best regards, > Kathleen
- [websec] Kathleen Moriarty's Discuss on draft-iet… Kathleen Moriarty
- Re: [websec] Kathleen Moriarty's Discuss on draft… Ryan Sleevi
- Re: [websec] Kathleen Moriarty's Discuss on draft… Kathleen Moriarty
- Re: [websec] Kathleen Moriarty's Discuss on draft… Barry Leiba
- Re: [websec] Kathleen Moriarty's Discuss on draft… Kathleen Moriarty