http://www.darkr= eading.com/vulnerability/https-side-channel-attack-a-tool-for-enc/240157583=

We do not have the details yet. But it seems like this will = be yet another variant of the 'in the browser' adaptive plaintext a= ttack against SSL enabling cookie stealing.

There = are two problems we need to fix:

1) Whatever the latest SSL issue is.

2) Stop using bearer tokens for authentication.

I anticipated this attack (it is the third time r= ound after all) which is why I wrote the session ID scheme as a drop in rep= lacement for cookies. In the short term sites would have to support both sc= hemes as a transitional measure but given the current transition to HTML5 i= t is entirely likely that some sites can force a transition sooner.

http://www.ietf.org/id/draft-hallambaker-http= session-01.txt

--
Website: http://hallambaker.com/

--001a1133b7da0100db04e087a941-- From tom@ritter.vg Tue Jul 2 07:00:19 2013 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAFD621F9ECF for ; Tue, 2 Jul 2013 07:00:19 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.119 X-Spam-Level: X-Spam-Status: No, score=-0.119 tagged_above=-999 required=5 tests=[BAYES_20=-0.74, FM_FORGED_GMAIL=0.622, NO_RELAYS=-0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k0XWAODIfYHt for ; Tue, 2 Jul 2013 07:00:19 -0700 (PDT) Received: from mail-pa0-x230.google.com (mail-pa0-x230.google.com [IPv6:2607:f8b0:400e:c03::230]) by ietfa.amsl.com (Postfix) with ESMTP id EE1BB21F9EB7 for ; Tue, 2 Jul 2013 07:00:17 -0700 (PDT) Received: by mail-pa0-f48.google.com with SMTP id kp12so6291663pab.21 for ; Tue, 02 Jul 2013 07:00:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=u/vsZYsR7gmweJ5OPnRVvfp9Hn5a4BDCQk3uENuVsP4=; b=GqFvojq2ytXAfJm5zq5MuqGLdc4O/caroNBmlHnQr3XaYFAqLbIasr4xMKktvXt4Bo 5Q6Bk6Aej7YhVHY/NuxFAGqNH95EoBCd5vrhEBxdRZkPS+DAXOoXBKWVOVNY/WVD80+l 8zVk3e2czS4JWxoavDVqRNfdpgXtzIPRn70Q0= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:x-gm-message-state; bh=u/vsZYsR7gmweJ5OPnRVvfp9Hn5a4BDCQk3uENuVsP4=; b=pWKKrxJZ5Fz4xg8ODfRAmyRSeioeSXZV/sJ2y4IsqVnZdrDH+HReqH9q6Y9WyB+QrI m6YV+FZdNyfXnZtH+jrXKQFYdGCgsIYDVwThJuLlC9oVAeg6VBIqHd6TGROev9u6CLRm Mvxz8e9MgtxW+dg86kEMYVohhu7qiIKWBofB7vnTzF9vwGkFm5N0wF7iD5PJxVoxP5+T doKVrS32e7kk0l6B6blvgZMlbbyIEyq8F/9vZm+Ai6rwtSoGue2QY7AHX24AqgwSA8xy zvTSlNQI9HUYRBGU0cCwLgZIR94kPquf/72qUMyUTtQDjaYqfOlCbIYWZQmhJNDUm7LF pz3A== X-Received: by 10.68.198.65 with SMTP id ja1mr29369675pbc.175.1372773616168; Tue, 02 Jul 2013 07:00:16 -0700 (PDT) MIME-Version: 1.0 Received: by 10.68.72.134 with HTTP; Tue, 2 Jul 2013 06:59:56 -0700 (PDT) In-Reply-To: References: From: Tom Ritter Date: Tue, 2 Jul 2013 09:59:56 -0400 Message-ID: To: Phillip Hallam-Baker Content-Type: text/plain; charset=ISO-8859-1 X-Gm-Message-State: ALoCoQkUfoyX3ASPPYOzcA+SH7qu47MrfbeDIsOTDLBwaMTNuyZH6ikcxrNe9XhriQJreYlPTBb5 Cc: websec Subject: Re: [websec] CRIME II alleged at Black Hat X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Jul 2013 14:00:20 -0000 On 2 July 2013 09:52, Phillip Hallam-Baker wrote: > http://www.darkreading.com/vulnerability/https-side-channel-attack-a-tool-for-enc/240157583 > > We do not have the details yet. But it seems like this will be yet another > variant of the 'in the browser' adaptive plaintext attack against SSL > enabling cookie stealing. Reading from what they're targeting: "could make it possible for targeted attackers to dig up secrets like session identifiers, CSRF tokens, OAuth tokens, and ViewState hidden fields " - I'm 90% certain this is an attack on HTTP compression. CSRF tokens and ViewState are in the HTTP response body. Session IDs and OAuth tokens *may* be in the body in some cases. -tom From hannes.tschofenig@gmx.net Tue Jul 2 07:38:58 2013 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D8F821F9EE1 for ; Tue, 2 Jul 2013 07:38:58 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -101.359 X-Spam-Level: X-Spam-Status: No, score=-101.359 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, SARE_LWSHORTT=1.24, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5JOGwhie6XKO for ; Tue, 2 Jul 2013 07:38:54 -0700 (PDT) Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) by ietfa.amsl.com (Postfix) with ESMTP id 4140821F9EEE for ; Tue, 2 Jul 2013 07:38:54 -0700 (PDT) Received: from mailout-de.gmx.net ([10.1.76.27]) by mrigmx.server.lan (mrigmx002) with ESMTP (Nemesis) id 0MN7F0-1Urqvl1nYW-006eX3 for ; Tue, 02 Jul 2013 16:38:53 +0200 Received: (qmail invoked by alias); 02 Jul 2013 14:38:53 -0000 Received: from 80-248-243-11.cust.suomicom.fi (EHLO [192.168.1.37]) [80.248.243.11] by mail.gmx.net (mp027) with SMTP; 02 Jul 2013 16:38:53 +0200 X-Authenticated: #29516787 X-Provags-ID: V01U2FsdGVkX1+PQtd4wI+PLjunm8Cod1jUAtF+8e5uRLlY/BQkRk 2M9yqeHURrr+oV Mime-Version: 1.0 (Apple Message framework v1085) Content-Type: text/plain; charset=us-ascii From: Hannes Tschofenig In-Reply-To: Date: Tue, 2 Jul 2013 17:38:51 +0300 Content-Transfer-Encoding: quoted-printable Message-Id: References: To: Phillip Hallam-Baker X-Pgp-Agent: GPGMail 1.4.1 X-Mailer: Apple Mail (2.1085) X-Y-GMX-Trusted: 0 Cc: websec Subject: Re: [websec] CRIME II alleged at Black Hat X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Jul 2013 14:38:58 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 [I posted this mail also the CA Browser Forum list but it is read-only = for non-members only. So, I post it here.] Hi Phil,=20 I am always a bit reluctant when I hear about these types of attacks. In = many cases, they are very basic and make various assumptions. In the = OAuth working group we had looked into various attacks and many of them = turned out to be an implementation flaw: someone tried to make some = short-cuts and then had to pay the price for it. The most recent example = was Facebook earlier this year.=20 So, I am looking forward to see the details of this attack.=20 If you know the speakers maybe it is possible to get in touch with them = upfront.=20 Just saying move away from bearer tokens is certainly simplistic for a = number of reasons.=20 Ciao Hannes On Jul 2, 2013, at 4:52 PM, Phillip Hallam-Baker wrote: > = http://www.darkreading.com/vulnerability/https-side-channel-attack-a-tool-= for-enc/240157583 >=20 > We do not have the details yet. But it seems like this will be yet = another variant of the 'in the browser' adaptive plaintext attack = against SSL enabling cookie stealing. >=20 > There are two problems we need to fix: >=20 > 1) Whatever the latest SSL issue is. >=20 > 2) Stop using bearer tokens for authentication. >=20 >=20 > I anticipated this attack (it is the third time round after all) which = is why I wrote the session ID scheme as a drop in replacement for = cookies. In the short term sites would have to support both schemes as a = transitional measure but given the current transition to HTML5 it is = entirely likely that some sites can force a transition sooner. >=20 > http://www.ietf.org/id/draft-hallambaker-httpsession-01.txt >=20 >=20 > --=20 > Website: http://hallambaker.com/ > _______________________________________________ > websec mailing list > websec@ietf.org > https://www.ietf.org/mailman/listinfo/websec -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.19 (Darwin) Comment: GPGTools - http://gpgtools.org iQEcBAEBCgAGBQJR0uX7AAoJEGhJURNOOiAtn2kH/1EVIvEm07+TG0BHqYuRuuzz 9JsWp4CdECuH3H4Zj+B3a5wrY6XsUxxmTaceC94S82YuV0jy/8wS8vBeeIuF2PU/ FUwTFDoJ8zVdRtPNNRsbLTwc7n/Jg8Hz477wb4CXllfgcqci4ADuihJW6WkaiqNX l/4h0mqIfFOeQ3q7km5BZuZrrD/UbxM4r231tJRxhJL5QKyH8I3e63gtUlBMwW0g nONH3NdoCGoXLiQT9E6YAzCzFQBbb1+UsJbkQ+N8kW+2GtOVdf5caxX6EtuThYuW 68MGKhDbFQZk1dSwLvxzX6sgak020h7o6DJJDlBJLG/jlPlF3KESYmV6LXSaIRo=3D =3DRS6A -----END PGP SIGNATURE----- From nico@cryptonector.com Sun Jul 7 17:22:05 2013 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCEB521F9F00 for ; Sun, 7 Jul 2013 17:22:05 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.961 X-Spam-Level: X-Spam-Status: No, score=-1.961 tagged_above=-999 required=5 tests=[AWL=0.016, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xBFRhqkUGYEu for ; Sun, 7 Jul 2013 17:22:01 -0700 (PDT) Received: from homiemail-a33.g.dreamhost.com (caiajhbdcaib.dreamhost.com [208.97.132.81]) by ietfa.amsl.com (Postfix) with ESMTP id 2087721F9CE9 for ; Sun, 7 Jul 2013 17:22:00 -0700 (PDT) Received: from homiemail-a33.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a33.g.dreamhost.com (Postfix) with ESMTP id 8B087594061 for ; Sun, 7 Jul 2013 17:21:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=DP17sGQhNKMnsXjcjiiv /xuTQWc=; b=S5aoUroVZkM6q5iyqaa+hytuHfGm27T371oi0j3igWbezcwVYvvB R60OMV4Z/LLxm9W9g2mGq989Rhmk/hal0ExKLWwpbQME+pKmfY6fHbdhDOTNYZUz cbKUdww3IzTGQ/+JKXf4oRiEgUQDMWFhr1lQmwgEj+6Ey/PxYQIPvMo= Received: from mail-we0-f169.google.com (mail-we0-f169.google.com [74.125.82.169]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a33.g.dreamhost.com (Postfix) with ESMTPSA id 1ED1F59405E for ; Sun, 7 Jul 2013 17:21:58 -0700 (PDT) Received: by mail-we0-f169.google.com with SMTP id n57so3245324wev.14 for ; Sun, 07 Jul 2013 17:21:57 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=la7lPS8XLmFLQrRl3MWDeiztV4/mTwfOTrrB3T1tMes=; b=VMyQD9cTboUgCtDP/J1zOwBxFunz8uyGgzBZeg2+tJ0HjiCVFDfWSpgCER5pKtq7Sw ynR+UC+2KRU97KIE2sJXgCDxroL/havNc8WepSga3qfFj4J2GdgF4BuY9Lufm/WWahBy dWqvLE4XoCz+xV+12YIufY2EZG0gEfiGhNbBFO1VBvJyjRYE73nTOAZvRNuxPsgE2muK 56Gwi/I70blRAHO+Tfwb+ZKH0Gs2im70jSm6sDIk9CtkvR6z4/S5+3BXoFAvAzR14VvA 4kFkgOxWZGwU5PEICTfwuGqV/NYrg1t0fqUXyy14WuqiBWttbmpBixc1iSOX8O6QDDG2 M3fw== MIME-Version: 1.0 X-Received: by 10.194.7.137 with SMTP id j9mr11101844wja.11.1373242917280; Sun, 07 Jul 2013 17:21:57 -0700 (PDT) Received: by 10.216.152.73 with HTTP; Sun, 7 Jul 2013 17:21:57 -0700 (PDT) In-Reply-To: <516F14E1.5040503@digitalbazaar.com> References: <516F14E1.5040503@digitalbazaar.com> Date: Sun, 7 Jul 2013 19:21:57 -0500 Message-ID: From: Nico Williams To: Manu Sporny Content-Type: text/plain; charset=UTF-8 Cc: websec@ietf.org, ietf-http-wg@w3.org, Web Payments CG Subject: Re: [websec] Web Keys and HTTP Signatures X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Jul 2013 00:22:06 -0000 In the IETF Websec WG we call the use of MACs to bind requests (and responses) to sessions: "session continuation". There have been... many specific proposals and even deployed protocols, like yours. We really do need a standard method for session continuation. Session continuation is predicated on having a session key already exchanged, possibly by an authentication mechanism. We'd like to separate the two things: session continuation on the one hand, and key exchange (and authentication) on the other. If your protocol is mature enough it might well be the one we should adopt. I urge you to subscribe to websec@ietf.org and help us :) Nico -- From internet-drafts@ietf.org Sun Jul 7 22:26:55 2013 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84CEE21F9FEA; Sun, 7 Jul 2013 22:26:55 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.516 X-Spam-Level: X-Spam-Status: No, score=-102.516 tagged_above=-999 required=5 tests=[AWL=0.084, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WR4lvI4KtTbe; Sun, 7 Jul 2013 22:26:55 -0700 (PDT) Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CEE321F9DD3; Sun, 7 Jul 2013 22:26:55 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable From: internet-drafts@ietf.org To: i-d-announce@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 4.51.p2 Message-ID: <20130708052654.13662.45967.idtracker@ietfa.amsl.com> Date: Sun, 07 Jul 2013 22:26:54 -0700 Cc: websec@ietf.org Subject: [websec] I-D Action: draft-ietf-websec-session-continue-prob-00.txt X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Jul 2013 05:26:55 -0000 A New Internet-Draft is available from the on-line Internet-Drafts director= ies. This draft is a work item of the Web Security Working Group of the IETF. Title : Hypertext Transport Protocol (HTTP) Session Continuation= : Problem Statement Author(s) : Nicolas Williams Filename : draft-ietf-websec-session-continue-prob-00.txt Pages : 13 Date : 2013-07-07 Abstract: One of the most often talked about problems in web security is "cookies". Web cookies are a method of associating requests with "sessions" that may have been authenticated somehow. Cookies are a form of bearer token that leave much to be desired. This document describes the session "continuation" problem for the HyperText Transport Protocol (HTTP). The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-websec-session-continue-prob There's also a htmlized version available at: http://tools.ietf.org/html/draft-ietf-websec-session-continue-prob-00 Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ From ynir@checkpoint.com Sun Jul 7 22:38:08 2013 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0B2D11E8186 for ; Sun, 7 Jul 2013 22:38:08 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.539 X-Spam-Level: X-Spam-Status: No, score=-10.539 tagged_above=-999 required=5 tests=[AWL=0.060, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iQm-lQdsrfTz for ; Sun, 7 Jul 2013 22:38:04 -0700 (PDT) Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 07B1E11E8188 for ; Sun, 7 Jul 2013 22:38:02 -0700 (PDT) Received: from IL-EX10.ad.checkpoint.com ([194.29.34.147]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id r685bmGe006168 for ; Mon, 8 Jul 2013 08:38:01 +0300 X-CheckPoint: {51DA502B-2B-1B221DC2-1FFFF} Received: from DAG-EX10.ad.checkpoint.com ([169.254.3.48]) by IL-EX10.ad.checkpoint.com ([169.254.2.91]) with mapi id 14.02.0342.003; Mon, 8 Jul 2013 08:37:53 +0300 From: Yoav Nir To: IETF WebSec WG Thread-Topic: Call for adoption: draft-ietf-websec-session-continue-prob-00 Thread-Index: AQHOe51K2fjJqAHy/0+f/EfC93Qceg== Date: Mon, 8 Jul 2013 05:37:52 +0000 Message-ID: <30F10539-AE45-48C6-A1ED-4914BDFB4156@checkpoint.com> References: <20130708052654.13662.45967.idtracker@ietfa.amsl.com> In-Reply-To: <20130708052654.13662.45967.idtracker@ietfa.amsl.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [172.31.24.110] x-kse-antivirus-interceptor-info: protection disabled x-cpdlp: 11224829e3e7ac92b6e03f1d303ddc61f0acb0259e Content-Type: text/plain; charset="us-ascii" Content-ID: <5A8E0AED1B01194E93E0D614EBF14511@ad.checkpoint.com> Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Subject: [websec] Call for adoption: draft-ietf-websec-session-continue-prob-00 X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Jul 2013 05:38:09 -0000 Hi all This has been submitted with a websec filename, but note that this is not (= yet) on our charter. At the Orlando meeting, we discussed some of the security issues with keepi= ng HTTP sessions using cookies. There was consensus in the room that this i= s a problem that needs solving. Nicolas Williams, Phillip Hallam-Baker, and= Yaron Sheffer volunteered to write a problem statement, and this is it. Th= e message we got from our AD is that first we should show that the working = group has the time and energy to work on solving this problem, and then we = can add this to our charter. So please have a look and this document, and answer the following: - Is this a good starting point for the problem statement? - Will you be willing to review the problem statement? - Will you be willing to read multiple solution proposals to help the work= ing group choose? - Will you be willing to review the solution document? We will have a chance to discuss this in Berlin, but it would be great if w= e have a rough measure of how much energy we have. Thanks Tobias and Yoav On Jul 8, 2013, at 8:26 AM, internet-drafts@ietf.org wrote: >=20 > A New Internet-Draft is available from the on-line Internet-Drafts direct= ories. > This draft is a work item of the Web Security Working Group of the IETF. >=20 > Title : Hypertext Transport Protocol (HTTP) Session Continuati= on: Problem Statement > Author(s) : Nicolas Williams > Filename : draft-ietf-websec-session-continue-prob-00.txt > Pages : 13 > Date : 2013-07-07 >=20 > Abstract: > One of the most often talked about problems in web security is > "cookies". Web cookies are a method of associating requests with > "sessions" that may have been authenticated somehow. Cookies are a > form of bearer token that leave much to be desired. This document > describes the session "continuation" problem for the HyperText > Transport Protocol (HTTP). >=20 >=20 > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-websec-session-continue-prob >=20 > There's also a htmlized version available at: > http://tools.ietf.org/html/draft-ietf-websec-session-continue-prob-00 >=20 >=20 > Internet-Drafts are also available by anonymous FTP at: > ftp://ftp.ietf.org/internet-drafts/ From ynir@checkpoint.com Sun Jul 7 22:40:51 2013 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2749811E8186 for ; Sun, 7 Jul 2013 22:40:51 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.541 X-Spam-Level: X-Spam-Status: No, score=-10.541 tagged_above=-999 required=5 tests=[AWL=0.058, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CutY8LoWoEU2 for ; Sun, 7 Jul 2013 22:40:46 -0700 (PDT) Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id B13CA21F9BBD for ; Sun, 7 Jul 2013 22:40:45 -0700 (PDT) Received: from IL-EX10.ad.checkpoint.com ([194.29.34.147]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id r685ecCl007369 for ; Mon, 8 Jul 2013 08:40:38 +0300 X-CheckPoint: {51DA50D6-B-1B221DC2-1FFFF} Received: from DAG-EX10.ad.checkpoint.com ([169.254.3.48]) by IL-EX10.ad.checkpoint.com ([169.254.2.91]) with mapi id 14.02.0342.003; Mon, 8 Jul 2013 08:40:38 +0300 From: Yoav Nir To: IETF WebSec WG Thread-Topic: [websec] Call for adoption: draft-ietf-websec-session-continue-prob-00 Thread-Index: AQHOe52s+b7dZBBWJUWpKSg43MuMrw== Date: Mon, 8 Jul 2013 05:40:37 +0000 Message-ID: References: <20130708052654.13662.45967.idtracker@ietfa.amsl.com> <30F10539-AE45-48C6-A1ED-4914BDFB4156@checkpoint.com> In-Reply-To: <30F10539-AE45-48C6-A1ED-4914BDFB4156@checkpoint.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [172.31.24.110] x-kse-antivirus-interceptor-info: protection disabled x-cpdlp: 11fcb890ab2dcc8d94b00a64c525bcdec82e97109b Content-Type: text/plain; charset="us-ascii" Content-ID: Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Subject: Re: [websec] Call for adoption: draft-ietf-websec-session-continue-prob-00 X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Jul 2013 05:40:51 -0000 And I'll start the ball rolling, buy answering yes (with no hats) to all qu= estions. On Jul 8, 2013, at 8:37 AM, Yoav Nir wrote: > Hi all >=20 > This has been submitted with a websec filename, but note that this is not= (yet) on our charter. >=20 > At the Orlando meeting, we discussed some of the security issues with kee= ping HTTP sessions using cookies. There was consensus in the room that this= is a problem that needs solving. Nicolas Williams, Phillip Hallam-Baker, a= nd Yaron Sheffer volunteered to write a problem statement, and this is it. = The message we got from our AD is that first we should show that the workin= g group has the time and energy to work on solving this problem, and then w= e can add this to our charter. >=20 > So please have a look and this document, and answer the following: > - Is this a good starting point for the problem statement? > - Will you be willing to review the problem statement? > - Will you be willing to read multiple solution proposals to help the wor= king group choose? > - Will you be willing to review the solution document? >=20 > We will have a chance to discuss this in Berlin, but it would be great if= we have a rough measure of how much energy we have. >=20 > Thanks >=20 > Tobias and Yoav >=20 > On Jul 8, 2013, at 8:26 AM, internet-drafts@ietf.org wrote: >=20 >>=20 >> A New Internet-Draft is available from the on-line Internet-Drafts direc= tories. >> This draft is a work item of the Web Security Working Group of the IETF. >>=20 >> Title : Hypertext Transport Protocol (HTTP) Session Continuat= ion: Problem Statement >> Author(s) : Nicolas Williams >> Filename : draft-ietf-websec-session-continue-prob-00.txt >> Pages : 13 >> Date : 2013-07-07 >>=20 >> Abstract: >> One of the most often talked about problems in web security is >> "cookies". Web cookies are a method of associating requests with >> "sessions" that may have been authenticated somehow. Cookies are a >> form of bearer token that leave much to be desired. This document >> describes the session "continuation" problem for the HyperText >> Transport Protocol (HTTP). >>=20 >>=20 >> The IETF datatracker status page for this draft is: >> https://datatracker.ietf.org/doc/draft-ietf-websec-session-continue-prob >>=20 >> There's also a htmlized version available at: >> http://tools.ietf.org/html/draft-ietf-websec-session-continue-prob-00 >>=20 >>=20 >> Internet-Drafts are also available by anonymous FTP at: >> ftp://ftp.ietf.org/internet-drafts/ >=20 > _______________________________________________ > websec mailing list > websec@ietf.org > https://www.ietf.org/mailman/listinfo/websec >=20 > Email secured by Check Point From alexey.melnikov@isode.com Mon Jul 8 10:11:48 2013 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 611E421F9D49 for ; Mon, 8 Jul 2013 10:11:48 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -101.149 X-Spam-Level: X-Spam-Status: No, score=-101.149 tagged_above=-999 required=5 tests=[AWL=-1.450, BAYES_00=-2.599, J_CHICKENPOX_33=0.6, MANGLED_LIST=2.3, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 28+ldkSzBOJd for ; Mon, 8 Jul 2013 10:11:47 -0700 (PDT) Received: from waldorf.isode.com (cl-125.lon-03.gb.sixxs.net [IPv6:2a00:14f0:e000:7c::2]) by ietfa.amsl.com (Postfix) with ESMTP id 7AEA921F9D46 for ; Mon, 8 Jul 2013 10:11:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1373303505; d=isode.com; s=selector; i=@isode.com; bh=JUr/ystuNnQu83LuzSg9RI280+zHO/NNNwgA2C1ojEg=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=gYPAAVIWZNxaYIywBNztcxPI+VgMBHeP1S518HDNEuZqiuJPSvwYI2h35/sDZXJxCCmQx4 jrt9lTSw4cOrX2fEpAAbWMq0cRzRMf6N+oincBS7QHUji+kptbpBEAX3AchM88OORiaWsJ zKVz7EwpqgXPXxX44P//yCHTR7aldEg=; Received: from [172.16.1.29] (shiny.isode.com [62.3.217.250]) by waldorf.isode.com (submission channel) via TCP with ESMTPA id ; Mon, 8 Jul 2013 18:11:45 +0100 Message-ID: <51DAF2DA.8050708@isode.com> Date: Mon, 08 Jul 2013 18:11:54 +0100 From: Alexey Melnikov User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20130620 Thunderbird/17.0.7 To: IETF WebSec WG MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: [websec] Review of draft-ietf-websec-key-pinning-06 X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Jul 2013 17:11:48 -0000 In 2.1, 1st para: use of SHOULD is not needed. This is already an extension. What is the point of violating the SHOULD? It seems to be the same as not supporting the extension. End of section 2.1: base-64 needs a Normative reference. 2.1.3: next to the last paragraph: "MAY fail to report" is not a proper use of RFC 2119 keyword, as this is not an implementation choice. Just use lowercase "may" here. sha-1 and sha-256 need Normative references. In 2.5: the 3rd para from the end: how is this different from the 4th para? It seems to specify a weaker requirement. Typo: max.age JSON (Section 3) needs a Normative reference. Section 5 (IANA) contradicts section 2.1. So actually there are IANA Considerations. You should mark Section 8 as requiring removal by RFC-Editor, as this section is not useful in the final document (RFC). From palmer@google.com Mon Jul 8 16:29:49 2013 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9890E21F9B9B for ; Mon, 8 Jul 2013 16:29:49 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.922 X-Spam-Level: X-Spam-Status: No, score=0.922 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_33=0.6, MANGLED_LIST=2.3, NO_RELAYS=-0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x6OeSuk-9t4Q for ; Mon, 8 Jul 2013 16:29:49 -0700 (PDT) Received: from mail-vc0-x22b.google.com (mail-vc0-x22b.google.com [IPv6:2607:f8b0:400c:c03::22b]) by ietfa.amsl.com (Postfix) with ESMTP id 1C05311E80E1 for ; Mon, 8 Jul 2013 16:29:49 -0700 (PDT) Received: by mail-vc0-f171.google.com with SMTP id gd11so3825559vcb.30 for ; Mon, 08 Jul 2013 16:29:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=bCoqoH2QnW5n74N/sD9jGXkajoxB7vr91LWoFf0gXso=; b=UVUgJyXa12zNBuHP5mW4xfTpMNj6x3QP4wERu7I70m1AE7TR0luCczWVSOovD5LVdk gdIVm8c4oHJMsWNQGDd0JdpGga07YcbLE7Dvam/4tuaVyqeMC3eEM87/Ll/2j68rY+Nv sNeH8PmimXjLGcoaYcCyO7vdfMmjfKUZETgeataBz/sFLFGjf7XgC+1ZOUPrxF16emW+ WbQYD2txsOSqHrxUmiagw/2xDECr3R+aUoDhtrVVyeM84PcPWxgFFCuVPxesDLOYbcNU xJWBfcQFJnml/DhgD4xf8qlE2bDqnOmBPN6tyXeViAb4cXR/ItM3W6VR2u+JtYHS7KDM 08YQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=bCoqoH2QnW5n74N/sD9jGXkajoxB7vr91LWoFf0gXso=; b=RnKo757a9TPa5wmtrxMakwVoYyg9lnTBTIwNyfflHcrG6GoupkksnWnaQwDNF4OZ7W +NNBNwyo2wOo88S/F+BP5MtSsIbnNjR8HAvHusU0CBGczgByDwc1nBzxRzpQDC/4mL1G Ow/XEgY+ySi1rCCbDUTl5R32IcSUw8V0hOADvYb4mxfKuaWshOQ+0jSmI0cI54780rl+ RwNmgcFbUVSY/rCCV4T5kyGMT1JTR2hCMpLgxiMCGt92LCjYJ4ee9oCeydAlvKckxHfk hq+juyaVR1Z1HlLHY4uRdalRpv1M8H19Jkqw5aGs5IhipO46JSrOI/nBZkVzUBScBXFs AYZA== MIME-Version: 1.0 X-Received: by 10.220.66.136 with SMTP id n8mr15168357vci.49.1373326188400; Mon, 08 Jul 2013 16:29:48 -0700 (PDT) Received: by 10.220.108.135 with HTTP; Mon, 8 Jul 2013 16:29:48 -0700 (PDT) In-Reply-To: <51DAF2DA.8050708@isode.com> References: <51DAF2DA.8050708@isode.com> Date: Mon, 8 Jul 2013 16:29:48 -0700 Message-ID: From: Chris Palmer To: Alexey Melnikov Content-Type: text/plain; charset=UTF-8 X-Gm-Message-State: ALoCoQnDBwM1QkZAloxiKsC9w4wMefhnw43d8uzv7kPCAFyKuWL7+rWusDCXPb5+kFo5co/5Ua8qn4xclV19fGypY/R1GxSGY2TYff89Ku8wVIGW4bfM/CiwErb12OtZ7Rl6RF6kBc3SOwo5ZHpVJV2YUx98NykZHCQkP0jt1ewl9JtT3yX00493hJVzHpICOTdfivKBdeqI Cc: IETF WebSec WG Subject: Re: [websec] Review of draft-ietf-websec-key-pinning-06 X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Jul 2013 23:29:49 -0000 Thanks, Alexey! I will soon upload a version -07 that addresses most of your points and which also adds a Privacy Considerations section as requested by previous commenters. Notes and questions below: On Mon, Jul 8, 2013 at 10:11 AM, Alexey Melnikov wrote: > In 2.1, 1st para: use of SHOULD is not needed. This is already an extension. > What is the point of violating the SHOULD? It seems to be the same as not > supporting the extension. Lowercased to "should". > End of section 2.1: base-64 needs a Normative reference. Added and cited. > 2.1.3: next to the last paragraph: "MAY fail to report" is not a proper use > of RFC 2119 keyword, as this is not an implementation choice. Just use > lowercase "may" here. Done. > sha-1 and sha-256 need Normative references. Added and cited. > In 2.5: the 3rd para from the end: how is this different from the 4th para? > It seems to specify a weaker requirement. Can you say which paragraphs explicitly? I'm having a hard time figuring out which ones you mean. Thanks. > Typo: max.age Fixed. > JSON (Section 3) needs a Normative reference. Added and cited. > Section 5 (IANA) contradicts section 2.1. So actually there are IANA > Considerations. Added a comment in Section 5 to that effect. > You should mark Section 8 as requiring removal by RFC-Editor, as this > section is not useful in the final document (RFC). At least some RFCs do have Acknowledgements sections? Is there a standard way of telling the RFC-Editor to remove the section? From internet-drafts@ietf.org Mon Jul 8 16:39:31 2013 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9ACD21F9B94; Mon, 8 Jul 2013 16:39:30 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.477 X-Spam-Level: X-Spam-Status: No, score=-102.477 tagged_above=-999 required=5 tests=[AWL=0.123, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l+teUJWQuK8f; Mon, 8 Jul 2013 16:39:30 -0700 (PDT) Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 38CFF21F9A31; Mon, 8 Jul 2013 16:39:30 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable From: internet-drafts@ietf.org To: i-d-announce@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 4.51.p2 Message-ID: <20130708233930.18502.4410.idtracker@ietfa.amsl.com> Date: Mon, 08 Jul 2013 16:39:30 -0700 Cc: websec@ietf.org Subject: [websec] I-D Action: draft-ietf-websec-key-pinning-07.txt X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Jul 2013 23:39:31 -0000 A New Internet-Draft is available from the on-line Internet-Drafts director= ies. This draft is a work item of the Web Security Working Group of the IETF. Title : Public Key Pinning Extension for HTTP Author(s) : Chris Evans Chris Palmer Ryan Sleevi Filename : draft-ietf-websec-key-pinning-07.txt Pages : 23 Date : 2013-07-08 Abstract: This memo describes an extension to the HTTP protocol allowing web host operators to instruct user agents (UAs) to remember ("pin") the hosts' cryptographic identities for a given period of time. During that time, UAs will require that the host present a certificate chain including at least one Subject Public Key Info structure whose fingerprint matches one of the pinned fingerprints for that host. By effectively reducing the number of authorities who can authenticate the domain during the lifetime of the pin, pinning may reduce the incidence of man-in-the-middle attacks due to compromised Certification Authorities. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning There's also a htmlized version available at: http://tools.ietf.org/html/draft-ietf-websec-key-pinning-07 A diff from the previous version is available at: http://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-websec-key-pinning-07 Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ From jbonneau@gmail.com Mon Jul 8 21:24:09 2013 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 879E921F9BA6 for ; Mon, 8 Jul 2013 21:24:09 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8WB57uiyjyDL for ; Mon, 8 Jul 2013 21:24:08 -0700 (PDT) Received: from mail-qa0-x22c.google.com (mail-qa0-x22c.google.com [IPv6:2607:f8b0:400d:c00::22c]) by ietfa.amsl.com (Postfix) with ESMTP id 0C6F921F9B9C for ; Mon, 8 Jul 2013 21:24:07 -0700 (PDT) Received: by mail-qa0-f44.google.com with SMTP id o13so6176483qaj.10 for ; Mon, 08 Jul 2013 21:24:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type; bh=ytY4t3U9FS9n2U4TrHa+wodQXVhef3t9rIcoh/JQc8Y=; b=NJwjBphT4PKQbYYlEcrW8Xb4aXeEYZkmmdnpKqv60mDUyoQ8oUvLa667isMZhV3V7W X099ZUcSdvE0QDT3i/jBRLmeu6B9F8ioygAn/vAVW7qgOdJVPLRuxo9Q2K5g9d+4S+Eh dIAAh1RoLc6Aj1KI/NmbJ8FgjudrJuO9f1rgEnVIAeNiAk8oXzBm62TgViraWg6JwxL9 IyAELiZhFcku4BL2RrIMgYa01Wn0AgNZ/HJcKFp8dAq5MBxvNdXDGBC9kXWMqfZFf5Mm YvSYRnyf8NZaVoR4GgrB4ik5KaFJ4kE3MjcNWZ2qonDruR1+cjv/aSE9OXDvqhhvW4Em Upow== X-Received: by 10.224.172.198 with SMTP id m6mr21637426qaz.44.1373343846316; Mon, 08 Jul 2013 21:24:06 -0700 (PDT) MIME-Version: 1.0 Received: by 10.49.120.199 with HTTP; Mon, 8 Jul 2013 21:23:46 -0700 (PDT) In-Reply-To: <51C7F08F.2090205@gondrom.org> References: <51C7F08F.2090205@gondrom.org> From: Joseph Bonneau Date: Tue, 9 Jul 2013 00:23:46 -0400 Message-ID: To: Tobias Gondrom , websec@ietf.org Content-Type: multipart/alternative; boundary=047d7b5d8c7f1d450f04e10c889a Subject: Re: [websec] HPKP and privacy X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Jul 2013 04:24:09 -0000 --047d7b5d8c7f1d450f04e10c889a Content-Type: text/plain; charset=UTF-8 There is now a section on privacy considerations in the new draft ( http://tools.ietf.org/html/draft-ietf-websec-key-pinning-07#section-5). The text does a nice job explaining the N-pinned-subdomains-as-supercookie attack, and also using report-uri as a tracking mechanism. There is no advice to implementers, however. Is there a reason not to make explicit that user agents SHOULD remove pins for privacy reasons, something along the lines of the text I suggested previously: > Thinking of (a) and (b) is it worth adding a section to the spec on > privacy considerations? The high points would be that (a) Browsers SHOULD > remove dynamic pins for a domain whenever users request deletion of other > browser-history state for that domain, such as a "clear history" request or > the end of a private browsing session. (b) Browsers MAY decline to note > pins for privacy reasons for third-party domains while browsing, similar to > third-party cookie policies. > > Cheers, Joe --047d7b5d8c7f1d450f04e10c889a Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable There is now a section on privacy considerations in the new draft (http://tools.ietf.org/html/draft-ietf-websec-key-pinning-= 07#section-5). The text does a nice job explaining the N-pinned-subdoma= ins-as-supercookie attack, and also using report-uri as a tracking mechanis= m.

There is no advice to implementers, however. Is there a reas= on not to make explicit that user agents SHOULD remove pins for privacy rea= sons, something along the lines of the text I suggested previously:

Thinking of (a) and (b) is it worth adding a section to the spec on privacy considerations? The high points would be that (a) Browsers SHOULD remove dynamic pins for a domain whenever users request deletion of other browser-history state for that domain, such as a "clear history" request or the end of a private browsing session. (b) Browsers MAY decline to note pins for privacy reasons for third-party domains while browsing, similar to third-party cookie policies.=C2=A0

Cheers,

Joe

--047d7b5d8c7f1d450f04e10c889a-- From ynir@checkpoint.com Mon Jul 8 21:57:27 2013 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDEC421F9CF3 for ; Mon, 8 Jul 2013 21:57:27 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.544 X-Spam-Level: X-Spam-Status: No, score=-10.544 tagged_above=-999 required=5 tests=[AWL=0.055, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UdW5IyWbwPMV for ; Mon, 8 Jul 2013 21:57:19 -0700 (PDT) Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 69F8121F9CEC for ; Mon, 8 Jul 2013 21:57:18 -0700 (PDT) Received: from IL-EX10.ad.checkpoint.com ([194.29.34.147]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id r694vGKK007719; Tue, 9 Jul 2013 07:57:16 +0300 X-CheckPoint: {51DB982B-1-1B221DC2-1FFFF} Received: from DAG-EX10.ad.checkpoint.com ([169.254.3.48]) by IL-EX10.ad.checkpoint.com ([169.254.2.91]) with mapi id 14.02.0342.003; Tue, 9 Jul 2013 07:57:15 +0300 From: Yoav Nir To: Chris Palmer Thread-Topic: [websec] Review of draft-ietf-websec-key-pinning-06 Thread-Index: AQHOe/5Awc18hwEkn0CDNhvqUptgEJlbO8sAgABbfgA= Date: Tue, 9 Jul 2013 04:57:15 +0000 Message-ID: <1F476385-849E-41F0-9B8C-A69A9C36FA71@checkpoint.com> References: <51DAF2DA.8050708@isode.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [172.31.21.208] x-kse-antivirus-interceptor-info: protection disabled x-cpdlp: 11c11bfe0cb7a57dde1b583c2a8a556c4ce2d2ac31 Content-Type: text/plain; charset="us-ascii" Content-ID: Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Cc: IETF WebSec WG Subject: Re: [websec] Review of draft-ietf-websec-key-pinning-06 X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Jul 2013 04:57:27 -0000 On Jul 9, 2013, at 2:29 AM, Chris Palmer wrote: >=20 >> In 2.5: the 3rd para from the end: how is this different from the 4th pa= ra? >> It seems to specify a weaker requirement. >=20 > Can you say which paragraphs explicitly? I'm having a hard time > figuring out which ones you mean. Thanks. 3rd Para: "If the Public-Key-Pins response header field does not meet all t= hree of these criteria, the UA MUST NOT note the host as a Pinned Host." 4th Para: "The UA MUST ignore Public-Key-Pins response header fields receiv= ed on connections that do not meet the first criterion." >=20 >> You should mark Section 8 as requiring removal by RFC-Editor, as this >> section is not useful in the final document (RFC). >=20 > At least some RFCs do have Acknowledgements sections? >=20 > Is there a standard way of telling the RFC-Editor to remove the section? The standard way is to add a sentence like: [RFC EDITOR: PLEASE REMOVE THIS SECTION] And don't worry, just before the RFC is published, you get to review that t= he RFC editor made all the right changes. And I think Alexey meant section 9 ("What's changed") rather than section 8= . RFCs do have acknowledgement sections. Hope this helps Yoav= From alexey.melnikov@isode.com Tue Jul 9 01:09:41 2013 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DB5F21F9EF4 for ; Tue, 9 Jul 2013 01:09:41 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -101.901 X-Spam-Level: X-Spam-Status: No, score=-101.901 tagged_above=-999 required=5 tests=[AWL=-0.698, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u9UeOCGGazvZ for ; Tue, 9 Jul 2013 01:09:36 -0700 (PDT) Received: from statler.isode.com (statler.isode.com [62.3.217.254]) by ietfa.amsl.com (Postfix) with ESMTP id AE09F21F9EEF for ; Tue, 9 Jul 2013 01:09:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1373357369; d=isode.com; s=selector; i=@isode.com; bh=f04kyx+apYceBWnecWAPahHmTNIbcLm3DMN0PaGRAx4=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=vsPPyV3xhhOrjx12oHNPh3R6oPu2kO3IvpREyW7wQ7WnQ30vc5MxwKtIL2nXzVNGdeXDxX DT+w0NrYbrXVsS41Go2qsjOKhBa/zK4aM2j0Dz37Y8Lu9CqkdLlq2bBAd2ne9Z90mpWJwB wereduFgJY0FYxrjVYKUZ7Bf5HWLljY=; Received: from [10.210.28.155] ((unknown) [212.183.128.178]) by statler.isode.com (submission channel) via TCP with ESMTPA id ; Tue, 9 Jul 2013 09:09:29 +0100 X-SMTP-Protocol-Errors: NORDNS References: <51DAF2DA.8050708@isode.com> <1F476385-849E-41F0-9B8C-A69A9C36FA71@checkpoint.com> In-Reply-To: <1F476385-849E-41F0-9B8C-A69A9C36FA71@checkpoint.com> Message-Id: <8C30B0D0-360D-4188-8758-1C1E285B53C2@isode.com> X-Mailer: iPhone Mail (10A523) From: Alexey Melnikov Date: Tue, 9 Jul 2013 09:09:52 +0100 To: Yoav Nir MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Cc: IETF WebSec WG Subject: Re: [websec] Review of draft-ietf-websec-key-pinning-06 X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Jul 2013 08:09:41 -0000 On 9 Jul 2013, at 05:57, Yoav Nir wrote: > On Jul 9, 2013, at 2:29 AM, Chris Palmer wrote: >>> You should mark Section 8 as requiring removal by RFC-Editor, as this >>> section is not useful in the final document (RFC). >>=20 >> At least some RFCs do have Acknowledgements sections? >>=20 >> Is there a standard way of telling the RFC-Editor to remove the section? >=20 > The standard way is to add a sentence like: > [RFC EDITOR: PLEASE REMOVE THIS SECTION] >=20 > And don't worry, just before the RFC is published, you get to review that t= he RFC editor made all the right changes. >=20 > And I think Alexey meant section 9 ("What's changed") Oh yes, you are correct. > rather than section 8. RFCs do have acknowledgement sections. From tom@ritter.vg Tue Jul 9 06:29:42 2013 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FAF411E812A for ; Tue, 9 Jul 2013 06:29:42 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.049 X-Spam-Level: X-Spam-Status: No, score=-1.049 tagged_above=-999 required=5 tests=[AWL=0.929, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, NO_RELAYS=-0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 14cqiW9IiSfT for ; Tue, 9 Jul 2013 06:29:41 -0700 (PDT) Received: from mail-pd0-x235.google.com (mail-pd0-x235.google.com [IPv6:2607:f8b0:400e:c02::235]) by ietfa.amsl.com (Postfix) with ESMTP id C3AAB11E8128 for ; Tue, 9 Jul 2013 06:29:41 -0700 (PDT) Received: by mail-pd0-f181.google.com with SMTP id 14so5244887pdj.26 for ; Tue, 09 Jul 2013 06:29:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=0XnKwsw6in4a7QJOkZ70fGlEa72x+aVqmeXX7HUkpZo=; b=RGg/6iN6gDlOfW0zcnKT1nl48JyIAcDK5eZb8dSCCbgbfnYseD46NbwUJgDTW2hiR1 wn+es1vu0a85eVkphQ1kbf9+ok+uhl8J2LaVG2otgF2T/xGgZhG9BNuA8eBeGOTn2FvG wnnKp0rX1c1L3Ey4LPXDWz9G/h/NBijOWo1Nc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:x-gm-message-state; bh=0XnKwsw6in4a7QJOkZ70fGlEa72x+aVqmeXX7HUkpZo=; b=SL9+UQt18s1pECiWbPvCy2A0gXb/fp5l/S4JePp8HhAWh8iKxpUg+b4y7/0XSGMvzN T9mKzBsJDxOU2zU7o7rnAoPTdPL51mrCYzlxuz9bN7OYryEL9QXQVqHTcC4xNB3UoYBh dywD7wCtoFZOhL0EpBi11V1uV1Zq6BdihIcqz1jgRI9qr0xcR7375m1mmc2R6Uf90T2+ orO15oUEZHb8royVQLGBhKvJW0E1LbDFiE6X+CtMNL6pEwy2HN0tPaVhKSFwy+iXFajs wbrGZyJMhfHMuBEMnqfRw65wIyvQDcNHQxusxCEmHdwkVF2t+avg42FgU1sBUmSQEKTU FTsQ== X-Received: by 10.68.252.194 with SMTP id zu2mr26385312pbc.58.1373376581122; Tue, 09 Jul 2013 06:29:41 -0700 (PDT) MIME-Version: 1.0 Received: by 10.68.72.134 with HTTP; Tue, 9 Jul 2013 06:29:21 -0700 (PDT) In-Reply-To: References: <51C7F08F.2090205@gondrom.org> From: Tom Ritter Date: Tue, 9 Jul 2013 09:29:21 -0400 Message-ID: To: Joseph Bonneau Content-Type: text/plain; charset=ISO-8859-1 X-Gm-Message-State: ALoCoQlRroiw560U6tmOGz8e9mOnCB41tjcW2GA8iTFjPDmb+y0ExLDt0bobHGFtV6htfKYjCdT6 Cc: websec@ietf.org Subject: Re: [websec] HPKP and privacy X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Jul 2013 13:29:42 -0000 On 9 July 2013 00:23, Joseph Bonneau wrote: > There is no advice to implementers, however. Is there a reason not to make > explicit that user agents SHOULD remove pins for privacy reasons, something > along the lines of the text I suggested previously: It states that UAs must let people clear data: >UAs MUST have a way for users to clear current pins for Pinned Hosts. >UAs SHOULD have a way for users to query the current state of Pinned >Hosts. When *should* a user agent automatically remove pins for privacy reasons? Any algorithm anyone comes up with will be known, and will be bypassed with multiple domains, or whatever. -tom From palmer@google.com Tue Jul 9 14:43:12 2013 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAA7311E817E for ; Tue, 9 Jul 2013 14:43:12 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.528 X-Spam-Level: X-Spam-Status: No, score=-0.528 tagged_above=-999 required=5 tests=[AWL=1.450, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, NO_RELAYS=-0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I886ed4R5r82 for ; Tue, 9 Jul 2013 14:43:12 -0700 (PDT) Received: from mail-ve0-x233.google.com (mail-ve0-x233.google.com [IPv6:2607:f8b0:400c:c01::233]) by ietfa.amsl.com (Postfix) with ESMTP id 7174711E817D for ; Tue, 9 Jul 2013 14:43:07 -0700 (PDT) Received: by mail-ve0-f179.google.com with SMTP id d10so5056912vea.24 for ; Tue, 09 Jul 2013 14:43:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=XsA1rg2qdi/9S9/Km7fj6JB1rjm1KC2xBw0kTbJVr4U=; b=LQQykmCwsg97XnN1m8bqsYaurIgBzqlPubNz36uPc2fSVuRKvNQuRjW3FJEGqqMyDz EwDhu8bvxZsJmsu5Hn1W5z4XhRq0f+6xUx36Wm2r9LKkfuPKEsCrscmKD0utFPEFcXiz 2cyGgOQiRwWXbOvQhky6yZlZl52W8Vptpjq1UhsVsmUIhxe46wnHirTOupybmWD5DVIk 40QYzPhG+t7iqxEGrb5rC5el6up5GhhSt4WeQfD7CnGOhGPLKefKVfdbUhbP+G1R6oYI SQgZ5mDSY27rX+wSmwGVuOzFlc7g1ODAl6XJFKk5ge2GPRsPgdY7Nx9c32sBfdfbrPZS odHw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=XsA1rg2qdi/9S9/Km7fj6JB1rjm1KC2xBw0kTbJVr4U=; b=ML3cMAvYjJwRLWGwEa9USzZM02DCgh5xPbVBoyntKrxfkvbvyatrQPrXgZG6sVqU8Y N97Ib7NhQWrxSfjIFooeNsEut4tu/kf3ZaJiU2P43EaOzYDqvQNuK01NG26rimpxy8ra wv+8pDSjJcG5d/UK3VxY33R2yEvyP/oAJRUdPRLVMnFo1j5I8DX7hX760rXUOw8uzo2C OXf1GujsTsqdH6EYUicp3xV8uBrOvz5fz+/pFH3BjVxOrJqXs3+wi7c8YyHfJmZngOLv WPCni8oX3hXlLym5eiSDxQ30abXfmdc6iRKNQg/efMm1bEkXVjZe/oWEEECXSHN+ow4A /CMQ== MIME-Version: 1.0 X-Received: by 10.220.111.206 with SMTP id t14mr17726834vcp.77.1373406186891; Tue, 09 Jul 2013 14:43:06 -0700 (PDT) Received: by 10.220.108.135 with HTTP; Tue, 9 Jul 2013 14:43:06 -0700 (PDT) In-Reply-To: References: <51C7F08F.2090205@gondrom.org>

Date: Tue, 9 Jul 2013 14:43:06 -0700 Message-ID: From: Chris Palmer To: Tom Ritter Content-Type: text/plain; charset=UTF-8 X-Gm-Message-State: ALoCoQkl2j+lNuVpNSiqEiEWXJrOSGw1KQV1bZj8UsXaqf9cYRVP+AXXqvFo2E78t0c/mR44uvnQFFM7BJYPCXdCZ6v6E+I9MZHEUt0hP70G1F4SkzvRkGvsUbMuFP9JDoDZTagGaywl9PBC2kyafOSMyBjyutclRxyrTijRf9hreIFBw/gKBI28kuRf5wto/ZdtrGveuH+r Cc: IETF WebSec WG Subject: Re: [websec] HPKP and privacy X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Jul 2013 21:43:13 -0000 On Tue, Jul 9, 2013 at 6:29 AM, Tom Ritter wrote: >> There is no advice to implementers, however. Is there a reason not to make >> explicit that user agents SHOULD remove pins for privacy reasons, something >> along the lines of the text I suggested previously: > > It states that UAs must let people clear data: Yes. > When *should* a user agent automatically remove pins for privacy > reasons? Any algorithm anyone comes up with will be known, and will > be bypassed with multiple domains, or whatever. Yes. Unfortunately, I don't see a way to have both HPKP and automatic defense against this kind of super-cookie. The problem exists for HSTS, too. From jbonneau@gmail.com Tue Jul 9 15:54:56 2013 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF11321F9607 for ; Tue, 9 Jul 2013 15:54:46 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CxJnrXM3cRK3 for ; Tue, 9 Jul 2013 15:54:46 -0700 (PDT) Received: from mail-vc0-x22f.google.com (mail-vc0-x22f.google.com [IPv6:2607:f8b0:400c:c03::22f]) by ietfa.amsl.com (Postfix) with ESMTP id B21FA21F9A72 for ; Tue, 9 Jul 2013 15:54:30 -0700 (PDT) Received: by mail-vc0-f175.google.com with SMTP id hr11so4720350vcb.6 for ; Tue, 09 Jul 2013 15:54:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=79PRz0wnUEhY3POM1MK90ebGy7bMloTU1zuBXzni+ww=; b=sjhsCNpSj4WlFKEHlLbGIOI5szIvKDb+CeJNAQL2qcMVDMSJ4db1xnOIOWmjaRWWsv 0lh0MrQrKRwESpOpXk9K3TEvwDjarohbrBhQlIR5Hfe0zpfGan+Hz6J1ykQ9ckLeEGEN 1CY06pmNmyzTvigeiZnZe/TckSKRcnC5phnJBD2oCuTVv9p5habIrLlzOQ+wT5Gy7sgd rsDlKxYlrxmljO7bWJBpmHR4edq5SbiouypiIXhaIwkaKsaDVYpg3WvyytXtC+IFmd7E 11Wa5afzlS5bCTuHuE5+dhxjAHg7afGpdc3J2dDWM/EKt0+9edsqyekNsb3nsQ6QDtaF DCtg== X-Received: by 10.58.46.48 with SMTP id s16mr17762440vem.52.1373410468848; Tue, 09 Jul 2013 15:54:28 -0700 (PDT) MIME-Version: 1.0 Received: by 10.220.103.69 with HTTP; Tue, 9 Jul 2013 15:54:08 -0700 (PDT) In-Reply-To: References: <51C7F08F.2090205@gondrom.org>

From: Joseph Bonneau Date: Tue, 9 Jul 2013 18:54:08 -0400 Message-ID: To: Chris Palmer Content-Type: multipart/alternative; boundary=089e012945b0206aad04e11c0bcd Cc: IETF WebSec WG Subject: Re: [websec] HPKP and privacy X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Jul 2013 22:54:56 -0000 --089e012945b0206aad04e11c0bcd Content-Type: text/plain; charset=UTF-8 > > It states that UAs must let people clear data: > > Yes. Ah I see this text now, I was confused since it's in a different section. > > When *should* a user agent automatically remove pins for privacy > > reasons? Any algorithm anyone comes up with will be known, and will > > be bypassed with multiple domains, or whatever. > > Yes. Unfortunately, I don't see a way to have both HPKP and automatic > defense against this kind of super-cookie. The problem exists for > HSTS, too. > I agree, but there are two things user agents SHOULD do at a minimum: (a) clear pins for domains whenever other domain-specific information is cleared for privacy reasons (delete history since time N, or private browsing mode) (b) not store pins in cases where cookies will not be rejected for privacy reasons (such as third-party cookie blocking policies). I don't think these are obvious to implementers so I would like to seem them in the spec. Joe --089e012945b0206aad04e11c0bcd Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable

> It states that UAs must let people clear data:

Yes.

Ah I see this text now, I was co= nfused since it's in a different section.=C2=A0

=C2=A0

<= blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px= #ccc solid;padding-left:1ex">

> When *should* a user agent automatically remove pins for privacy
> reasons? =C2=A0Any algorithm anyone comes up with will be known, and w= ill
> be bypassed with multiple domains, or whatever.

Yes. Unfortunately, I don't see a way to have both HPKP and autom= atic
defense against this kind of super-cookie. The problem exists for
HSTS, too.

I agree, but there are two things user agents S= HOULD do at a minimum: (a) clear pins for domains whenever other domain-spe= cific information is cleared for privacy reasons (delete history since time= N, or private browsing mode) (b) not store pins in cases where cookies wil= l not be rejected for privacy reasons (such as third-party cookie blocking = policies). I don't think these are obvious to implementers so I would l= ike to seem them in the spec.

Joe

--089e012945b0206aad04e11c0bcd-- From sm@resistor.net Tue Jul 9 17:41:27 2013 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A06C21F9D3A; Tue, 9 Jul 2013 17:41:27 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.597 X-Spam-Level: X-Spam-Status: No, score=-102.597 tagged_above=-999 required=5 tests=[AWL=0.002, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GeTzt+7M4mao; Tue, 9 Jul 2013 17:41:26 -0700 (PDT) Received: from mx.ipv6.elandsys.com (mx.ipv6.elandsys.com [IPv6:2001:470:f329:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id 7487121F9D35; Tue, 9 Jul 2013 17:41:26 -0700 (PDT) Received: from SUBMAN.resistor.net (IDENT:sm@localhost [127.0.0.1]) (authenticated bits=0) by mx.elandsys.com (8.14.5/8.14.5) with ESMTP id r6A0fE1j001199; Tue, 9 Jul 2013 17:41:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=opendkim.org; s=mail2010; t=1373416880; bh=SOubPN1CvNymPELAoGmiqs67sywGlwolHEwpC07iqvs=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=ycq4RCL/MMlLagEThg0EArxsHdMoxECI9AqhZ/FLcHtEAcBHKZN2OdvRLX1mG0kcn ehJ5EP7/sQAK1pF5DIRsVnrWa0FWd2BoUF8Irc9qF1lMLTdG6cDhxBPqbW13Fa/TOw OeizPRZGbitYHfShn8vchc2diM9jrB6KVoVJItNw= DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=resistor.net; s=mail; t=1373416880; i=@resistor.net; bh=SOubPN1CvNymPELAoGmiqs67sywGlwolHEwpC07iqvs=; h=Date:To:From:Subject:Cc:In-Reply-To:References; b=uqgd8NOD1Rs6a9VY+M48HZyAJQS+peW5ZDLQ11a1cZKttCuJjSIcpyf9LuHyH+/7j OLXergPPOw2og4ZUGNHYac38OBQvOasNHwIJWki/kcL4aYUsHEaaMBl0AiPTTirA8q lxkHsz0d2mZvJkYg25pdTDuFy2DdB/0JoMDqaxbU= Message-Id: <6.2.5.6.2.20130709172646.0b2a0978@resistor.net> X-Mailer: QUALCOMM Windows Eudora Version 6.2.5.6 Date: Tue, 09 Jul 2013 17:38:34 -0700 To: Tom Ritter From: SM In-Reply-To: References: <51C7F08F.2090205@gondrom.org>

Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Cc: ietf-privacy@ietf.org, websec@ietf.org Subject: Re: [websec] HPKP and privacy X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Jul 2013 00:41:27 -0000 Hi Tom, [Cc to privacy-nuts :-)] At 06:29 09-07-2013, Tom Ritter wrote: >On 9 July 2013 00:23, Joseph Bonneau wrote: > > There is no advice to implementers, however. Is there a reason not to make > > explicit that user agents SHOULD remove pins for privacy reasons, something > > along the lines of the text I suggested previously: > >It states that UAs must let people clear data: > > >UAs MUST have a way for users to clear current pins for Pinned Hosts. > >UAs SHOULD have a way for users to query the current state of Pinned > >Hosts. I read Section 5 and missed the above (it's in Section 7). Section 5 basically says that HPKP can be a super-cookie. It then explains two attack scenarios. I think that the privacy considerations should be made explicit. Regards, -sm From trevp@trevp.net Wed Jul 10 13:00:03 2013 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F4B421F9E5A for ; Wed, 10 Jul 2013 13:00:03 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.976 X-Spam-Level: X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Vvg3X+150E8 for ; Wed, 10 Jul 2013 12:59:58 -0700 (PDT) Received: from mail-wg0-f43.google.com (mail-wg0-f43.google.com [74.125.82.43]) by ietfa.amsl.com (Postfix) with ESMTP id 5401521F99BB for ; Wed, 10 Jul 2013 12:59:57 -0700 (PDT) Received: by mail-wg0-f43.google.com with SMTP id z11so6309014wgg.10 for ; Wed, 10 Jul 2013 12:59:50 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:date:message-id:subject:from:to :content-type:x-gm-message-state; bh=VyuPDYq4m/NbiRA2bByr/ZeAm4I6NyatZjp7VCCsaaY=; b=aHNQVfyBDaVPGTqUpGO2ZHgyBiNXsVOAt/JvVdYLV4/tIfTuhk6GG1bfylIJhHTVJt XZSAn0/vV8mkrZvqFJTLWULqpgUzn+1+EWPO7O/+lwAJO8pWUqecJByuvSXbAAYLfigh l4J7Tc3X8VPijkAIxRYBwKxUVPgWGMrSh3m/3K9B/YB/8wU4Z9nL8ndiVArZfhAxTCP5 h5OcAJzRWb3fA8tb/rsCTnHiewy/vDLgRlEClWVzy7p5hDFFZnog5wq38LFZtZSCnaMG WmBC8P3TDrsfo7VSvULUblYG8SASKojP5aTSxR3Ji0mUs1wMM24x4GZbFa2K/2kYcBCH 1SXA== MIME-Version: 1.0 X-Received: by 10.180.101.170 with SMTP id fh10mr21045248wib.22.1373486390150; Wed, 10 Jul 2013 12:59:50 -0700 (PDT) Received: by 10.216.212.9 with HTTP; Wed, 10 Jul 2013 12:59:50 -0700 (PDT) X-Originating-IP: [50.37.26.202] Date: Wed, 10 Jul 2013 12:59:50 -0700 Message-ID: From: Trevor Perrin To: IETF WebSec WG Content-Type: multipart/alternative; boundary=14dae9cc96ec639c3404e12db859 X-Gm-Message-State: ALoCoQkjjP8r2uVlDBEVO2cnPNSEBEfoVdJTO12CKG5MsmD3y9y1xPUyec2CrUVxdc/UmJ+Qr/t8 Subject: [websec] Review of key pinning draft-07 X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Jul 2013 20:00:03 -0000 --14dae9cc96ec639c3404e12db859 Content-Type: text/plain; charset=ISO-8859-1 Hi Chris, all, There's a few issues that need more discussion: 1) Are SubjectPublicKeyInfos the right things to pin? I suspect the easiest and safest pin for most sites would be a list of trusted CAs. Expressing this in HPKP seems difficult and error-prone. 2) Is an HTTP Response Header, sent on every response from a pinned host, the best way to assert the pin? It's not obvious why this is better than a .well-known URL, or a response that is only returned if the client asks for it. 3) Interaction with preloaded pins needs more thought, see email thread [1]. 4) Interaction with cookies needs discussion. Cookie scoping rules pose a serious problem for pinning, e.g. a pin at "example.com" could be undermined by a MITM inventing a "badguy.example.com" and using it to steal or force cookies. Comments: * Why is there a "Public-Key-Pins-Report-Only" header instead of a "report-only" directive? Most of the document is written as if there was a single "PKP header field", so a directive would make more sense. * In draft-05, client processing was changed from noting a single "expiry" value to noting two values: "Effective Pin Date" and "max-age". The previous approach was simpler, stored less data, and was more aligned with HSTS. * Section 2.3.1 fails to update the Effective Date of a noted pin when it is noted again. * Section 2.6 mandates "When a UA connects to a pinned Host, if the TLS connection has errors, the UA MUST terminate the connection without allowing the user to proceed". HSTS allows the server to specify this, so it seems unnecessary and inflexible to mandate it here. It's also unclear whether a "report-only" pin counts as a "pinned Host". * UA processing rules are confusingly spread across the document. For example, much of "2.2 Server Processing Model" is actually UA processing. Also, 2.3.1 and 2.5 describe the same process so should be combined. * Section 2.5 - Does a failed validation of a "report-only" pin count as an "error" that will inhibit noting of new pins in the connection? * Specified UA behavior with multiple header fields is contradictory: - 2.1.3: "If a Host sets both the Public-Key-Pins header and the Public-Key- Pins-Report-Only header, the UA MUST NOT enforce Pin Validation, and MUST note only the pins and directives given in the Public-Key-Pins- Report-Only header." - 2.3.1: "If a UA receives more than one PKP header field in an HTTP response message over secure transport, then the UA MUST process only the first such header field." * Section 3 - Should the failure report contain the certificates sent by the server, as well as the validated chain? Could help debugging and attack analysis. * Why is SHA1 supported? If the reason is size, why not remove it but allow the server to pin to a truncated hash (e.g. pin to the first 16 or 20 bytes of SHA256) * Should there be a list of "excluded" keys that must not appear in the "validated certificate chain"? Chrome's preloaded pinning supports this, apparently to exclude 3rd-party subCAs that might have been issued under a pinned CA. * Would it be better to use the term "pin" for the entire record associating (hostname, HPKP data), instead of calling each individual hash a "pin"? The hostname is "pinned" to the 1-of-n key set as a whole, not each key individually. * Should the header name be changed once this draft stabilizes, to ensure no bad interactions with UAs that implemented earlier drafts? Minor: * "Pinning Policy" and "Pinning Metadata" are synonyms? * 2.3.1 "Known HSTS Host" -> "Known HPKP Host" * 2.3.1 ... "or," ... "Otherwise" is confusing * 2.3.2 - are clients expected to store directives they don't understand? * 2.6 - is pin validation performed on resumed TLS connections? * 3 - can UAs provide additional JSON fields inside the report? * The term "validated certificate chain" is not defined * An IANA registry is needed for directives * The acknowledgement for "pin break codes" is ancient/irrelevant Trevor [1] http://www.ietf.org/mail-archive/web/websec/current/msg01651.html --14dae9cc96ec639c3404e12db859 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable

Hi Chris, all,

There's a few issues that need more discussion:

=A01) Are SubjectPublicKeyInfos the right = things to pin? =A0I suspect the easiest and safest pin for most sites would= be a list of trusted CAs. =A0Expressing this in HPKP seems difficult and e= rror-prone.

=A02) Is an HTTP Response Header, sent on every respons= e from a pinned host, the best way to assert the pin? =A0It's not obvio= us why this is better than a .well-known URL, or a response that is only re= turned if the client asks for it.

=A03) Interaction with preloaded pins needs more though= t, see email thread [1].

=A04) Interaction with co= okies needs discussion. =A0Cookie scoping rules pose a serious problem for = pinning, e.g. a pin at "example.com= " could be undermined by a MITM inventing a "badguy.example.com" and using it to steal or for= ce cookies.

Comments:

=A0* Why is there a = "Public-Key-Pins-Report-Only" header instead of a "report-on= ly" directive? =A0Most of the document is written as if there was a si= ngle "PKP header field", so a directive would make more sense.

=A0

=A0* In draft-05, client processing was changed from not= ing a single "expiry" value to noting two values: "Effective= Pin Date" and "max-age". =A0The previous approach was simpl= er, stored less data, and was more aligned with HSTS.

=A0

=A0* Section 2.3.1 fails to update the Effective Date of= a noted pin when it is noted again.

=A0=A0

=A0* Sectio= n 2.6 mandates "When a UA connects to a pinned Host, if the TLS connec= tion has errors, the UA MUST terminate the connection without allowing the = user to proceed". =A0HSTS allows the server to specify this, so it see= ms unnecessary and inflexible to mandate it here. =A0It's also unclear = whether a "report-only" pin counts as a "pinned Host".<= /div>

=A0* UA processing rules are confusingly spread across = the document. =A0For example, much of "2.2 Server Processing Model&quo= t; is actually UA processing. =A0Also, 2.3.1 and 2.5 describe the same proc= ess so should be combined.

=A0* Section 2.5 - Does a failed validation of a "= report-only" pin count as an "error" that will inhibit notin= g of new pins in the connection?

=A0

=A0* Specified UA = behavior with multiple header fields is contradictory:

=A0- 2.1.3: "If a Host sets both the Public-Key-Pins header and t= he Public-Key-

=A0 =A0 Pins-Report-Only header, the UA MUST NOT e= nforce Pin Validation, and

=A0 =A0 MUST note only the pins and di= rectives given in the Public-Key-Pins-

=A0 =A0 Report-Only header."

=A0- 2.3.1: "If a UA = receives more than one PKP header field in an HTTP

=A0 =A0 respon= se message over secure transport, then the UA MUST=A0

=A0 =A0 pro= cess only the first such header field."

=A0

=A0* Section 3 - Should the failure report contain the c= ertificates sent by the server, as well as the validated chain? =A0Could he= lp debugging and attack analysis.

=A0* Why is SHA1= supported? =A0If the reason is size, why not remove it but allow the serve= r to pin to a truncated hash (e.g. pin to the first 16 or 20 bytes of SHA25= 6)

=A0* Should there be a list of "excluded" key= s that must not appear in the "validated certificate chain"? =A0C= hrome's preloaded pinning supports this, apparently to exclude 3rd-part= y subCAs that might have been issued under a pinned CA.

=A0

=A0* Would it be better to use the term "pin" = for the entire record associating (hostname, HPKP data), instead of calling= each individual hash a "pin"? =A0The hostname is "pinned&qu= ot; to the 1-of-n key set as a whole, not each key individually.

=A0* Should the header name be changed once this draft = stabilizes, to ensure no bad interactions with UAs that implemented earlier= drafts?

=A0

Minor:

=A0* "= Pinning Policy" and "Pinning Metadata" are synonyms?

=A0* 2.3.1 "Known HSTS Host" -> "Known HPKP Host&quo= t;

=A0* 2.3.1 ... "or," ... "Otherwise" is co= nfusing

=A0* 2.3.2 - are clients expected to store directives the= y don't understand?

=A0* 2.6 - is pin validation performed on resumed TLS connections?

=A0* 3 - can UAs provide additional JSON fields inside the report?

=A0* The term "validated certificate chain" is not defin= ed

=A0* An IANA registry is needed for directives

=A0* The ackn= owledgement for "pin break codes" is ancient/irrelevant

Trevor =A0

[1] h= ttp://www.ietf.org/mail-archive/web/websec/current/msg01651.html

--14dae9cc96ec639c3404e12db859-- From palmer@google.com Wed Jul 10 13:36:28 2013 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C0E121F9A4B for ; Wed, 10 Jul 2013 13:36:28 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.253 X-Spam-Level: X-Spam-Status: No, score=-1.253 tagged_above=-999 required=5 tests=[AWL=0.725, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, NO_RELAYS=-0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JLCQklFoPngH for ; Wed, 10 Jul 2013 13:36:27 -0700 (PDT) Received: from mail-vc0-x22f.google.com (mail-vc0-x22f.google.com [IPv6:2607:f8b0:400c:c03::22f]) by ietfa.amsl.com (Postfix) with ESMTP id DC20D21F9AB7 for ; Wed, 10 Jul 2013 13:36:16 -0700 (PDT) Received: by mail-vc0-f175.google.com with SMTP id hr11so5944327vcb.6 for ; Wed, 10 Jul 2013 13:36:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=0Gv/ORY5nF5bEBkpPRSrvRlrNNmjWJXfHD0ikrls7mY=; b=OhDBpzCooAS7TNa3K1c4AqAmdquaAAo/MyOSO92blBGTIKT7w2dCom+3QaUxkXF+8J i1qlqPVbjMqfRdcFKZr9zrIYHdeoMFS2HccZh4GnMRsw/42uh97cvCcR+PetctldaynP LfDAz/YT29ZYI1FjltA4DnNNZVJNCY9qLqpOyJwO/6gL//40IX/4CGOD05iH7IcBo8sk 9T70HNSUeaLpFQHB44ufO0RElhk5D2ies5aamsO+P80qnyk8JBbLWe4oSMhLNlNJWHEJ 7/oyqyWrxFTxFKnSN3GF/VxWVXiqNRNB3A3MHuJeSZXhuniK8VTOx9+G6KOm4h1D4U5g lzPQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding:x-gm-message-state; bh=0Gv/ORY5nF5bEBkpPRSrvRlrNNmjWJXfHD0ikrls7mY=; b=bMbcPt/f9SE2Smflo8cVN8x0SAoZFg5UuvOnzWPt5fdLumnQNMVC8hwFK6mDg1mDEF RfesqHDJ4IDrK2PgnwcfrUhUX8ufRLTbyclawamWG5cNdg7eFxSqk4OYkE9jIW500GEM rXeS6ODIMBUkANsvBxbNXDM9Ox5aMvCp80bAiOat0n5Zf++G0505ZK2SjcpjTDh650T8 UP7nwl9rcltmIuveGPMp6ozcvpLT+MwG6yk+Bfa1tW1yJPmiDbAluTHAn4pobwOibmqE tU4DCLBo9rEkh3SNuDWuk9LucINwtvcvkXybmkSM2VFZc928xQczv24vFbgv0qiSj9/R +crQ== MIME-Version: 1.0 X-Received: by 10.52.25.69 with SMTP id a5mr16785395vdg.99.1373488574788; Wed, 10 Jul 2013 13:36:14 -0700 (PDT) Received: by 10.220.108.135 with HTTP; Wed, 10 Jul 2013 13:36:14 -0700 (PDT) In-Reply-To: References: <51C7F08F.2090205@gondrom.org>

Date: Wed, 10 Jul 2013 13:36:14 -0700 Message-ID: From: Chris Palmer To: Joseph Bonneau , ietf-privacy@ietf.org Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Gm-Message-State: ALoCoQkVQOlxZAknUkS/oKfSmUj0EPOTGAPugce39DvxEFBqqRprwECcOkX81cTwjPJfzAnnnSQtzDZgFrjAG5yyee5/u93sQfro8AKQ6Bwa3ePDanmEubKeva7N+Jw9Q2iOc1VOwke2MFdinGy86mTfSQwXsiTuVtBdXHrd9RLCs8LnMAF7snP4IGH4mAScJw6gmmU0JXDZ Cc: IETF WebSec WG Subject: Re: [websec] HPKP and privacy X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Jul 2013 20:36:28 -0000 On Tue, Jul 9, 2013 at 3:54 PM, Joseph Bonneau wrote: >> Yes. Unfortunately, I don't see a way to have both HPKP and automatic >> defense against this kind of super-cookie. The problem exists for >> HSTS, too. > > I agree, but there are two things user agents SHOULD do at a minimum: (a) > clear pins for domains whenever other domain-specific information is clea= red > for privacy reasons (delete history since time N, or private browsing mod= e) We currently have decided NOT to do this for HSTS. You can see the somewhat tortured history of the behavior in Chrome here: https://code.google.com/p/chromium/issues/detail?id=3D104935 Chrome's Incognito mode is an easy way to get Chrome to not persistently store any local state (thus defeating a wide range of super-cookie techniques, including but not limited to ETag, HSTS, HPKP, cache hit/miss timing). If you are concerned about privacy side-effects from local state, use Incognito. (Also, it behooves me to refer to the official Incognito documentation: https://support.google.com/chrome/answer/95464?hl=3Den) > (b) not store pins in cases where cookies will not be rejected for privac= y > reasons (such as third-party cookie blocking policies). I don't think the= se > are obvious to implementers so I would like to seem them in the spec. I'm not sure what you mean here. Did you mean to write, "not store pins in cases where cookies WILL be rejected for privacy reasons"? Note that the HSTS and HPKP super-cookie is primarily useful for *recovering* a previously-set but then deleted cookie =E2=80=94 it does not= by itself allow the server to *easily* correlate requests, only to laboriously recover a thing (like a cookie) that does. So if the UA is blocking (say) third-party cookies anyway, the HSTS/HPKP super-cookie technique might not work too well for the third-party adversary. Or at least not as well as other techniques that are already available. I believe we are in the privacy margins here. Incognito mitigates the concern; blocking third-party cookies somewhat mitigates the concern; N-host HSTS/HPKP super-cookies are (probably? I think?) not the most efficient of the many available super-cookie techniques; I assume everyone likes the report-uri feature and that we don't want to get rid of it; et c. As far as I know, the ETag/Last-Modified super-cookie technique is unsolved (http://www.nikcub.com/posts/persistant-and-unblockable-cookies-using-http-= headers), and much more straightforward for implicit-tracking adversaries to use. From trevp@trevp.net Wed Jul 10 14:32:48 2013 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DF5221F9DBC for ; Wed, 10 Jul 2013 14:32:48 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.976 X-Spam-Level: X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EFUg0DjxQUmu for ; Wed, 10 Jul 2013 14:32:43 -0700 (PDT) Received: from mail-we0-f171.google.com (mail-we0-f171.google.com [74.125.82.171]) by ietfa.amsl.com (Postfix) with ESMTP id 0FBDA21F9D80 for ; Wed, 10 Jul 2013 14:32:42 -0700 (PDT) Received: by mail-we0-f171.google.com with SMTP id m46so6309244wev.16 for ; Wed, 10 Jul 2013 14:32:42 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:date :message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=hl0d6Xb9Ljw/b27lpwVyf1roSddfO5S1HBwUSG44QRc=; b=CIju2mWnzLQtVp08EDz/iF/Ib22g4CuZcilfKGv8B461mzfkOUZa1ODGoGwcpfLtpJ D58gmbz5HrWumeC8XXQKluhrL32eHrft5s3/MErArhz3D2KcBcb4GFZbTmuKilLuYOrt aq8Qw/7l+PZ+eQiDBlBETd2UNL0/bcX3eDQkUMKH6XtLbxN/mxR+bKI8rfKc6ZyWWQNp vOcIkGhKWwA8KfiMQvTRkUNVWUofHjq+Pcxwj7/dTbzwvSKPr4A0y4yO96TxMrjCURHs AWlt3yh+pVCxuL6+Ccxv+O0WPUPa8xLT9eTG7hg4HDU8KWsMmbBeOqikRSi6AGKLuqRB XGsg== MIME-Version: 1.0 X-Received: by 10.180.189.5 with SMTP id ge5mr6449083wic.48.1373491961966; Wed, 10 Jul 2013 14:32:41 -0700 (PDT) Received: by 10.216.212.9 with HTTP; Wed, 10 Jul 2013 14:32:41 -0700 (PDT) X-Originating-IP: [50.37.26.202] In-Reply-To: <30F10539-AE45-48C6-A1ED-4914BDFB4156@checkpoint.com> References: <20130708052654.13662.45967.idtracker@ietfa.amsl.com> <30F10539-AE45-48C6-A1ED-4914BDFB4156@checkpoint.com> Date: Wed, 10 Jul 2013 14:32:41 -0700 Message-ID: From: Trevor Perrin To: Yoav Nir Content-Type: multipart/alternative; boundary=001a11c2239a7ec31b04e12f0415 X-Gm-Message-State: ALoCoQneRLwng0GORdCw0KjKo97FUCURHolnc9pZsHCMSPC53rRmflGQvNRhQpP6bHltt4Utvc/9 Cc: IETF WebSec WG Subject: Re: [websec] Call for adoption: draft-ietf-websec-session-continue-prob-00 X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Jul 2013 21:32:48 -0000 --001a11c2239a7ec31b04e12f0415 Content-Type: text/plain; charset=ISO-8859-1 On Sun, Jul 7, 2013 at 10:37 PM, Yoav Nir wrote: > Hi all > > This has been submitted with a websec filename, but note that this is not > (yet) on our charter. > > At the Orlando meeting, we discussed some of the security issues with > keeping HTTP sessions using cookies. There was consensus in the room that > this is a problem that needs solving. Nicolas Williams, Phillip > Hallam-Baker, and Yaron Sheffer volunteered to write a problem statement, > and this is it. The message we got from our AD is that first we should show > that the working group has the time and energy to work on solving this > problem, and then we can add this to our charter. > > So please have a look and this document, and answer the following: > - Is this a good starting point for the problem statement? > Hmm, it's surprising there's no discussion of cookie scoping problems like: - "cookie stealing" via MITM-created subdomains [1], or - "cookie forcing" via attacker-controlled sibling or cousin domains [2] These attacks seems particularly relevant to this WG, since they can subvert hostname-specified security like HSTS or HPKP. Also: despite mentioning a few proposals, there's no mention of ChannelID / Channel-bound cookies [3]. ChannelID seems to solve these problems, seems more polished than other proposals, and apparently is being experimentally deployed (see Chrome | Preferences | Cookies and site data | "google.com" or "gmail.com"). - Will you be willing to review the problem statement? > - Will you be willing to read multiple solution proposals to help the > working group choose? > - Will you be willing to review the solution document? > I'd be more interested in websec taking this on if someone could argue why ChannelID is *not* the right solution, and had some ideas how to do better. Trevor [1] http://tools.ietf.org/html/rfc6265 Section 4.1.2.3 WARNING https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies Scope http://tools.ietf.org/html/rfc6797 Section 14.4 [2] http://tools.ietf.org/html/rfc6265 Sections 4.1.2.5 and 8.6 http://scarybeastsecurity.blogspot.com/2008/11/cookie-forcing.html https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies Overwriting cookies [3] http://tools.ietf.org/html/draft-balfanz-tls-channelid-01 --001a11c2239a7ec31b04e12f0415 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable

= On Sun, Jul 7, 2013 at 10:37 PM, Yoav Nir <ynir@checkpoint.com> wrote:

Hi all

This has been submitted with a websec filename, but note that this is not (= yet) on our charter.

At the Orlando meeting, we discussed some of the security issues with keepi= ng HTTP sessions using cookies. There was consensus in the room that this i= s a problem that needs solving. Nicolas Williams, Phillip Hallam-Baker, and= Yaron Sheffer volunteered to write a problem statement, and this is it. Th= e message we got from our AD is that first we should show that the working = group has the time and energy to work on solving this problem, and then we = can add this to our charter.

So please have a look and this document, and answer the following:
=A0- Is this a good starting point for the problem statement?

Hmm, it's surprising there's no discus= sion of cookie scoping problems like:
=A0- "cookie steal= ing" via MITM-created subdomains [1], or=A0

=A0- "cookie forcing" via attacker-controlled sibling or cou= sin domains [2]=A0

These attacks seems particularl= y relevant to this WG, since they can subvert hostname-specified security l= ike HSTS or HPKP.

Also: =A0despite mentioning a few proposals, there= 's no mention of ChannelID / Channel-bound cookies [3]. =A0
<= br>
ChannelID seems to solve these problems, seems more polished = than other proposals, and apparently is being experimentally deployed (see = Chrome | Preferences | Cookies and site data | "google.com" or "gmail.co= m").

=A0- Will you be willing to review the problem statement?
=A0- Will you be willing to read multiple solution proposals to help the wo= rking group choose?
=A0- Will you be willing to review the solution document?
<= div>

I'd be more interested in websec taking this on if s= omeone could argue why ChannelID is *not* the right solution, and had some = ideas how to do better.

Trevor

[1]

http://tool= s.ietf.org/html/rfc6265 =A0Section 4.1.2.3 WARNING

https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_fo= r_cookies =A0Scope

http://tools.ietf.org/h= tml/rfc6797 =A0Section 14.4

[2]

http://tools.ietf.org/html/rfc62= 65 =A0Sections 4.1.2.5 and 8.6

http://scarybeastsecurity.blogspot.com/2008/11/cookie-forcing.html=

https://code.google.com/p/browsersec/wiki/Pa= rt2#Same-origin_policy_for_cookies =A0Overwriting cookies

[3] http://tools.ietf.org/html/draft-balfanz-tls-channelid-0= 1

--001a11c2239a7ec31b04e12f0415-- From nico@cryptonector.com Wed Jul 10 14:39:48 2013 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58C5021F9C8C for ; Wed, 10 Jul 2013 14:39:48 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.074 X-Spam-Level: X-Spam-Status: No, score=-2.074 tagged_above=-999 required=5 tests=[AWL=-0.097, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7ellJm2Teqe4 for ; Wed, 10 Jul 2013 14:39:43 -0700 (PDT) Received: from homiemail-a34.g.dreamhost.com (caiajhbdcbbj.dreamhost.com [208.97.132.119]) by ietfa.amsl.com (Postfix) with ESMTP id 2AF5B11E8124 for ; Wed, 10 Jul 2013 14:39:43 -0700 (PDT) Received: from homiemail-a34.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a34.g.dreamhost.com (Postfix) with ESMTP id A900910060 for ; Wed, 10 Jul 2013 14:39:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=SdTWZklFjq5iN7VJBH8C Sv1f7hk=; b=J5jOlsUDvEi4Cga73NGKBsnjlacR0K8Aituk1R9NwMnx9cj//RZd mkJDamvePEVoWldrPPp1wENGINb/nRZASR4h/vNGUI1C1YV7LAuxLo2D9C/1wkli C4rn3MR2vRbO1pufHUj/qUBGlFY0TcLBqzr8iJ/7KUK1UMrkPID4QPs= Received: from mail-wg0-f53.google.com (mail-wg0-f53.google.com [74.125.82.53]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a34.g.dreamhost.com (Postfix) with ESMTPSA id 1B1CB10058 for ; Wed, 10 Jul 2013 14:39:41 -0700 (PDT) Received: by mail-wg0-f53.google.com with SMTP id y10so6517678wgg.32 for ; Wed, 10 Jul 2013 14:39:40 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=46djknWE52f7NI88oJzMe3zx2Hq1XfjjyKHsPcoYYIc=; b=DLHKks75hsgKeCdeRST15fRhXmjNTVViwTaovd25EEmxKi6YrXBICJZB0AOUnqtB0Z HX+iO0M7+Z7P9hKLXGHYLvpBTzIG3zAZislgfC/qlDKbM+0zQre8D2UQNpWEUJCukoef GPXDSxU1YwhlH8jIhsl0rSPn2TqoptOIe6np8xr7+pyZ447QgoA9KYmYmxMcwzH0rhw9 8GFj821IUK1MAwMNOeZYbknFZ3Xc04Cl7DJ8lq+GGVqrh8buZiEG+tKoFFLjLX2qJOpS yqpBtLN5dWwiDtgMpSCwaK2/0xVaRJR9/wlEzfLi3xvpq/dyEJMwyetyPKdAn4OIPnio 8P2Q== MIME-Version: 1.0 X-Received: by 10.194.240.169 with SMTP id wb9mr18589554wjc.90.1373492380443; Wed, 10 Jul 2013 14:39:40 -0700 (PDT) Received: by 10.217.38.138 with HTTP; Wed, 10 Jul 2013 14:39:40 -0700 (PDT) In-Reply-To: References: <20130708052654.13662.45967.idtracker@ietfa.amsl.com> <30F10539-AE45-48C6-A1ED-4914BDFB4156@checkpoint.com> Date: Wed, 10 Jul 2013 16:39:40 -0500 Message-ID: From: Nico Williams To: Trevor Perrin Content-Type: text/plain; charset=UTF-8 Cc: IETF WebSec WG Subject: Re: [websec] Call for adoption: draft-ietf-websec-session-continue-prob-00 X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Jul 2013 21:39:48 -0000 On Wed, Jul 10, 2013 at 4:32 PM, Trevor Perrin wrote: > Hmm, it's surprising there's no discussion of cookie scoping problems like: > - "cookie stealing" via MITM-created subdomains [1], or > - "cookie forcing" via attacker-controlled sibling or cousin domains [2] There's minimal discussion of the concept of "origin"; it clearly needs more text. I'd love to receive some suggestions for such text :) > Also: despite mentioning a few proposals, there's no mention of ChannelID / > Channel-bound cookies [3]. > > ChannelID seems to solve these problems, seems more polished than other > proposals, and apparently is being experimentally deployed (see Chrome | > Preferences | Cookies and site data | "google.com" or "gmail.com"). There's definitely mention of channel binding. Channel bound cookies used over HTTPS would meet the requirements of this spec, except for the CRIME/BEAST resistance part. I'm not sure that we should mandate CRIME/BEAST resistance -- TLS should arguably be able to resist such attacks. But it will take a long time to deploy TLS that does, and that's what makes it appealing to have CRIME/BEAST resistance in the session continuation protocol. >> - Will you be willing to review the problem statement? >> - Will you be willing to read multiple solution proposals to help the >> working group choose? >> - Will you be willing to review the solution document? > > I'd be more interested in websec taking this on if someone could argue why > ChannelID is *not* the right solution, and had some ideas how to do better. See above. Nico -- From trevp@trevp.net Wed Jul 10 14:54:43 2013 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41DA911E8135 for ; Wed, 10 Jul 2013 14:54:43 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.976 X-Spam-Level: X-Spam-Status: No, score=-2.976 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UoZ-+uuVqyzD for ; Wed, 10 Jul 2013 14:54:37 -0700 (PDT) Received: from mail-we0-f179.google.com (mail-we0-f179.google.com [74.125.82.179]) by ietfa.amsl.com (Postfix) with ESMTP id 45C9011E8132 for ; Wed, 10 Jul 2013 14:54:31 -0700 (PDT) Received: by mail-we0-f179.google.com with SMTP id w59so6197494wes.24 for ; Wed, 10 Jul 2013 14:54:24 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:date :message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=r9dJb1ylbukEgIKSBKl5+6R8ZaxnJhJ6Ti+rnHommPY=; b=GOjVGPCpDaTeTpKzmzPQ0guO+wS1AgyWsEksT3D80rBuAQZNQtS6BxJy7UV/mHEwpw hBSr3ARdjFvzGQm6VDJ8rkbn+lljxkvsgruzcEiqteOVooYWroe4lOhDkpndQEv/S74K pKu87QWe9r6ccsktNU3uKHRfatXD9BOFhgusRrfWUyGV/5zHwwsFr7KhzM5olGwb+Wyq 2854oSNFCnf/uxbceEsO3qbTD1Q5tBn6qNeaunlhu+En9D5KhE80B5/lRY01Kj5oj8ys zACoaZZrxIpJGWhYj5SOj135h74KO5+uX3bxGwzonoKZM/1DuESEjUq3fuK8nYgR5j7e 0ceg== MIME-Version: 1.0 X-Received: by 10.194.24.40 with SMTP id r8mr19122565wjf.7.1373493264501; Wed, 10 Jul 2013 14:54:24 -0700 (PDT) Received: by 10.216.212.9 with HTTP; Wed, 10 Jul 2013 14:54:24 -0700 (PDT) X-Originating-IP: [50.37.26.202] In-Reply-To: References: <20130708052654.13662.45967.idtracker@ietfa.amsl.com> <30F10539-AE45-48C6-A1ED-4914BDFB4156@checkpoint.com>

Date: Wed, 10 Jul 2013 14:54:24 -0700 Message-ID: From: Trevor Perrin To: Nico Williams Content-Type: multipart/alternative; boundary=047d7b5d352821e24404e12f5226 X-Gm-Message-State: ALoCoQkH1eas8E5F/ZOq0BkHynTNgM9NSLJsqIwYjnlr9xHtCLcwdLO/bZfGadMUosu348qK7VWf Cc: IETF WebSec WG Subject: Re: [websec] Call for adoption: draft-ietf-websec-session-continue-prob-00 X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Jul 2013 21:54:43 -0000 --047d7b5d352821e24404e12f5226 Content-Type: text/plain; charset=ISO-8859-1 On Wed, Jul 10, 2013 at 2:39 PM, Nico Williams wrote: > On Wed, Jul 10, 2013 at 4:32 PM, Trevor Perrin wrote: > > Hmm, it's surprising there's no discussion of cookie scoping problems > like: > > - "cookie stealing" via MITM-created subdomains [1], or > > - "cookie forcing" via attacker-controlled sibling or cousin domains [2] > > There's minimal discussion of the concept of "origin"; it clearly > needs more text. I'd love to receive some suggestions for such text > :) I'm not volunteering! It's complicated... > > Also: despite mentioning a few proposals, there's no mention of > ChannelID / > > Channel-bound cookies [3]. > > > > ChannelID seems to solve these problems, seems more polished than other > > proposals, and apparently is being experimentally deployed (see Chrome | > > Preferences | Cookies and site data | "google.com" or "gmail.com"). > > There's definitely mention of channel binding. Channel bound cookies > used over HTTPS would meet the requirements of this spec, except for > the CRIME/BEAST resistance part. > Are you sure about that? I meant "channel-bound cookies" as defined in the ChannelID draft. Even if an attacker stole such cookies via BEAST / CRIME / whatever, the cookies would be unusable without the browser's ChannelID private key for that site. > I'm not sure that we should mandate CRIME/BEAST resistance -- TLS > should arguably be able to resist such attacks. But it will take a > long time to deploy TLS that does, and that's what makes it appealing > to have CRIME/BEAST resistance in the session continuation protocol. > Hmm, haven't browsers already deployed BEAST / CRIME / etc countermeasures? I actually think that TLS-layer fixes to TLS problems are going to be faster, easier, and more comprehensive than trying to get thousands of websites to change how they manage sessions. But the cookie-scoping problems will still exist, so cookies definitely need improvement. For that, ChannelID still seems like the best proposal out there. Trevor --047d7b5d352821e24404e12f5226 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable

= On Wed, Jul 10, 2013 at 2:39 PM, Nico Williams <nico@cryptonector.com<= /a>> wrote:

On Wed, Jul 10, 2013 at 4:= 32 PM, Trevor Perrin <trevp@trevp.net= > wrote:
> Hmm, it's surprising there's no discussion of cookie scoping p= roblems like:
> =A0- "cookie stealing" via MITM-created subdomains [1], or > =A0- "cookie forcing" via attacker-controlled sibling or cou= sin domains [2]

There's minimal discussion of the concept of "origin"; = it clearly
needs more text. =A0I'd love to receive some suggestions for such text<= br> :)

I'm not volunteering! =A0It= 9;s complicated...

=A0

> Also: =A0despite mentioning a few proposals, there's no mention of= ChannelID /
> Channel-bound cookies [3].
>
> ChannelID seems to solve these problems, seems more polished than othe= r
> proposals, and apparently is being experimentally deployed (see Chrome= |
> Preferences | Cookies and site data | "google.com" or "gmail.com").

There's definitely mention of channel binding. =A0Channel bound c= ookies
used over HTTPS would meet the requirements of this spec, except for
the CRIME/BEAST resistance part.

= Are you sure about that? =A0I meant "channel-bound cookies" as de= fined in the ChannelID draft. =A0Even if an attacker stole such cookies via= BEAST / CRIME / whatever, the cookies would be unusable without the browse= r's ChannelID private key for that site.

=A0

I'm not sure that we should mandate CRIME/BEAST resistance -- TLS
should arguably be able to resist such attacks. =A0But it will take a
long time to deploy TLS that does, and that's what makes it appealing to have CRIME/BEAST resistance in the session continuation protocol.

Hmm, haven't browsers already deplo= yed BEAST / CRIME / etc countermeasures?

I actually think that TLS-layer fixes to TLS problems are going to be faste= r, easier, and more comprehensive than trying to get thousands of websites = to change how they manage sessions.

But the cookie-scoping problems will still exist, so cookies definitely nee= d improvement. =A0For that, ChannelID still seems like the best proposal ou= t there.

Trevor

--047d7b5d352821e24404e12f5226-- From nico@cryptonector.com Wed Jul 10 15:01:15 2013 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08C9D11E8131 for ; Wed, 10 Jul 2013 15:01:15 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.07 X-Spam-Level: X-Spam-Status: No, score=-2.07 tagged_above=-999 required=5 tests=[AWL=-0.093, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j5g+qXST1tHU for ; Wed, 10 Jul 2013 15:01:10 -0700 (PDT) Received: from homiemail-a89.g.dreamhost.com (mailbigip.dreamhost.com [208.97.132.5]) by ietfa.amsl.com (Postfix) with ESMTP id 1C77611E811D for ; Wed, 10 Jul 2013 15:01:10 -0700 (PDT) Received: from homiemail-a89.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a89.g.dreamhost.com (Postfix) with ESMTP id 4A9B5318072 for ; Wed, 10 Jul 2013 15:01:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=6pZhc0n4ifOjwy20cd2L jkq42Cc=; b=JKLEM17tXhDNjUkxFsFv0BYOI/K4m2Y9azZ/ZQJWfXFTMr09eJJ6 8886lUGgQVTFG8k/KRdtCa6nbvFXN4ZSbPP2GElYulRAYnG013dD7HlYbDcwVU0H 7ywn6SuKPJNdlDT2g8KtloRRbMk8QkFtKrWEVN7g7ejfWyeelLarR4w= Received: from mail-we0-f181.google.com (mail-we0-f181.google.com [74.125.82.181]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a89.g.dreamhost.com (Postfix) with ESMTPSA id E63E2318065 for ; Wed, 10 Jul 2013 15:01:02 -0700 (PDT) Received: by mail-we0-f181.google.com with SMTP id p58so6433947wes.12 for ; Wed, 10 Jul 2013 15:01:01 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=RwsWjpEtL6RKwdY6/YMDnHqwY9EEbNmKWJGZaWhtwbk=; b=mKT+dvR3oZPMuk/q5aBh9lbAi+CKZw0lXdEHw0I7rX4KpbHDixb1ST/mVJT7QCzycl EC352UuzgbBmj4ggNgK6oSkcFocdhgZ5jaVlDspV9+cV5LmNrRfIkEliCL5qGYk/m+Yo scxKaXh7897x0dndU6tQVUk99J5XYua4C4DSYDF4Z0z3cVUYY15NbIXUGCRLYo8V0Tnn p/8sNPLlOZVgz0TUKUuoMPH69JdJVR4ItPoQdyWBfw+sG0ksGaGFDqfoJIwkq+0XvFQT hgWkGJO1rtGs2q97yH4XlRFqHzFnZSWUFVQ2N3jjIs1XnRhDTuBajnHAMMmH3eFq4rLd 6w1A== MIME-Version: 1.0 X-Received: by 10.180.74.162 with SMTP id u2mr6847766wiv.36.1373493661339; Wed, 10 Jul 2013 15:01:01 -0700 (PDT) Received: by 10.217.38.138 with HTTP; Wed, 10 Jul 2013 15:01:01 -0700 (PDT) In-Reply-To: References: <20130708052654.13662.45967.idtracker@ietfa.amsl.com> <30F10539-AE45-48C6-A1ED-4914BDFB4156@checkpoint.com>

Date: Wed, 10 Jul 2013 17:01:01 -0500 Message-ID: From: Nico Williams To: Trevor Perrin Content-Type: text/plain; charset=UTF-8 Cc: IETF WebSec WG Subject: Re: [websec] Call for adoption: draft-ietf-websec-session-continue-prob-00 X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Jul 2013 22:01:15 -0000 On Wed, Jul 10, 2013 at 4:54 PM, Trevor Perrin wrote: > On Wed, Jul 10, 2013 at 2:39 PM, Nico Williams > wrote: >> There's minimal discussion of the concept of "origin"; it clearly >> needs more text. I'd love to receive some suggestions for such text >> :) > > I'm not volunteering! It's complicated... Bummer. It's complicated. >> There's definitely mention of channel binding. Channel bound cookies >> used over HTTPS would meet the requirements of this spec, except for >> the CRIME/BEAST resistance part. > > Are you sure about that? I meant "channel-bound cookies" as defined in the > ChannelID draft. Even if an attacker stole such cookies via BEAST / CRIME / > whatever, the cookies would be unusable without the browser's ChannelID > private key for that site. Ah, right, excuse me. I'd responded without swapping in enough of the channel bound cookie context. Yes, I see that we need to adjust this spec to cover that. The intention is not to exlcude channel bound cookies. I'll fix it. > But the cookie-scoping problems will still exist, so cookies definitely need > improvement. For that, ChannelID still seems like the best proposal out > there. That context I still don't have swapped in, or maybe I've never had it. Nico -- From palmer@google.com Wed Jul 10 16:01:15 2013 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 682F721F972C for ; Wed, 10 Jul 2013 16:01:15 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.495 X-Spam-Level: X-Spam-Status: No, score=-1.495 tagged_above=-999 required=5 tests=[AWL=0.483, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, NO_RELAYS=-0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sFQxOG3tK5G1 for ; Wed, 10 Jul 2013 16:01:15 -0700 (PDT) Received: from mail-vb0-x235.google.com (mail-vb0-x235.google.com [IPv6:2607:f8b0:400c:c02::235]) by ietfa.amsl.com (Postfix) with ESMTP id CD5EE21F92B8 for ; Wed, 10 Jul 2013 16:01:07 -0700 (PDT) Received: by mail-vb0-f53.google.com with SMTP id p12so24439vbe.12 for ; Wed, 10 Jul 2013 16:01:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=tIbLrqYVIf1Vt63HlKKSRWgSUzaHTHqbHzyX4TP8bv4=; b=fyWpdcRuMvageVJRhCa4pieP58MG/lPJLU6jSHOMJd9YwjNnYGDMU6O5OAgeMGZjA2 LrWFWMago0lH2ZsN2yhRf6FFm/on+AGUNmuGC5IuRekw4F/uNclKy4noEbWLNgUy2SUV Vihl0ypRb6OrwCkdQTq8W9UsS9OjwQWHMNHEY7cUpDQda2khyi1USanS2g0H/hD3AGZW xq6qvUZoDMJhptwCSOCVf+QxJbmZv3+z2h7fPS5GYDWzCI0xyu40nCW4jbPhZqbo6lSf EfYRB7mXO00TOdjqk1p2X/TRlvKvbnbOTT92RRbFHehzLnxlnS2kpbomwf3fuzimdwUS Rq6A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=tIbLrqYVIf1Vt63HlKKSRWgSUzaHTHqbHzyX4TP8bv4=; b=OcKHpMDqdsJE0OvMcFnUmXyKHrZpG7qqBWkfZlXaIgFJelOZ+0K/2dSHGb/UM2z8R0 qYDGicwVhjh5XSvv8n4e7GMrU6Cs01fI/jUa/beWe5WUwyfbn1vLMpbMfutvJNC7qYR+ PtwLWHgnxXnxGX2FZvF4ZyDFcWI+vBQqUJs+Nejcpdd+tuRbgUaG+zZQUdFDVTja2tqB p+xZpxwBY9tQKv0oJveSfuO3ySArZOpdWhLM7a0xSdpydX6lAcQQep+EYm/oGMPbjXFA h6kdVhjUW/8n7v5mWint0tQiNFE0eKuJTXnXJB6FyZzzcWVhnwOvZbwCSzGFHpyAWx1I X2Xw== MIME-Version: 1.0 X-Received: by 10.52.65.10 with SMTP id t10mr17041997vds.90.1373497263157; Wed, 10 Jul 2013 16:01:03 -0700 (PDT) Received: by 10.220.108.135 with HTTP; Wed, 10 Jul 2013 16:01:02 -0700 (PDT) In-Reply-To: <1F476385-849E-41F0-9B8C-A69A9C36FA71@checkpoint.com> References: <51DAF2DA.8050708@isode.com> <1F476385-849E-41F0-9B8C-A69A9C36FA71@checkpoint.com> Date: Wed, 10 Jul 2013 16:01:02 -0700 Message-ID: From: Chris Palmer To: Yoav Nir Content-Type: text/plain; charset=UTF-8 X-Gm-Message-State: ALoCoQm4iM5w0Bd13BvgGvpa2axX2l/JMlvMoAT8eZZZ1U2AFdj0ScO3e+GTk7/hZwDV64Mfz15roNCWlYTu7o7lLvACbu96/rFIUhJ2nsGlfCsN3yDlYrsNEh+rgZEHw1bl+1itOhkTToPRWoNNuc4eKy4Imv+knNqF7m1+Ahi/RA1k6wQsP3SL1KHmoylvhjukqnedw7SH Cc: IETF WebSec WG Subject: Re: [websec] Review of draft-ietf-websec-key-pinning-06 X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Jul 2013 23:01:15 -0000 On Mon, Jul 8, 2013 at 9:57 PM, Yoav Nir wrote: > 3rd Para: "If the Public-Key-Pins response header field does not meet all three of these criteria, the UA MUST NOT note the host as a Pinned Host." > > 4th Para: "The UA MUST ignore Public-Key-Pins response header fields received on connections that do not meet the first criterion." Oh, right. Yes, I think we can just delete that 4th paragraph. Done in an upcoming -08. > The standard way is to add a sentence like: > [RFC EDITOR: PLEASE REMOVE THIS SECTION] Done. Thanks! From ynir@checkpoint.com Thu Jul 11 05:50:57 2013 Return-Path: X-Original-To: websec@ietfa.amsl.com Delivered-To: websec@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33A3B21F93BA for ; Thu, 11 Jul 2013 05:50:56 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.598 X-Spam-Level: X-Spam-Status: No, score=-10.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DGzMz7+gxHEJ for ; Thu, 11 Jul 2013 05:50:49 -0700 (PDT) Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 15F9E21F9703 for ; Thu, 11 Jul 2013 05:50:48 -0700 (PDT) Received: from IL-EX10.ad.checkpoint.com ([194.29.34.147]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id r6BCogF4027320; Thu, 11 Jul 2013 15:50:43 +0300 X-CheckPoint: {51DEAA22-0-1B221DC2-1FFFF} Received: from DAG-EX10.ad.checkpoint.com ([169.254.3.48]) by IL-EX10.ad.checkpoint.com ([169.254.2.91]) with mapi id 14.02.0342.003; Thu, 11 Jul 2013 15:50:41 +0300 From: Yoav Nir To: Trevor Perrin Thread-Topic: [websec] Call for adoption: draft-ietf-websec-session-continue-prob-00 Thread-Index: AQHOe51K2fjJqAHy/0+f/EfC93QcepleQH6AgAEAfoA= Date: Thu, 11 Jul 2013 12:50:40 +0000 Message-ID: References: <20130708052654.13662.45967.idtracker@ietfa.amsl.com> <30F10539-AE45-48C6-A1ED-4914BDFB4156@checkpoint.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [91.90.139.159] x-kse-antivirus-interceptor-info: protection disabled x-cpdlp: 110607fcfa15792bbed58b10affc8453c667d13158 Content-Type: multipart/alternative; boundary="_000_D97453ED23524273B8AF0DAA00C1E555checkpointcom_" MIME-Version: 1.0 Cc: IETF WebSec WG Subject: Re: [websec] Call for adoption: draft-ietf-websec-session-continue-prob-00 X-BeenThere: websec@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Web Application Security Minus Authentication and Transport List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,