Re: HTTP Alternative Services: What about TLS client certificates? from Ilari Liusvaara on 2015-03-30 (ietf-http-wg@w3.org from January to March 2015)

From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Date: Mon, 30 Mar 2015 20:26:22 +0300
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: Jann Horn <jann@thejh.net>, ietf-http-wg@w3.org
Message-ID: <20150330172622.GA15624@LK-Perkele-VII>

On Mon, Mar 30, 2015 at 10:10:20AM -0700, Roy T. Fielding wrote:
> On Mar 29, 2015, at 2:12 PM, Jann Horn wrote:
> 
> > Hello,
> > I've looked through draft-ietf-httpbis-alt-svc-04 and didn't see anything that
> > explicitly forbids the use of TLS client certificates. The threat scenario I
> > have in mind is this:
> > 
> > Alice is connected to the internet through a connection on which Mallory
> > performs a MITM attack. Alice has a TLS client certificate that grants her
> > access to sensitive information at https://bank.com/. There are no HSTS rules
> > for bank.com.
> > 
> > Alice browses to http://news.com, a website to which she does not need a TLS
> > connection. Mallory injects the following HTML snippet into the response:
> > 
> >    <iframe src="http://bank.com"></iframe>
> > 
> > Alice's browser now requests http://bank.com. Mallory intercepts the request
> > and replies with a page containing malicious JavaScript code and the HTTP
> > header 'Alt-Svc: h2=":443"'.
> > The malicious JavaScript code now triggers further requests that the browser
> > performs to bank.com via TLS, authenticating Alice using the
> > non-origin-specific TLS client certificate. The server at https://bank.com
> > grants access to the client based on the TLS Client Certificate and
> > returns sensitive data, but the origin on the client is still http://bank.com,
> > effectively allowing the attacker to bypass the protocol part of SOP
> > restrictions on XHR.
> 
> Why is the origin on the client still http://bank.com/ when it is
> deliberately making requests to https://bank.com:443/ ?

Because ALT-SVC does not change origin, only transport.

The requests are marked: The requests have :scheme=http, instead of
normal :scheme=https. And this is the reason for HTTP/2 requirement for
OE: One can't reliably mark such requests for HTTP/1.X.
 
> The client isn't being fooled into making those requests -- it is
> choosing to make use of the Alt-Svc information to go to a different
> origin.  In short, the JavaScript code should be prevented at that point
> because the browser needs to get new code from the same origin, just
> like a redirect.

Redirects change origin, ALT-SVC does not.


-Ilari

Received on Monday, 30 March 2015 17:26:52 UTC