W3C home > Mailing lists > Public > public-bpwg-ct@w3.org > November 2008

Thoughts on HTTPS Links rewriting

From: Francois Daoust <fd@w3.org>
Date: Fri, 14 Nov 2008 18:37:29 +0100
Message-ID: <491DB759.80701@w3.org>
To: public-bpwg-ct <public-bpwg-ct@w3.org>

A few thoughts on section 4.2.8.2 HTTPS Links rewriting:
http://www.w3.org/2005/MWI/BPWG/Group/TaskForces/CT/editors-drafts/Guidelines/081107#sec-https-link-rewriting

I don't think we'll receive much more comments from external people at 
this point, and think we should just move on with what we already have.


Link with the IETF TLS Task Force
-----
I sent an email to the IETF TLS task force:
  http://www.ietf.org/mail-archive/web/tls/current/msg02968.html

The only reply confirmed that "the server cannot detect the attack 
(unless of course he requests client certificates) via the TLS protocol, 
the client could. The server could detect the attack by noticing few IPs 
that make many different transactions".

I also exchanged a few private messages with persons subscribed to that 
mailing-list. The reason I mention this is that one person mentioned 
that the "Via" header that we say the CT-proxy MUST add in this case may 
not be a good idea for three reasons:
  1. we are trying to use the "Via" to advertise a security issue, and 
it's always better to be explicit.
  2. the proxy is not truly acting as a proxy anymore. The request 
originates from the proxy in that case, so it's not exactly a "Via".
  3. the server could be composed of a proxy that receives the request, 
decrypts it and passes it to another server. In that case, the 
server-side proxy may add a "Via" header. The problem is not that it may 
override the one set by the CT-proxy (it should properly complete the 
header if it's already there), but that there is a case where the final 
server receives a request with a "Via" HTTP header, even when the 
request is made in HTTPS. From an external point of view, it's still in 
the server black box.

I agree, but do not see any other real possibility at this point, apart 
from creating a new explicit HTTP header field "Man-in-the-middle", but 
I don't think that's such a good idea.


Last last call comment
-----
Thomas sent an additional comment to warn about cases where rewriting 
HTTPS links break :
http://lists.w3.org/Archives/Public/public-bpwg-comments/2008OctDec/0002.html

I just sent a reply with a view to getting a more precise view on what 
this comment refers to. AFAICT, it is focused on Web Applications, and 
I'm not sure that it adds new cases to the list of cases that may break 
we already are aware of.


Change of domain use case
-----
Eduardo raised an important use case I don't think we've considered before:
  http://lists.w3.org/Archives/Public/public-bpwg-ct/2008Nov/0030.html

When the page that contains the HTTPS link is hosted by some other 
server, then there is no way to the targeted server to prevent the 
re-writing of the HTTPS links.

Two solutions:
1. Forbid rewriting of HTTPS links that target another hostname. Since 
SSL certificates are per hostname (is that right?), I think that's a 
consistent guideline. The main visible consequence of such a guideline 
would be that a search engine that proposes HTTPS links in a search 
result cannot offer transcoded views of such links. The guidelines could 
say:
  "Proxies MUST NOT rewrite HTTPS links when the hostname targeted by 
the link does not match the one of the resource being retrieved"

2. Emphasize that servers should detect the presence of a Via HTTP 
header in an HTTPS request, and reply with a 406 if they don't want 
their response to be visible by a CT-proxy. The problem is that I don't 
see how a CT-proxy could "recover" in an automated way in such a case.

It depends on what we're trying to say here: if it's "the user must have 
the choice" then 1. goes too far in that it prevents users from making 
the choice. If it's "content providers must have their say too" then 1. 
is a good solution.

I would personally prefer 1.
Any other thoughts and/or solutions?


The text in section 4.2.8.2
-----
Pending the potential addition of the above mentioned guideline, I think 
the thrust of the section is good.

We may want to add a list of cases where rewriting HTTPS links will just 
break: if the server uses client certificates, the fact that the server 
may refuse the request if it comes from another address, and the rest of 
the cases I can think of are triggered by the change of origin which may 
not be specific to HTTPS. It could take the form of an additional note. 
I'm not so sure this is useful (same as for encoding, in the end, the 
message would probably read "avoid bugs").

Another minor point. I think we've already discussed that but can't 
recall when. About "If a proxy re-writes HTTPS links, replacement links 
must have the scheme https", it is slightly too restrictive in that the 
replacement link is likely to be for a page that advertises the user 
about the security implications of doing that, and that page doesn't 
need to be in HTTPS, only the final links need to be. Anyway, I like the 
concision and clarity of this guideline, just thought it was worth 
nothing somewhere.


The text for content providers
-----
I see only two things we may say:
- "Send a Cache-Control: no-transform if you do not want HTTPS links to 
be rewritten"
- "Detect the presence of the Via HTTP header in HTTPS requests and 
return with a 406 if you do not want to send sensitive data to the proxy".


Francois.
Received on Friday, 14 November 2008 17:38:11 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 14 November 2008 17:38:12 GMT