Re: Exposing TLS & Certificate Information in Javascript

On Wed, May 29, 2013 at 1:01 PM, Richard Barnes <rbarnes@bbn.com> wrote:
>
> On May 29, 2013, at 2:34 PM, Ryan Sleevi <sleevi@google.com> wrote:
>
>> Richard,
>>
>> As I explained previously, there is not inherently a concept of a
>> single TLS session for the associated load of the 'main page' (from
>> whence origin is derived).
>
> Ok, in principle, it is possible for renegotiation to happen in the middle of an HTTP transaction.  In practice, this is exceedingly rare.

You're going to have to back this statement up with any actual
evidence, or is this just speculation?

I know for a fact that two of the widest deployed SSL/TLS stacks (when
used in conjunction with several of the top web servers) will do
exactly that, and I've been on both ends in seeing how much breaks
when either clients or servers get this wrong. Several of the largest
enterprises and governments have internal infrastructures that rely on
this working as I described - so I'm not just speculating.

> Is there some other instance you have in mind where an HTTP request spans multiple TLS sessions?  Even if it's loaded over a resumed TLS session, or even a SPDY session, there's still a single session used to download the page.
>

Please see the small *sample* that I included in this thread in
response to Seetharama.

>
>> Further, while tempting to reduce it to such primitives, it's quickly
>> evident that this fails to provide or address any value added security
>> benefits, when it fails to express the code executing in the overall
>> environment.
>
> I'm not arguing value (though I'm not convinced there's no value), just that it's possible.
>
>
>> While the Same Origin Policy is wholly sufficient for notions such as
>> Origins, and can be extended through the use of CORS, the application
>> of dynamic content over a plurality of TLS connections, each of which
>> may have multiple negotiations established with them, make notions
>> such as "THE" certificate or "THE" keying material fundamentally
>> flawed.
>
> Same Origin Policy / CORS aren't relevant here.  They're what you do with an origin once you've got one.  Obviously, you'll do something different with TLS info.  I only bring up origins to demonstrate that you can make a clear definition of something that varies among components of a page.

I think you're conflating boundaries here. The distinction here is a
desire for transport layer semantics, whereas origin ties back to the
original request (e.g. independent of server data). There's no
equivalence between what's being asked and origin.

>
> --Richard
>
>
>
>
>
>>
>> Cheers,
>> Ryan
>>
>> On Wed, May 29, 2013 at 11:32 AM, Richard Barnes <rbarnes@bbn.com> wrote:
>>> Ryan,
>>>
>>> I'm a little confused here.  Origins are also fundamental for web security and used programmatically.  There's a well defined origin based on the base document URI, even though a given page load can come from multiple origins.  If I import a script from another origin, it still executes within the overall origin for the page.
>>>
>>> Could we not do something analogous here?  Just as the origin for the page is derived from the URI for the base page, couldn't we just define that the TLS information provisioned is for the connection that loaded the base page?  After all, that information is the root of trust for the page, since all the other resources are loaded based on information retrieved over that connection.
>>>
>>> --Richard
>>>
>>>
>>>
>>>
>>>
>>> On May 29, 2013, at 12:28 PM, Ryan Sleevi <sleevi@google.com> wrote:
>>>
>>>> On Tue, May 28, 2013 at 10:17 PM, Douglas Stebila <stebila@qut.edu.au> wrote:
>>>>> We have been doing some research on building application-level cryptography on TLS connections.  In one of our recent projects, we wanted to cryptographically bind from the application layer to the TLS connection.  There are several ways of theoretically doing so, but the seemingly simplest would be to get (the hash of) the server's X.509 certificate from the TLS connection (this is one of the mechanisms specified in RFC 5929, TLS channel binding).  In our application, only the Firefox extension API allowed us to access that information (via XPCOM).  It would be nice to have a standardized way of doing this, and it seems like this may fall under the category of secondary features in the Web Cryptography API charter.
>>>>>
>>>>> Ryan Sleevi kindly pointed out a discussion thread on this mailing list from February 2013 that discusses things related to this issue, where an API exposing a variety of information on the TLS connection was proposed.  The subsequent discussion in the thread pointed out the subtleties of what is "the" TLS connection (http://lists.w3.org/Archives/Public/public-webcrypto-comments/2013Feb/0006.html; portions reproduced below).  I apologize for being late to the discussion and reopening a dormant conversation, but it did not seem to come to a resolution, beyond that there are subtleties.
>>>>>
>>>>> While it is true that there are subtleties, getting at least some information about the TLS connection would be a very useful thing to have available, and it may be possible to identify a canonical set of TLS parameters.  In fact, browsers effectively do so: when you click on the lock icon, you get a single certificate and a single explanation for the properties of the TLS connection.  I'm not sure which canonicalization browsers use, but two potentially reasonable choices include "the first certificate used on the main document", or "the most recent certificate used on the main document".  Yes, a single snapshot doesn't capture the whole history of the security context, but it does capture the security parameters at that canonical point in time, and that's enough to enable some interesting applications.
>>>>>
>>>>> In summary: can we have an API that gives the same information about the TLS connection as what would be obtained by clicking on the lock icon in the web browser?
>>>>
>>>> Short answer: No
>>>>
>>>> And for the reasons I detailed on that thread.
>>>>
>>>> That lock is actually quite misleading for expressing overall security
>>>> policy, but it is enough of a heuristic to be acceptable for the
>>>> security goals it tries for end users. A programmatic API cannot be
>>>> heuristic-based like that, particularly to meet your use cases.
>>>>
>>>> Cheers,
>>>> Ryan
>>>>
>>>>>
>>>>> Douglas
>>>>>
>>>>>
>>>>>>>>> window.location.tls = {
>>>>>>>>>    version = 'SSL 3.0' || 'TLS 1.0' || 'TLS 1.1' || 'TLS 1.2' || '',
>>>>>>>>>
>>>>>>>>>    //I'm really bad at naming things
>>>>>>>>>    flavor = 'PKIX' || 'SRP' || 'PSK' || 'OpenPGP',
>>>>>>>>>
>>>>>>>>>    ciphersuite = { //From https://www.iana.org/assignments/tls-parameters/tls-parameters.xml
>>>>>>>>>        value = UInt8Array, //From the Value column
>>>>>>>>>        description = string //From Description Column
>>>>>>>>>        //Potentially fill out sub values like "Cipher", "Key Exchange"...
>>>>>>>>>    },
>>>>>>>>>
>>>>>>>>>    //.certificates is an array of Certificate Objects, or an
>>>>>>>>>    //  empty array if no certificate is used (HTTP, TLS-PSK, DH-Anon, etc)
>>>>>>>>>    //  [0] is the root, and it goes in ascending order to the leaf,
>>>>>>>>>    //  based on the path constructed by the browser
>>>>>>>>>    certificates = [
>>>>>>>>>        CERTIFICATEOBJECT,
>>>>>>>>>        ...
>>>>>>>>>        ]
>>>>>>>>>    },
>>>>>>>>>
>>>>>>>>>
>>>>>>>> The failure of this entire proposal is that it disregards the multi-connection, multi-origin model involved in any origin load.
>>>>>>
>>>>>>>
>>>>>>
>>>>>>> Yes, except for the main page.
>>>>>>
>>>>>>
>>>>>> No. Even the main page may have had multiple TLS identities involved.
>>>>>>
>>>>>> 1) It may have originally requested example.com, but may have been redirected (302 to 307) to subdomain.example.com. However, the identity of both is relevant in terms of origin security, since the initial example.com may have been hijacked by an attacker to leverage items such as session pinning or cookie hijacking.
>>>>>> 2) If the server is not TLS renegotiation patched (as a disproportionate number of servers unfortunately remain unpatched), then a hostile MITM may interject themselves before initiating a renegotiation. For example, your site https://www.ianonym.com is vulnerable to this well-known attack (only noticeable after ignoring the certificate mismatch).
>>>>>> 3) Even absent hostile intent, a server may be configured to renegotiate the security parameters of the server in such a way that fundamentally alters the connection. This is quite common.
>>>>>> 4) In the face of invalid certificates or requests for client certificates, which require user interaction, many user agents will break the TCP connection after a certain amount of time has elapsed, since the active connection is contingent upon user interaction. Thus a logical load may have employed multiple connections.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>

Received on Wednesday, 29 May 2013 20:07:53 UTC