Re: Yet another trusted proxy suggestion

On 28/11/13 11:37 AM, Stephen Farrell wrote:
> Hi Yoav,
> On 11/28/2013 07:51 AM, Yoav Nir wrote:
>> I'd love to hear more comments on this. If there's interest I could
>> write it up in a draft, but having been burned twice, I'd like to know
>> there's interest first.
> I think your caution is wise.
> Let me ask one of the possibly many hard questions: say I'm a bank,
> wouldn't the result of your proposal be that I'd not be able to
> turn on HTTP/2.0 because e.g. one of my regulators somewhere would
> forbid me agreeing to exposing my customer's credentials to one
> or more such proxies?
First, nothing in my proposal (except maybe the pushed resource, which 
could be easily replaced with a pulled resource) is unique to HTTP/2. 
This is equally applicable to HTTP/1.

Second, there are now MitM proxies that expose customers' credentials. 
To defend against them, the bank has several options:

  * Deploy HPKP with the "strict" directive. Can't say that's widely
    deployed, although I'm told it is implemented in Chrome. You have
    multiple ways of bricking your site if you're not careful with this,
    so it's WebSec's version of five finger fillet.  But banks can
    afford to do it correctly.
  * Deploy client certificates for users. This defeats all TLS proxies,
    unless you come up with a proxy that somehow gets the user's private
    key. It doesn't get any more "trusted" than that. Very few banks do

If they have a policy like you suggested, and they don't use the above 
measures, they're not enforcing their policy now.

With this proposal they can enforce their policy, allowing users to 
connect without a proxy, and not allowing them to connect with it. Seems 
like a positive to me.

> I'd love if we had a real bank asking that question btw, since
> I'm just guessing, and am not and never have been a bank:-) But
> we don't seem to have anyone like that on the list asking.

I don't think it counts, but I did interview at a bank before going to 
work at Check Point, although that was for a systems administration job, 
not a security job.

Banks are into cost cutting, and the way to get costs lower is to avoid 
people coming into the bank branch and occupying some of the teller's 
time. To that end, they will allow you to connect with a browser, a 
phone, a kiosk, pretty much anywhere.  They'll weigh the cost of fraud 
from HTTPS proxies against the cost of losing customers to a more 
lenient bank to choose their policy. That of course depends on country 
and regulations, because different jurisdictions have different 
proportions of the cost of fraud falling to the bank and to the customer.

Banks might have policies like refusing to perform high-value 
transactions through a proxy. This doesn't protect regular credentials, 
but it could protect one-time passwords and such.

But again, I don't work for a bank either and never have. I still think 
allowing them to enforce a policy is better than what we have today. 
Having this option on the table may allow (in the far future) browsers 
to stop scaling back security in the presence of MitM proxies.


Received on Thursday, 28 November 2013 11:15:55 UTC