W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2015

Re: Comments about draft-ietf-httpbis-http2-16 : Connection reuse

From: Aeris <aeris@imirhil.fr>
Date: Sun, 04 Jan 2015 20:29:08 +0100
To: Ryan Hamilton <rch@google.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, Patrick McManus <pmcmanus@mozilla.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <1530490.b123QLFlJj@home>
> To back up for a second, remember that a server administrator can prevent
> connection reuse at will by either:
> 
> 1) Changing the hostname -> IP mapping so that hosts which should not share
> connections are on different address

Not usable on IPv4. There is no more available IPv4, or very expensive.
Currently can’t have 50 IPv4, one for each of my sub-domain…

> 2) Serving certificates which are not valid for hosts which should not
> reuse connections to the current host

Not available for all CA.
For example StartCom add *always* DNS:domain.com on issued CA, so I can’t 
generate a certificate only valid for A.domain.com and not for domain.com on 
this CA.
Or in my case, have 2 wildcard cert issued by different CA for each domain.

> As such, any server administrator who is concerned about connection reuse
> can simply configure their servers to prevent it from happening.

Not at all. I’m a server administrator. I can’t be able (or can’t afford) for 1 
different certificat for each of my 50 sub-domains…
Do you consider only big company with many money and professional admin sys 
exist on the Internet ? Or worst, only them can have security or choose the 
TLS behaviour they want with HTTP/2 ?

> ​If you can exploit Chrome's connection reuse behavior to lead to a MITM
> attack, that would be a critical security bug which we would jump on
> immediately. Please let me know if you are able to do so.

I don’t say this. I only say HTTP/2 behaviour *can’t be distinguished* from 
real MITM or downgrade attack.
From an IDS point of view for example, you fetch a content with a certificat or 
cipher different of what is expected, exactly the same way current real HTTP/1 
attacks do.

But on our way, I sense connection reuse can ease MITM or downgrade attack. 
You « just » have to poison the DNS to match the target IP and send a A 
content with weak TLS parameters and request targeted content B from A to 
force TLS parameters to what you want for the B content fetching.

> ​In Chrome, we prevent connection reuse to hosts which request client
> certificates. HTTP/2 prohibits TLS renegotiation in section 9.2.1.

When I say « renegociation », I mean no channel reusage.
If A domain doesn’t require TLS auth but B domain yes, how will you detect the 
need of auth with channel reuse ? Because when the channel will be reused to 
fetch B content, no TLS negociation will be done and so not able to see the 
auth request, am I wrong ? From B to A, there is no problem, but from A to B, 
there is.

Regards,
-- 
Aeris

Protégez votre vie privée, chiffrez vos communications
GPG : EFB74277 ECE4E222
OTR : 5769616D 2D3DAC72
https://café-vie-privée.fr/
Received on Sunday, 4 January 2015 19:29:38 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:42 UTC