- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Mon, 30 Mar 2015 10:10:20 -0700
- To: Jann Horn <jann@thejh.net>
- Cc: ietf-http-wg@w3.org
On Mar 29, 2015, at 2:12 PM, Jann Horn wrote: > Hello, > I've looked through draft-ietf-httpbis-alt-svc-04 and didn't see anything that > explicitly forbids the use of TLS client certificates. The threat scenario I > have in mind is this: > > Alice is connected to the internet through a connection on which Mallory > performs a MITM attack. Alice has a TLS client certificate that grants her > access to sensitive information at https://bank.com/. There are no HSTS rules > for bank.com. > > Alice browses to http://news.com, a website to which she does not need a TLS > connection. Mallory injects the following HTML snippet into the response: > > <iframe src="http://bank.com"></iframe> > > Alice's browser now requests http://bank.com. Mallory intercepts the request > and replies with a page containing malicious JavaScript code and the HTTP > header 'Alt-Svc: h2=":443"'. > The malicious JavaScript code now triggers further requests that the browser > performs to bank.com via TLS, authenticating Alice using the > non-origin-specific TLS client certificate. The server at https://bank.com > grants access to the client based on the TLS Client Certificate and > returns sensitive data, but the origin on the client is still http://bank.com, > effectively allowing the attacker to bypass the protocol part of SOP > restrictions on XHR. Why is the origin on the client still http://bank.com/ when it is deliberately making requests to https://bank.com:443/ ? The client isn't being fooled into making those requests -- it is choosing to make use of the Alt-Svc information to go to a different origin. In short, the JavaScript code should be prevented at that point because the browser needs to get new code from the same origin, just like a redirect. ....Roy
Received on Monday, 30 March 2015 17:10:29 UTC