#144: Attacks from Same Host (OppSec) from Mark Nottingham on 2016-03-02 (ietf-http-wg@w3.org from January to March 2016)

From: Mark Nottingham <mnot@mnot.net>
Date: Wed, 2 Mar 2016 16:27:45 +1100
To: HTTP WG <ietf-http-wg@w3.org>
Message-Id: <2D0BB544-917B-4903-9C12-E33FD877619F@mnot.net>

<https://github.com/httpwg/http-extensions/issues/144>

Currently, the spec says:

"""
3. Server Authentication
[I-D.ietf-httpbis-alt-svc] requires that an alternative service only be used when it is strongly authenticated as the origin.

For the purposes of this specification, there are two ways to achieve this:

• Using TLS with a certificate that validates as per [RFC2818], or
• Using an alternative service with a hostname that is character-for-character identical to that of the origin.
The latter approach allows deployment without the use of valid certificates, to encourage deployment of opportunistic security. Therefore, in these cases the alternative service can provide any certificate, or even select TLS cipher suites that do not include authentication.
"""

I think what we're talking about here is changing it to something like:

"""
3. Server Authentication
[I-D.ietf-httpbis-alt-svc] Section 2.1requires that an alternative service only be used when there are "reasonable assurances" that it is under control of and valid for the whole origin

For the purposes of this specification, there are two ways to achieve this:

• Using TLS with a certificate that validates as per [RFC2818], or
• Confirming that both the origin and the alternative service support this specification by obtaining a 200 (OK) response for the "http-tls" well-known URI (section X).

The latter approach allows deployment without the use of valid certificates, to encourage deployment of opportunistic security. Therefore, in these cases the alternative service can provide any certificate, or even select TLS cipher suites that do not include authentication.

X. The "http-tls" well-known URI

[contents? format? extensibility? etc.]

"""

Questions:

1) Is this roughly what people had in mind?
2) Do we need to get a positive indication from both the origin and the alternative, or just the origin?
3) Do we need a more solid indication than a 200 OK? E.g., media type?
4) What should be in the well-known URI's representation, if anything?
5) Should we tie the validity period of the well-known URI to its cache freshness lifetime?

Cheers,

--
Mark Nottingham https://www.mnot.net/

Received on Wednesday, 2 March 2016 05:28:16 UTC