Re: #144: Attacks from Same Host (OppSec) from Kari Hurtta on 2016-03-02 (ietf-http-wg@w3.org from January to March 2016)

From: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
Date: Wed, 02 Mar 2016 19:12:18 +0000
To: HTTP WG <ietf-http-wg@w3.org>
Cc: Kari Hurtta <hurtta-ietf@elmme-mailer.org>, Mark Nottingham <mnot@mnot.net>
Message-Id: <201603021911.u22JBfpe021129@shell.siilo.fmi.fi>

( commenting myself ... )

Kari Hurtta <hurtta-ietf@elmme-mailer.org>: (Wed Mar  2 19:02:46 2016)
> | For the purposes of this specification, there are two ways to achieve
> | this:
> | 
> | • Using TLS with a certificate that validates as per [RFC2818], or
> | • Confirming that both the origin and the alternative service support
> | this specification by obtaining a 200 (OK) response for the "http-tls"
> | well-known URI (section X).
> | 
> | The latter approach allows deployment without the use of valid
> | certificates, to encourage deployment of opportunistic security.
> | Therefore, in these cases the alternative service can provide any
> | certificate, or even select TLS cipher suites that do not include
> | authentication.
> 
> 1) This seems not specify that alternative is same host than
>   origin in case when valid certificate is not required
> 
> There fore "http-tls" well-known URI on _alternative_
> must include origin -name (method, host, port)

'method' should be "http" because "https" already
requires valid certificate.

But maybe browser may want check well-known URI
for https -method on some cases. That is not
required, but browser may do extra checks.

( And anyway defination of origin includes
 method. )

Certificate does not tell method and port,
only name (and it may be *.example.com).


Perhaps other checks are like "certificate
for alternative must be equal strong as 
for original".

( Domain Validated, Organization Validated,
 Extended Validated

 is wildcard used on certificate name?

 what is signing algorithm?

 have certificate same validation
 chain?

 and then negatiated TLS parameters
)

> 2) If origin does not filter Alt-Svc: -headers, 
>   http://origin/~attacker/  skript can still
>   produce 
>      Alt-Svc: h2=":8000"
> 
>  and if origin runs it own real alternative on port 81
>  then it will have "http-tls" well-known URI
> 
> There fore "http-tls" well-known URI on _origin_
> must include alternative (host and port).
> 
> 
> Because it is alternative 
> "http-tls" well-known URI on _origin_ and _alternative_
> must be same.
> 
> Therefore "http-tls" well-known URI must include
> origin -name and alternative (host and port).

/ Kari Hurtta

Received on Wednesday, 2 March 2016 21:36:47 UTC