RE: draft-nottingham-httpbis-origin-frame from Mike Bishop on 2016-03-14 (ietf-http-wg@w3.org from January to March 2016)

From: Mike Bishop <Michael.Bishop@microsoft.com>
Date: Mon, 14 Mar 2016 23:15:44 +0000
To: Martin Thomson <martin.thomson@gmail.com>, Patrick McManus <pmcmanus@mozilla.com>
CC: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <BL2PR03MB190534500BB0D7701F5D7AA487880@BL2PR03MB1905.namprd03.prod.outlook.com>

I'm hesitant to drop DNS altogether. It's not quite part of the security model, but it kind of is. By requiring DNS to match, an attacker has to subvert either DNS or IP routing. My draft was targeting the case where the server has the same IP address, but multiple certificates. (Of course, if you're trying to support non-SNI clients….) I still prefer Alt-Svc to provide a link from the original origin to the endpoint claiming to have the certs.

-----Original Message-----
From: Martin Thomson [mailto:martin.thomson@gmail.com] 
Sent: Monday, March 14, 2016 4:00 PM
To: Patrick McManus <pmcmanus@mozilla.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: draft-nottingham-httpbis-origin-frame

On 15 March 2016 at 04:40, Patrick McManus <pmcmanus@mozilla.com> wrote:
> The DNS restriction of 7540 is really about sane routing of requests 
> to the right server by getting an opt-in that indicates configuration. 
> Its not really about security - DNS is not really part of the security model.

I 99% agree.  The other 1% is reserved for a minor concern about the way the security model interacts with the rest of the system.

When a URL becomes known to a client, it then seeks out a server that can serve that authority.  RFC 7540 didn't fundamentally change that by allowing coalescing: the same process was followed, we just allowed certain steps to be merged with work already done.

However, this would skip the DNS step entirely.  That's not bad, because we don't rely on it for any sort of security property.
However... it does allow for some interesting capture scenarios.

For example, if I were able to steal a certificate for a few interesting names, I would only have to capture a connection toward a single one of those names in order to effectively intercept all requests to those names.  With Alt-Svc, I would be able to continue that capture as long as the theft remained viable.  With Mike's additional certs, it's possible to use different stolen certificates.

It's a small concern, because I think that the risk is small in comparison to the potential gain, but I don't think that this is something that we can reasonably ignore.

Received on Monday, 14 March 2016 23:16:14 UTC