Re: Skipping DNS resolutions with ORIGIN frame

On Tue, Jul 18, 2017 at 2:23 PM, Mike Bishop <Michael.Bishop@microsoft.com>
wrote:

> Unless the cdnjs.cloudflare.com is in the same cert, you’d also need the
> Secondary Certificates extension to support that.  Once it’s there, though,
> I think the discussion is the same whether we have multiple certificates or
> one – we have a single factor (the certificate) that claims authority for
> some other name.  How do we reach a sufficient level of trust?  DNS is a
> weak second factor; are there other second factors we would be willing to
> consider as equivalent?
>

We can put it in the same cert for a lot of our customers and Secondary
Certificates is also on the roadmap for this.

It depends on what we want to guard against. If it is just mississuance,
presence of the certificate in CT logs is fine. If we're concerned about an
attacker with the private key of the certificate, then presence of the
certificate in the CT logs isn't enough and DNS provides an extra fig-leaf.

A lot of the proposals being discussed aren't detailed enough for me to say
if they would work or not for us. Would it be enough to have every site
Alt-Svc cloudflare.com (easy), or would the Alt-Svc proposals end up N^2
scaling (nonstarter)? Our IPs aren't shared between sites in any sort of
regular pattern and which one is used by customer.example.com can change
for various reasons.

We can't have cdnjs.cloudflare.com advertise every single customer as an
Alt-Svc.

Sincerely,
Watson


>
> *From:* Watson Ladd [mailto:watson@cloudflare.com]
> *Sent:* Tuesday, July 18, 2017 11:44 AM
> *To:* Ryan Hamilton <rch@google.com>
> *Cc:* Martin Thomson <martin.thomson@gmail.com>; ietf-http-wg@w3.org;
> Piotr Sikora <piotrsikora@google.com>
> *Subject:* Re: Skipping DNS resolutions with ORIGIN frame
>
>
>
>
>
>
>
> On Tue, Jul 18, 2017 at 11:30 AM, Ryan Hamilton <rch@google.com> wrote:
>
> My apologies for starting this thread on Friday and then going on
> vacation! I'm catching up now.
>
>
>
> On Fri, Jul 14, 2017 at 10:32 AM, Martin Thomson <martin.thomson@gmail.com>
> wrote:
>
> I get that you believe that DNS resolution is valuable here, but I
> don't understand your point about "proxy configuration".  If you have
> a proxy configured, you generally don't do the DNS lookup directly, so
> are you saying that you would allow the coalescing for a CONNECT
> tunnel?
>
>
>
> Yes, I think so.
>
>
>
> Can you verify that I understand your point about Alt-Svc: if the
> origin had been previously contacted and Alt-Svc identified an IP
> address that matches the current IP, then that could be a sufficient
> signal.  Usually Alt-Svc is a name though, so that wouldn't help.
>
>
>
> ​Sorry, I wasn't very clear. What I means is that if I connection to
> www.example.org
> <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.example.org&data=02%7C01%7CMichael.Bishop%40microsoft.com%7C0a535a7fb83f4a3187c008d4ce0d6576%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636360004315030763&sdata=A11yjgd7M%2BFAWckA%2B4yXLreK7egSTp0o7fHOxTmro1Y%3D&reserved=0>
> which presents an *.example.org
> <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fexample.org&data=02%7C01%7CMichael.Bishop%40microsoft.com%7C0a535a7fb83f4a3187c008d4ce0d6576%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636360004315030763&sdata=z7e0gWv6d9qNO3LlzWYdAdJF%2Fdz1fl6ePrL4wXc%2Fo5w%3D&reserved=0>
> certificate, I need some second piece of information before using it for
> mail.example.com
> <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fmail.example.com&data=02%7C01%7CMichael.Bishop%40microsoft.com%7C0a535a7fb83f4a3187c008d4ce0d6576%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636360004315030763&sdata=m0%2FQIhc5PZ7qOzojoiCQcvrpWLL4fEbXrzCjH27AmeA%3D&reserved=0>.
> In the alt-svc case, if an earlier connection to mail.example.org
> <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fmail.example.org&data=02%7C01%7CMichael.Bishop%40microsoft.com%7C0a535a7fb83f4a3187c008d4ce0d6576%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636360004315030763&sdata=dzpNY0d8AF2kRFXdgSMNqZebFcyj8CTepsxlWxwNKFg%3D&reserved=0>
> advertised alt-svc for www.example.org
> <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.example.org&data=02%7C01%7CMichael.Bishop%40microsoft.com%7C0a535a7fb83f4a3187c008d4ce0d6576%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636360004315030763&sdata=A11yjgd7M%2BFAWckA%2B4yXLreK7egSTp0o7fHOxTmro1Y%3D&reserved=0>,
> then I would be comfortable coalescing the connection​ and would not need
> to do any resolution of mail.example.org
> <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fmail.example.org&data=02%7C01%7CMichael.Bishop%40microsoft.com%7C0a535a7fb83f4a3187c008d4ce0d6576%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636360004315030763&sdata=dzpNY0d8AF2kRFXdgSMNqZebFcyj8CTepsxlWxwNKFg%3D&reserved=0>
> .
>
>
>
> This doesn't work for our major usecase, which is using an existing
> connection to one of our customers to send the content of
> cdnjs.cloudflare.com
> <https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fcdnjs.cloudflare.com&data=02%7C01%7CMichael.Bishop%40microsoft.com%7C0a535a7fb83f4a3187c008d4ce0d6576%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636360004315030763&sdata=9yE4PkHTxyyqml%2BhutprXtHJO9nbwEtfi9ptaijYZb0%3D&reserved=0>.
> If logging a certificate in CT is enough to enable ORIGIN that is fine.
>
>
>
> Similarly, are you saying that CT could assert something that would
> cause you to skip the DNS lookup for a name?
>
>
>
> ​This was more of a straw-man than a concrete proposal, but yes. Folk in
> Chrome security thought that this was plausible, though probably required
> more thought.​
>
>
>
> Or is this list just to make a more general point about raising the
> bar for gaining the ability to use a name, and not something that is
> specific to this particular example of DNS lookups?
>
>
>
> Specific to the issue of skipping DNS lookups when deciding to trust a
> certificate.​
>
>
>
>
>