- From: Willy Tarreau <w@1wt.eu>
- Date: Thu, 27 Jul 2017 23:01:20 +0200
- To: Benjamin Kaduk <bkaduk@akamai.com>
- Cc: Martin Thomson <martin.thomson@gmail.com>, Kazuho Oku <kazuhooku@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Thu, Jul 27, 2017 at 03:16:28PM -0500, Benjamin Kaduk wrote: > On 07/27/2017 02:50 PM, Willy Tarreau wrote: > > On Thu, Jul 27, 2017 at 01:45:34PM -0500, Benjamin Kaduk wrote: > >>>> I just want to point out that 4NN was not a *guarantee* that the request > >>>> will not be replayed > >>> Yes it is. The only way to get this 4NN is for the connection to have > >>> been maintained between the client and the server for the whole duration. > >>> An attacker duplicating the traffic cannot use it against a new connection > >>> because the ClientFinished depends on the handshake. > >> I think we may be using different vocabulary/definitions. > >> > >> Alice makes a TCP connection to Bob, starts up a TLS 1.3 handshake and > >> sends some early data with it containing an HTTP request. Eve has a tap > >> in the network and records the bits going Alice-->Bob. Bob sends a TLS > >> 1.3 ServerHello/EncryptedExtensions/Finished and a 4NN in its 0.5-RTT > >> data. Nothing stops Eve from taking a copy of those recorded bits and > >> sending them towards Bob's clone Robert that shares a cert+key. Are > >> there requirements on Robert's behavior when receiving those bits? I > >> claim that with the -00, Robert is permitted to give 200 and an actual > >> response, but with pull/25, Robert is obliged to also return a 4NN. > > I don't see how this would make any difference. In before pull/25, both > > Alice and Eve send the request as early data without ClientFinished. This > > *without ClientFinished* is the signal that the request is at risk. After > > pull/25, both Alice and Eve send the request as early data without > > ClientFinished and both with the EarlyData header field. This one becomes > > the signal. In both cases, it requires both Bob and Robert to have the > > same configuration, so nothing was saved by adding EarlyData. > > My claim is with regarding Bob/Robert's decision about whether a given > (early) request can safely be processed as early data (vs. needing to be > verified by waiting for ClientFinished or sending 4NN for 1-RTT retry) > -- that is, whether they must necessarily make the same decision for a > given request. You mention that they must have the same configuration, > but but what if the current system load also is used in making the > decision? It doesn't change the fact that the additional presence of the EarlyData header field added by the client makes no distinction here, it's just redundant with the connection using 0-RTT. > My reading of pull/24 is that "MUST consistently use the same > approach" also implies must make the same decision. If you think that > the -00 draft as-is implies that Robert and Bob must make the same > decision, I'd be happy to have that be the case. Having both of them rely on EarlyData demands that same for of consistency unfortunately so it doesn't add anything against this. I mean, don't get me wrong, I'm not saying at all that there are not corner cases that we have to try to improve, what I'm saying is that the proposal to have the client add Early-Data was proposed solely for the timeout case and provides zero benefit for the case where the early data are replayed without ClientFinished (thus without the client being aware), and that's precisely the limit of using 0-RTT, so if the whether *one* of the servers considers the request safe or not (configuration issue or anything) is out of our control. The principle is to let the server decide what action to take with requests received as Early Data. > > The point that Subodh made was that Bob would hijack Alice->Bob's connection > > and would delay the ClientFinished message so that the finalized request > > doesn't reach Bob. Alice, being fed up with waiting would *spontaneously* > > try again and succeed. Then Eve would unblock the packet and have Bob play > > the initial request again. The fault here is not a lack of identification > > that the first request was transported over early data, it's a fault from > > Alice who retried without being invited to do so nor knowing the consequences > > of doing so. And if this attack would work for a selection of Alices, then it > > would also work over TLS 1.2 as well because no transport information was used > > at all. > > My understanding was that Subodh's point involve delaying not just the > ClientFinished but also the early data preceding it, so that Bob did not > even know there was a request at all, let alone one that is not > finalized. Not exactly since the Early Data has to be sent before the ClientFinished, the point was to be able to present Bob with a request carrying a validated ClientFinished (ie: Bob was supposed to trust it). > When the early data + ClientFinished were allowed through > together, Bob would see the request, check that the handshake is > finished, and assume it was a 1-RTT request, even though Alice had > already timed out and retried. Yep. > I do not dispute that Alice could prevent the behavior by waiting to > receive a 4NN before retrying, though I also do not expect (e.g.) > browsers to universally adopt such behavior. But the point of the draft precisely is to explain how to safely map HTTP on top of early data and to explain the risks :-) If we start to say "let's not do it safely because some will surely bypass the rule anyway", it becomes a bit difficult to provide something really useful :-) That's why I'm really all for documenting the corner cases so that implementers know what *not* to do (ie: even if a browser retries on timeout, it must absolutely not do it with early data). And anyway as Subodh showed, a browser retrying on timeout would be at risk whatever the transport level in use. > I agree that a client receiving 4NN has a guarantee that its request was > not processed on this connection. Does it also have a guarantee that > (replays of) its request were not processed on any other connection > [even though those other connections would subsequently have the TLS > handshake fail]? Absolutely not, but it does have a guarantee that this request was not presented with a ClientFinished. So by virtue of the server having the final choice whether a request is safe to process as early data or not, the second will fail. The remaining cases where such a request is nevertheless processed are caused by different configurations, but adding headers on the client will not address misconfigured servers anyway (and would in fact make things worse by increasing the complexity, resulting in additional wrong combinations statically speaking). Willy
Received on Thursday, 27 July 2017 21:01:49 UTC