Re: Working Group Last Call for Using Early Data in HTTP from Eric Rescorla on 2018-02-13 (ietf-http-wg@w3.org from January to March 2018)

From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 12 Feb 2018 16:40:58 -0800
To: Jeffrey Yasskin <jyasskin@google.com>
Cc: Patrick McManus <mcmanus@ducksong.com>, HTTP Working Group <ietf-http-wg@w3.org>, Mark Nottingham <mnot@mnot.net>, Martin Thomson <martin.thomson@gmail.com>, willy@haproxy.org
Message-ID: <CABcZeBNUgDGniCM1r05GUEG7VGXUnbN9nk_QMLQ=hbkZtiamEA@mail.gmail.com>

On Mon, Feb 12, 2018 at 4:24 PM, Jeffrey Yasskin <jyasskin@google.com>
wrote:

> I apologize for sending this so long after the WGLC deadline, but I
> noticed that draft-ietf-httpbis-replay-02, "Using Early Data in HTTP",
> doesn't mention the risks of sending non-PFS early data.
>
> Even in requests that pose no replay risks, the client might include
> confidential data like cookies, or the fact of requesting a particular path
> might be private. If an expired key is discovered by an attacker, my
> understanding is that they could decrypt this information if it's sent in
> early data. Is that right?
>
> If so, do clients need to restrict their early-data requests to ones not
> containing confidential information? (I think, for browsers, that would be
> requests with an "omit" credentials mode: https://fetch.spec.whatwg.org/
> #concept-request-credentials-mode.) Should private-browsing modes avoid
> early-data entirely? Should all browsing modes restrict it to cases where
> they have evidence that the request data isn't private?
>

The FS properties of TLS 1.3 Early Data are basically the same as those of
TLS 1.2 resumption, and to the best of my knowledge, no client avoids
sending credentials when in resumption mode, so I don't think that this is
an appropriate way to handle it.

-Ekr


> Thanks,
> Jeffrey
>
>
> On Thu, Nov 23, 2017 at 6:54 PM Patrick McManus <mcmanus@ducksong.com>
> wrote:
>
>> Hi All - When we met in Singapore we discussed a couple final details of
>> the Early Data / Replay draft and indicated we would start WGLC after a
>> final(?) update. The authors have made that update and we're ready for the
>> LC now.
>>
>> Please have a look at:
>> https://tools.ietf.org/html/draft-ietf-httpbis-replay-02
>>
>> Raise any issues either on the mailing list or in the issues list.
>> Statements of support, implementation, or intent to implement to the list
>> would also be helpful.
>>
>> We'll run this for a touch over two weeks, ending the WGLC on December
>> 10, 2017. We look forward to your comments :)
>>
>> -Patrick
>>
>>

Received on Tuesday, 13 February 2018 00:42:07 UTC