Re: Requesting reviews of draft-vanrein-httpauth-sasl

On Thu, May 14, 2020 at 10:04 AM Michiel Leenaars <michiel.ml@nlnet.nl>
wrote:

> > I'm not sure how to formalize this as a security property.
> > Certainly from the perspective of the origin
> > model and the browser the CDN *is* the origin. And for that
> > reason, as a practical matter it is in
> > part responsible for anything that the browser generates,
> > including authenticated traffic. (For instance,
> > it can cause the browser to make authenticated HTTPS requests
> > just as the origin server can).
> > Can you elaborate on what you mean here?
>
> What I mean is that here SASL in my opinion is meant to facilitate
> unforgeable authentication and confidentiality between the end points at
> hand. If the edge point is an 'edge compute' node run by a company that
> also delivers CDN services, that would I believe work fine with the
> proposed technology - and there is no problem.
>
> My considerations revolve around a CDN in the classical sense of the word,
> which as a passive relay has no right to look into an authentication
> protocol exchange between end points. Essentially, I do not think end users
> should want to expose a confidential session to an intermediate cache layer
> intended for static assets only. There is no value add in terms of security
> or functionality.
>

I think you're drawing a distinction which is not present in the technology.

Consider a Web application which has an origin server at www.example.com
and also hosts static assets including JS hosted at example.cdn.example.net.
Even if the SASL exchange only goes between the browser and www.example.com,
because the JS gets loaded into www.example.com's origin, the CDN has
the ability to initiate its own requests to www.example.com's origin.

> > Consider, for instance, a photo
> > sharing site; I don't want random people to know which photos I view.
>
> If random people includes the employees of CDNs (which could be anyone),
>

Well, this could just as well apply to the employees of the origin site or
of the hosting provider the origin site resides on. I appreciate that it's
not very satisfying, but the state of the Web ecosystem now is that many
sites just rely on a pile of different third parties that have potential
access to your data and you have to trust those as well. CDNs are just one
such entity.

-Ekr

Received on Thursday, 14 May 2020 19:12:54 UTC