RE: issue of initiating client auth for parallel SSL sessionids from 'Ryan Sleevi' on 2011-02-27 (public-xg-webid@w3.org from February 2011)

From: 'Ryan Sleevi' <ryan-webid@sleevi.com>
Date: Sun, 27 Feb 2011 17:10:36 -0500
To: "'peter williams'" <home_pw@msn.com>, <public-xg-webid@w3.org>
Message-ID: <02f501cbd6cb$29c36ed0$7d4a4c70$@com>
By the MITM proxies, am I correct in assuming you refer to WebID-ISSUE-28
and the related discussion of transparent proxies

 

I may have missed it, but has there been any discussion about proxy
certificates? If market deployment concerns are put aside, and accepting
that transparent proxies already cause a world of hurt (look at the IETF
KeyAssure/DANE/CAA discussions), proxy certificates are/were one approach to
delegate credentials to an agent acting on a user's behalf, potentially with
restrictions, for use with PKI and, in this case, TLS. While sounding
special/complex, they're just X.509 certificates that are signed by the
private key of the end-user's certificate, but issued to a private key of
the proxies chosing. The proxy then does not need access to the user's
private key, and relying parties (PKIX term, equivalent to Validating Agents
in this context) can build a chain from the proxy to the user, and from the
user to the trust anchor (if needed).

 

However, that's defining a solution for a problem that is more fundamental.
SSL MITM's are evil in many ways, and the growing view of browser vendors
and protocol implementors is that they are "breaking" the protocol, and
rightly so. TLS client auth is a prime example of where the proxies do not
help, so I would agree that MITM proxies are going to be a concern for a TLS
client-auth based protocol. That said, if you want to further build on the
security assurances, beyond just client auth, then RFC 5929 is where to
start, as it defines how to extract connection-unique and endpoint-unique
bindings. As documented there, the connection-unique channel bindings
prohibit having a proxy/intermediary, so some form of zero-knowledge proof
built on those would explicitly prohibit MITM proxies.

 

Regarding the rest of your examples, I don't see anything that really is
particularly concerning to WebID, beyond that above. The only concern is if
a single "server" (host, port) needs to protect different URIs with
different credentials (that is, some with a WebID, some with a smart card),
yet also be able to relate those credential selections (that is, the
smartcard user is-also the webid user). That requires more care in
implementation, but is not something explicitly prohibited by the WebID
protocol as it stands, I don't believe.

 

Ryan

 

 

From: peter williams [mailto:home_pw@msn.com] 
Sent: Sunday, February 27, 2011 4:34 PM
To: 'Ryan Sleevi'; public-xg-webid@w3.org
Subject: RE: issue of initiating client auth for parallel SSL sessionids

 

Now, I've argued for a week or more that we have in webid protocol land
major issues with SSL MITM proxies, outgoing and browsers and reverse
proxying agents fronting other agents and ultimately resource servers. I'm
really not sure anyone agreed with me that the topic is even a legit issue.
(The counter-arguments I personally found rather specious from a security
perspective, but quite proper from a webby perspective that focuses on "just
get going; improve later".)

 

You seem to recognizing that even if we had perfect communication channels,
the nature of the document-centric web is that it's an inherently
threatening environment (with malicious code, all over). In some cases, the
threats can be controlled by compartmentation (e.g. the like of live.com
enforced reputation services that simple censored and prevented me the other
day downloading some [political] file that Microsoft IE9 deigned to be
"undesirable", that I had to use Opera to get!); or best practices on web
site design - a self-discipline used by site designers. Having https act as
a singular tunnel to only 1 site that fronts others (and one disallows https
mashups at the browser) is one example of a self-discipline.

 

Now, I argue that we should have an issue that looks at SSL MITM issues, and
that we might want to consider "channel binding
<http://yorkporc.wordpress.com/2010/03/20/digest-cnonce-nonce-count-and-the-
channel-binding-directive-value/> " countermeasures such leveraging
SSL+webauth-header (digest) cooperation, which allows one to at least detect
MITMing SSL proxies in modern https "networks".

 

I'll guess you would argue that we should also have an issue that
essentially mandates UI and site-design guidelines (much as does the openid
world!) that only certain website design practices are approved - so as to
wrap a security safety blanket around the "approved" world.

 

Now, I don't have much opinion on the latter as a protocol designer (it's
out of scope). As a system designer, it is in scope certainly. But, I'm new
to W3C land, and get the impression that system deployment constraints (even
well motivated ones) are not something W3C wants to be in the business of
endorsing. Rather, it wants a "few-constraints as possible" world (which
maximizes takeoff, recognizing that it may well be CREATING the likes of the
phishing problem thereby); and then expects the market to decide how to
profile the resulting wave so its sustainable. That profiling may well
impose considerable conservatism on "deployments", particularly as
corporations come on board as buyers, and apply intranet/extranet overlays
on the web that attempt to meet corporate integrity requirements.

 

I hope you recognize that, given my examples, what Im trying to do is

 

-          Introduce the notion that BY DEFAULT there is a world of "mixed
browsing" - meaning some links of a given graph (e.g. an HTML doc) are http,
some are https, and there may be multiple https endpoints involved in one
graph. This world is bad when handling HTML graphs (human users), and even
worse for data graphs (machine users).

 

-          In a multiple endpoint world, the browser may be faced with
competing demands for SSL client authn - since the https endpoints are - in
the general case - not coordinated. In one graph, multiple parties may
demand client certs and do cert pingbacks against foaf  cards. As designers,
one cannot assume correct and/or coordinated implementation by arbitary
sites, surely.

 

-          Wanting to perhaps allow both high assurance crypto (on
smartcards and eID cards) to co-exist with low-assurance crypto delivered by
the browser cryptomodule on a PC - recognizing that, generally, a browser is
merely a gateway to multiple crypto modules, selected by the SSL server's
choice of CA msg I a given handshake run. Perhaps, the ideal webid protocol
interaction with SSL might be is, as you seem to say, be one in which its a
"custom record-layer protocol," delivered on the record layer controlled by
an outer SSL tunnel (whose confidentiality SA might be orchestrated by the
eID card).

 

There are lots of topics would flow from those issues (would one want to
give the e-ID world a black check to decide if webid protocol can even
flow)? Should UI mashups of arbitrary https endpoints be banned? Could the
"mashups" of RDF graphs (vs HTML documents) with arbitrary and multiple
https site endpoints even be banned (without interfering with the whole
concept of the "link-anywhere" semweb)?

 

 

 

 

From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org]
On Behalf Of Ryan Sleevi
Sent: Saturday, February 26, 2011 6:49 PM
To: 'peter williams'; public-xg-webid@w3.org
Subject: RE: issue of initiating client auth for parallel SSL sessionids

 

Hi Peter,

 

It may help me to understand what you're proposing if you could describe the
request flow using the HTTP semantics. I'm having a bit of trouble
understanding your proposal, and that's making it hard to evaluate the
security implications. Something like the simple sequence diagram at [1]
would help greatly.

 

My concern is that you're proposing that a user agent perform the WebID auth
sequence over HTTPS/SSL, but then continue the browsing session through
unsecured HTTP. This seems to defeat any guarantee of secure user
authentication, which is why I'm wanting to make sure I've understood
correctly.

 

Two example attacks that would make such a proposal untenable are the
injection of malicious scripts [2] or session hijacking [3]. The requests
received over HTTP cannot be assured of the WebID accessing them, since the
connection may be MITMed, and likewise, requests received over HTTPS may
have been initiated by malicious script running downloaded via HTTP.

 

Further, the idea of maintaining two independent SSL session IDs for a
single domain is not something most user agents presently support (Firefox
and Chrome come to mind). So while WebID by leveraging SSL client auth with
a single identity is something that most every modern browser supports, and
they will cache the (relatively expensive, computationally and network) TLS
client auth stage, maintaining parallel sessions to the same domain, with
distinct identities (smart card/eid and WebID) will most likely require
browser vendors to change their networking implementations in order to
support WebID. This is in addition to the WebID-specific provisions such as
..crt handling/specialized Accept headers that seem to be proposed here. I
would think that such requirements would prevent any widespread adoption of
WebID, because it will require browser vendors to adopt it in order to be
widely deployed, but browser vendors typically aren't likely to adopt
WebID-specific modifications unless/until it is widely deployed.

 

In order for WebID (or any really any Web-based authentication mechanism,
for that matter) to be used securely, the requests, including the initial
one [4] [5], need to happen over a secure connection (such as SSL). Once
that connection is established, then the requests need to continue to happen
over that security association if you're going to assume that identity
remains correct. That is, you can only assume the WebID user is "logged
in"/"authenticated" if/while every request originates over the HTTPS session
that the WebID was provided over.

 

If you're concerned about the desire to provide authn/authz via multiple
certificates, then it should be possible with TLS secure renegotiation [6].
Because each subsequent renegotiation is secured/protected by the previous
security establishment, a server could request multiple forms of
authentication by sending a HelloRequest, and in the new handshake,
requesting a different set of CAs in the CertificateRequest. Under such a
scenario, a user can prove their possession of a WebID private key in one
handshake and then, using that channel, prove their possession of a smart
card-based private key in a subsequent renegotiation handshake. While such a
scenario works at a TLS level, it will still likely require modifications to
user agents to fully support, as it requires careful thought about the user
experience, it has the benefit of accomplishing the same goal without being
WebID-specific.

 

Thanks,

Ryan

 

[1] http://www.w3.org/wiki/Foaf%2Bssl

[2]
https://www.blackhat.com/presentations/bh-usa-09/SOTIROV/BHUSA09-Sotirov-Att
ackExtSSL-PAPER.pdf

[3] http://en.wikipedia.org/wiki/Firesheep

[4] http://www.thoughtcrime.org/software/sslstrip/

[5] http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

[6] http://tools.ietf.org/html/rfc5746

 

From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org]
On Behalf Of peter williams
Sent: Saturday, February 26, 2011 8:21 PM
To: public-xg-webid@w3.org
Subject: issue of initiating client auth for parallel SSL sessionids

 

Because of the history of FOAF+SSL, we tend to see demos in which folks goto
a site with http, and then use a login button - guarding a protected region
of the site (or protected modes).

 

I think we need something more general.

 

As one browsers page index.html, should there by a file X referenced (call
it ..crt), let the browser connect to its server using https (for that file
GET, only). Presumaly, if browser knows the mime type of .crt, it populates
the accept header with something suitable.

 

What I want is that the validation agent only kick off when it receives a
particular accept header ( induced by a containing page reference that
forced population of that accept header on the resource retrieval attempt).

 

Webid protocol would then run (and setup an SSL sessionid), but https would
not be protecting the connections to other page elements. As one moves
through a site, the SSL sessionid (due to webid protocol) can still guard
access using an authorization logic.

 

What this allows is both classical client authn (using smartcards, in DOD
land) and webid client authn. Now, it easy for the site to maintain 2
distinct SSL sessions, 1 with CA's controlling the selection of certs (which
hits the smartcard/eID) and 1 which does leverages webid.

 

Those SSL connections on the same site supervised by the smartcard/eID SSL
sessionid obviously leverage smartcard/eID's crypto,  doing SSL connections
that offer channel encryption using the *assured* crypto of the card (and
applying CA-based certg chaining authn .merely to protect the channel's
encryption SA). 

 

Those SSL connections on the same site supervised by the webid SSL sessionid
are distinct, influencing "login" authentication and "web sessions" -
driving an authorization engine (perhaps based on federated social network
conceptions)
Received on Sunday, 27 February 2011 22:11:46 UTC