New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Alt-Svc and Cert Pinning #76

Closed
MikeBishop opened this Issue May 28, 2015 · 5 comments

Comments

Projects
None yet
4 participants
@MikeBishop
Contributor

MikeBishop commented May 28, 2015

If http://www.example.com sends Alt-Svc pointing to evil.haxor.bg showing a cert from a hacked CA for the right origin, we don’t want to trust it. Cert pinning would mitigate this for https:// origins, and we could go a step further for https:// origins without pinning and validate that the cert on the alternate resembles the cert we last saw on the origin (identical cert, same issuer, same issuer country, etc.).

However, for http:// origins, we're pretty vulnerable. That scenario looks a lot like 9.2 again for http:// origins – if you’re MITM’d once, you can be MITM’d for as long as you trust the fishy cert.

@martinthomson

This comment has been minimized.

Show comment
Hide comment
@martinthomson

martinthomson May 28, 2015

Contributor

The alternative needs to present credentials that are valid. That means that if the original requires pinning, then the alternative needs to present a certificate that is valid against the pin set.

Requiring that an alternative present an identical certificate would make this considerably less attractive.

Contributor

martinthomson commented May 28, 2015

The alternative needs to present credentials that are valid. That means that if the original requires pinning, then the alternative needs to present a certificate that is valid against the pin set.

Requiring that an alternative present an identical certificate would make this considerably less attractive.

@reschke reschke added the alt-svc label May 30, 2015

@mnot mnot added the design label Jun 1, 2015

@mnot mnot removed the design label Jun 8, 2015

@mnot

This comment has been minimized.

Show comment
Hide comment
@mnot

mnot Jun 8, 2015

Member

Mike, is this really an issue, or just a question? Do you have proposed text?

Member

mnot commented Jun 8, 2015

Mike, is this really an issue, or just a question? Do you have proposed text?

@MikeBishop

This comment has been minimized.

Show comment
Hide comment
@MikeBishop

MikeBishop Jun 8, 2015

Contributor

This is a concern that came up in our internal discussions. Reasonable text could range anywhere from general guidance that implementations might use caution in which certificates they accept to specific requirements on the cert, depending on the consensus of the rest of the group.

More generally, I think this is something a cautious implementation might do anyway, and if it's at least mentioned in the spec, origin operators will be more prepared for it than if it's strictly an implementation "quirk."

Contributor

MikeBishop commented Jun 8, 2015

This is a concern that came up in our internal discussions. Reasonable text could range anywhere from general guidance that implementations might use caution in which certificates they accept to specific requirements on the cert, depending on the consensus of the rest of the group.

More generally, I think this is something a cautious implementation might do anyway, and if it's at least mentioned in the spec, origin operators will be more prepared for it than if it's strictly an implementation "quirk."

@mnot mnot added the design label Jul 20, 2015

@mnot

This comment has been minimized.

Show comment
Hide comment
@mnot

mnot Jul 21, 2015

Member

Discussed in Prague; need to add security considerations text explaining the potential attack and possible mitigations.

Member

mnot commented Jul 21, 2015

Discussed in Prague; need to add security considerations text explaining the potential attack and possible mitigations.

@mnot mnot added the editor-ready label Aug 24, 2015

@mnot

This comment has been minimized.

Show comment
Hide comment
@mnot

mnot Oct 5, 2015

Member

@MikeBishop, perhaps you could suggest some text?

Member

mnot commented Oct 5, 2015

@MikeBishop, perhaps you could suggest some text?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment