Re: [TLS] Implementation survey: Client Certificate URL extension
Pasi.Eronen at nokia.com wrote:
>
> This vulnerability of Client Certificate URL is already described in
> the Security Considerations text in RFC 4366, so it isn't anything
> particularly new.
>
> In the context of web browsing over TLS, it isn't really different
> than, say, the ability to include IMG URLs pointing to arbitrary hosts
> (not just the one the HTML page came from).

It is completely different!
The regular HTTP/HTML based attacks attack the client/browser.
The certificate extensions and the client-cert-URL extension for TLS
attack the server, and there is no "must visit a hostile website" involved
at all, the server is guaranteed to fall prey to every attack automatically
if it supports/implements such a feature (or "inherits" this feature
from the underlying middleware).

>
> I can see that this could be more of a problem in other contexts:
> e.g., email clients don't usually fetch image URLs (since that would
> reveal that the address works, when the email was read, approximate
> network location of the client, etc.) -- but if they fetch URLs during
> S/MIME certification path validation, it would have roughly the same
> result.

For some firewalls it is sufficient to call a particular URL from
the inside (with parameters tacked at the end of the URL) in order
to open a hole that can be entered from the outside.
Generating advertising "clicks" might be another abuse.
Being able to coerce a server to access an arbitrary URL from the
inside of his network is IMHO a pretty serious security problem.
-Martin
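
An added example, not part of the original message or of any TLS implementation: a policy check a server could apply to a URL received through the Client Certificate URL extension before fetching anything, refusing the cases raised in this thread (internal addresses, URLs with parameters tacked on the end). The function name and the allowlisted host are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: hosts the operator has explicitly approved as certificate stores.
ALLOWED_HOSTS = {"certs.example.com"}


def check_cert_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason) for a client-supplied certificate URL."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "userinfo not allowed"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "missing host"
    try:
        # Literal addresses (192.168.x.x, ::1, ...) are refused outright,
        # so the peer cannot point the server at its own network.
        ipaddress.ip_address(host)
        return False, "IP literal not allowed"
    except ValueError:
        pass
    if host not in allowed_hosts:
        return False, "host not on allowlist"
    if port not in (None, 80, 443):
        return False, "port not allowed"
    if parts.query or parts.fragment:
        # A certificate fetch needs no parameters; refusing them removes
        # the "parameters tacked at the end of the URL" case.
        return False, "query string not allowed"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample URLs.
    for u in ("https://certs.example.com/alice.der",
              "http://192.168.1.1/admin",
              "http://fw.internal/open?port=22",
              "https://certs.example.com/a.der?click=1"):
        print(u, "->", check_cert_url(u))
```

A name-based allowlist only holds if the fetcher also refuses redirects and connects to an address it has checked after resolution, since an approved name can still resolve to an internal host.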