Re: [TLS] TLS or HTTP issue?

[Bruno Harbulot <Bruno.Harbulot at manchester.ac.uk>]

Hello,

Nikos Mavrogiannopoulos wrote:
> Eric Rescorla wrote:
> > TLS WG members will want to check out this announcement of a
> > new attack on the TLS renegotiation logic. See here:
> >
> > http://www.extendedsubset.com/
> >
> > The high-level summary is that the attacker negotiates TLS with the
> > server and then subsequently proxies the client's negotiation *over*
> > that channel. This allows the attacker to inject arbitrary content of
> > their choice in front of data sent from the TLS client to the TLS
> > server. This data will be treated by the server as if it came from the
> > client. Once the new handshake has finished, the attacker can't
> > do anything else useful.
>
>  I'll become a bit pedantic and note here that this isn't really a TLS
> issue. We have an initial server-authenticated only session and some
> renegotiation of parameters over it to authenticate the client. However
> TLS doesn't guarantee[0] that if the renegotiation is successful
> authenticating the client, then the data from the initial session were
> also by the same authenticated client.
>  Think for example a session that it is anonymous (DH). Why one should
> assume that commands over the anonymous connection are to be trusted if
> a successful renegotiation follows?
>
> So for me the issue is on HTTP's usage of the TLS protocol
> renegotiation. After a TLS renegotiation for authentication the previous
> command cache should have been cleared and reissued after negotiation.

I think you have a point, I'm not sure if it's HTTP as such that is to 
blame, rather the assumptions made by the frameworks implementing it.

Authentication via client-certificate in HTTPS has always been a bit at 
odds with the rest of the HTTP authentications schemes. HTTP has status 
codes for requiring authentication (401), but client-cert authentication 
doesn't fit well into this model. The need vs. want client-cert feature 
itself isn't handled particularly well by browsers. Requiring a 
client-cert (and closing the connection if one isn't presented) can be 
confusing to the user.

I think the problem comes from the fact that SSL/TLS is intended to 
behave transparently, like normal sockets, for the application using it, 
whereas this issue is clearly not the case when re-negotiation happens. 
Perhaps this should just be another special case handled by the 
application layer (the other special case I have in mind is the way 
closing the socket behaves slightly differently to normal sockets).

This attack could be prevented if the HTTP framework was notified when a 
renegotiation had happened and thus made aware that the command it just 
got may not have been made with the same credentials.
For example, this wouldn't be an issue if:
- the HTTP method sent just before the renegotiation was a safe method 
(GET/HEAD)
- the HTTP application was using safe methods correctly (no GET 
/page?action=delete for example)
- if the HTTP method isn't safe (POST, PUT, ...), then send a 401 status 
response. The problem here is that a 401 response status requires a 
challenge header according to the HTTP spec and there isn't one to 
require a client certificate; this being said, it should be possible to 
extend HTTP and have 'WWW-Authenticate: Transport' (or something 
similar) meaning that it's up to TLS to provide the required 
authentication information.


As you said, I also think handling this problem at the TLS level is 
cleaner since the assumption that TLS sockets behave transparently like 
normal sockets should still be valid in this case.


Best wishes,

Bruno.