Network Working Group M. Miller Internet-Draft Cisco Systems, Inc. Intended status: Informational January 23, 2014 Expires: July 27, 2014 Applying Unauthenticated Transport Layer Security (TLS) to Hypertext Transport Protocol (HTTP) Connections draft-miller-http-unauth-tls-00 Abstract With the pervasiveness of passive monitoring and ubiquity of unencrypted Hypertext Transport Protocol (HTTP), it is desirable to mitigate passive monitoring without causing an undue burden on HTTP user agents and servers. This document describes the rationale and process for using Transport Layer Security (TLS) in an unauthenticated manner for exchanging HTTP messages. The application of unauthenticated TLS - particularly when Perfect Forward Secrecy (PFS) algorithms are used - change monitoring from being a passive attack into an active attack. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on July 27, 2014. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents Miller Expires July 27, 2014 [Page 1] Internet-Draft I-D January 2014 carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 2 2. How it Works . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Forward Secrecy . . . . . . . . . . . . . . . . . . . . . 3 2.2. Upgrade Failure . . . . . . . . . . . . . . . . . . . . . 3 2.3. Caching Upgrade Results . . . . . . . . . . . . . . . . . 4 3. Security Considerations . . . . . . . . . . . . . . . . . . . 4 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 5.1. Normative References . . . . . . . . . . . . . . . . . . 4 5.2. Informative References . . . . . . . . . . . . . . . . . 5 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction The exchange of information through the use of Hypertext Transport Protocol (HTTP) [RFC2616] is widespread, with the vast majority of such traffic exchanged in the clear. As described in [I-D.farrell-perpass-attack], passive monitoring is seen as an attack on the privacy of users and organizations. The ubiquity of unencrypted HTTP coupled with the pervasiveness of passive monitoring means that the vast majority of HTTP traffic can be (and often is) captured without the knowledge or consent of the primary parties - namely the HTTP user agent and HTTP server - and with negligible effort on the part of the passive monitor. Therefore, it is desirable to apply apply encryption to the HTTP exchange in the form of Transport Level Security (TLS) [RFC5246]. Traditionally, TLS has only been seen as useful if at least the server is authenticated in the handshake, and that authentication is done almost exclusively using PKIX certificates. However, using TLS in an unauthenticated manner can mitigate passive monitoring attacks by requiring the attacker to act as a man-in-the-middle, thereby increasing the effort passive monitoring requires to be effective. Forgoing TLS authentication eliminates the burden of obtaining properly issued PKIX certificates, reducing the effort it takes to deploy an encrypted HTTP server. 1.1. Terminology Miller Expires July 27, 2014 [Page 2] Internet-Draft I-D January 2014 In this document, the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in BCP 14, RFC 2119 [RFC2119]. This document reuses HTTP terminology from [RFC2616], [RFC2817], and [RFC2818]. It reuses PKIX terminology from [RFC5280] and [RFC6125]. 2. How it Works When given a "http:" URI, the user agent attempts to establish a TLS connection to the indicated origin. The exact processes used to upgrade the connection to TLS is out of scope for this document; it could use the Upgrade process documented in [RFC2817], or attempt to connect to the server on the IANA-registered port for HTTP over TLS (HTTPS) if the requested origin uses the IANA-registered port for HTTP. During the TLS establishment, the user agent and server ignore any certificate verification errors it might encounter with regards to naming (e.g., self-signed certificate, or none of the certificate identifiers not match the input URL). Once established, the user agent and server then exchange HTTP messages as if the connection were unencrypted. The use of HTTP basic authentication is still NOT RECOMMENDED, and user agents MUST NOT indicate in any way that the HTTP connection is protected (e.g., display a "locked" or "protected" indicator with the HTTP resource). 2.1. Forward Secrecy The benefits of unauthenticated TLS are only realized if it is less costly for an attacker to actively interject itself into the TLS session than to passively collect all traffic and later compromise the TLS handshakes. Forward secrecy prevents a passive monitor from decrypting the TLS session if it has compromised the server's private key. Software MUST use algorithms that provide perfect forward secrecy (e.g., TLS_DHE, TLS_ECDHE, or TLS_DH_anon) when relying on unauthenticated TLS. 2.2. Upgrade Failure If the TLS connection could not be established, user agents need to determine whether to continue based on their own policies. For instance, a user agent might (among other possibilities): 1. prompt the user that communications with the server can be monitored and asking whether the user wishes to proceed anyway; Miller Expires July 27, 2014 [Page 3] Internet-Draft I-D January 2014 2. abandon the connection altogether, informing the user that privacy protection could not be applied to the connection; or 3. silently continue without any encryption. Note this can effectively lead to downgrade attacks. 2.3. Caching Upgrade Results A user agent SHOULD cache the success or failure to establish a TLS connection with a given origin. How much information about a successful (or failed) attempt at establishing a TLS connection is implementation and deployment specific, but needs to at least indicate if unauthenticated TLS was used. This cached information can then used for subsequent connections. If a previous upgrade was successful, the user agent can decide to fail if a subsequent TLS establishment fails. If a previous upgrade used a specific certificate chain, the user agent can fail if a different chain is presented. 3. Security Considerations This entire document discusses security. 4. IANA Considerations This document has no actions for IANA. 5. References 5.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008. [RFC6125] Saint-Andre, P. and J. Hodges, "Representation and Verification of Domain-Based Application Service Identity Miller Expires July 27, 2014 [Page 4] Internet-Draft I-D January 2014 within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)", RFC 6125, March 2011. 5.2. Informative References [I-D.farrell-perpass-attack] Farrell, S. and H. Tschofenig, "Pervasive Monitoring is an Attack", draft-farrell-perpass-attack-03 (work in progress), December 2013. [RFC2817] Khare, R. and S. Lawrence, "Upgrading to TLS Within HTTP/ 1.1", RFC 2817, May 2000. [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008. Author's Address Matthew Miller Cisco Systems, Inc. Email: mamille2@cisco.com Miller Expires July 27, 2014 [Page 5]