Re: [websec] I-D Action: draft-nir-websec-extended-origin-00.txt

2012-03-04 Thread Yoav Nir 
Hi Tobias,

Replies inline.

On Mar 3, 2012, at 6:07 PM, Tobias Gondrom wrote:

 Hello Yoav,
 
 thank you for the interesting draft.
 
 hat=individual
 
 I have a few points as feedback:
 - the 3-tupel of origin consists of real parameters (protocol, URL, 
 port), while the introduction of the 4th tupel feels like an artificial 
 parameter extension as it is not mapped to anything visible to the 
 client and in fact will be spliced by the middle-server (vpn server). 
 This makes me very hesitant, whether this would be a good idea.

As far as the client is concerned, there is only one server. If that server 
does not give any hints to the client, it's going to treat all these different 
resources as belonging to the same origin. So it does map to something the 
server sends.

 - As Adam mentioned that there will be migration problems.
 At the moment all browsers and other systems operate on the SOP with 
 3-tupel to compare for identity. It will be difficult (read: near 
 impossible) to enforce that all deployed systems out there shall from 
 now on be compliant with a 4-tupel and no longer assume identity of two 
 sites when only the first three parameters are equal.
 
 So, although I agree that economic reasons are absolutely viable reasons 
 for such an idea, I have concerns that this draft is only a workaround 
 for certain closed areas (i.e. where a company can basically enforce 
 that all accessing clients are in fact updated using such a 4-tupel 
 policy) but will create severe consistency issues in the Internet where 
 you would then see a mix of 3-tupel and 4-tupel clients, with the risk 
 of messing up the predictability of handling of SOP.

Actually, SSL VPNs are deployed where the company has no control over the 
clients. Sure you can enforce that users only use one kind of browser, but 
typically SSL VPNs are deployed so as to support any type of client, from 
phones to desktop. Companies that have that level of control tend to equip 
their employees with laptops that run IPsec VPNs. 

However, these SSL VPN portals exist today, and hide multiple servers behind a 
single hostname and port. Typically these will be mostly internal servers with 
a few external ones. For example, our deployment has the mail server (OWA), the 
internal Wiki, The automated build system, the SAP web application, and the web 
application of an external service provider that delivers lunch. These are not 
just random sites on the Internet, but specific servers that the administrator 
has chosen. The way these are deployed now, the lunch service provider can 
steal the cookies from the mail server, or script it. Having the SSL VPN server 
provide this extra information might help security (if the browsers use that 
information). It won't make it worse.

 Maybe a question regarding the use cases:
 As in general, systems use sub-domains for such purpose (as explained by 
 you and James), I am wondering whether there are other scenarios (beyond 
 VPN) that may need this 4th origin parameter?

I guess any HTTP reverse proxy may hide multiple servers behind it. Reverse 
proxies are used for caching, load balancing, access control to web 
application. Even CDNIs are a type of reverse proxy. I believe that SSL VPNs 
are a little different. The other types of reverse proxy are typically 
installed and maintained by experts. SSL VPNs are installed and maintained by 
people whose knowledge of networking can range from NOC team material to the 
CEOs nephew who's really good with computers. So I think all reverse proxies 
could benefit from a 4th origin parameter, but I think most of the others can 
work around that need, while some SSL VPN customers can't.

Yoav

___
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec

Re: [websec] I-D Action: draft-nir-websec-extended-origin-00.txt

2012-02-26 Thread Adam Barth 
2012/2/26 Yoav Nir y...@checkpoint.com:

 On Feb 24, 2012, at 1:35 AM, Manger, James H wrote:

 The scheme that you propose (a.sslvpn.example.com, b.sslvpn.example.com,
 etc.) really does work. In fact, the product that my company makes offers
 this as an option.

 Good to hear.

 Sadly, our customers don't like it, hence the other option.  Using
 multiple FQDNs requires them to either buy multiple certificates, or a
 wildcard certificate, both options are more expensive. Additionally this
 requires them to add multiple DNS records, which for some reason they find
 cumbersome.

 Not sure that that is a good enough reason to introduce extended origins.


 I checked the products of some of our competitors, and they seem to also
 offer both options. IMHO the cost and complexity of deployment for the user
 are valid considerations for engineering.

 In this case, the cost is incurred not because of technical necessity but
 because of the way browsers work with commercial CAs - that wildcard
 certificates are more expensive, and multiple certificates are also more
 expensive.  Regardless, the cost and complexity are real.

 I hope to have a -01 draft ready in time, which will address your other
 point.

 Thanks again for the review

Frankly, your proposal is very unlikely to be implemented.  The
engineering effort required to implement is quite large, if it's even
possible.  Consider, for example, that beyond just changing the
browser, you'd also need to change Flash, Java, and every other
plug-in that implements the same-origin policy.

In addition to that complexity, there are many assumptions in browsers
and in the software that surrounds browsers that origins are
determined by URL.  Your proposal breaks that assumption.

Adam
___
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec

Re: [websec] I-D Action: draft-nir-websec-extended-origin-00.txt

2012-02-23 Thread Manger, James H 
 The scheme that you propose 
 (a.sslvpn.example.comhttp://a.sslvpn.example.com, 
 b.sslvpn.example.comhttp://b.sslvpn.example.com, etc.) really does work. In 
 fact, the product that my company makes offers this as an option.

Good to hear.

 Sadly, our customers don't like it, hence the other option.  Using multiple 
 FQDNs requires them to either buy multiple certificates, or a wildcard 
 certificate, both options are more expensive. Additionally this requires them 
 to add multiple DNS records, which for some reason they find cumbersome.

Not sure that that is a good enough reason to introduce extended origins.

 2] I think it would be better to serialize an extended-origin as an 
 additional sub-domain, not a fragment. The sub-domain could have a prefix so 
 it cannot (or is highly unlikely to) clash with a real sub-domain. Example:
 → GET https://sslvpn.example.com/xyz
 ← Extended-Origin: asdhgasghd
 → Origin: https://xb--asdhgasghd.sslvpn.example.com

 2) I don't see that it makes much of a difference. I can do it either way. 
 Can you explain what is the advantage of this over the pseudo-fragment format?

No big advantage. A pseudo-sub-domain hints at the better approach (using 
actual sub-domains). It matches the existing syntax (which probably simplifies 
some code).

--
James Manger
___
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec