On 09/13/2011 04:24 PM, davidills...@gmail.com wrote:
> On 13 Sep 2011, at 21:35, Chris Palmer wrote:
>> <snip>
>> sites; small sites may have to choose no pinning or potentially
>> bricking their site (up to the maxAge window). This is not worse than
>> the status quo."""
>
> What about sites which don't currently use https at all? The DNS records
> for theregister.co.uk were redirected the other week. An attacker who
> could do that could redirect to https, then set a very long max-age pin.
> At that point, they'd be dependent on the browser vendor unpinning
> affected users, right?

Wouldn't they have to acquire a valid cert first? Not saying that's out
of the realm of possibility, but...
I think you have a point. The whole premise of this is that there are
circumstances under which some attacker can obtain such a cert. If this
feature translates to a risk of perma-DoS for the (100.0 - epsilon)% of
sites that don't adopt it immediately then it may be more dangerous than
it's worth.

Consider an adversarial country like, say, Bananastan. They have an ISP
or three, their own CA, and of course, no sense of humor.

They may one day be subject to some criticisms in the online press which
they perceive as unfair. Or maybe something on a video sharing site is
contrary to their customs and traditions.

So their local judge orders their local ISP to block the offending media
provider. The ISP does this by advertising more specific BGP routes for
the video site's netblocks (1).

Being mostly streaming data of little consequence, the video site has
not yet set up HSTS or even full support for HTTPS (2).

The ISP also sets the country's DNS resolvers to reply to name requests
for the site with an IP address of a webserver where citizens can
receive educational information (3).

To be sure they get everybody, they do something I didn't know could be
done with DNS (4).

In order to save the misguided users that accidentally used a
subversive https: bookmark, the court orders the local CA to "do what it
takes to make it work" (5).

And just to be sure the message sticks, they set a long term HSTS pin on
this cert and/or their CA (6).

Hilarity ensues.
- Marsh
1. YouTube - Pakistan - 2008
http://www.circleid.com/posts/82258_pakistan_hijacks_youtube_closer_look
http://www.ripe.net/internet-coordination/news/industry-developments/youtube-hijacking-a-ripe-ncc-ris-case-study
2. http://youtube.com/
3. http://web.archive.org/web/20060418030141/http://chinadigitaltimes.net/2006/01/image_of_internet_police_jingjing_and_chacha_online_hon.php
4. China - 2010
https://lists.dns-oarc.net/pipermail/dns-operations/2010-March/005260.html
http://www.zdnet.co.uk/news/networking/2010/10/11/mystery-of-web-traffic-redirect-to-china-remains-unsolved-40090476/
5. [...]
6. Why wouldn't this attack work?
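As an added illustration, not code from the thread or from the pinning draft under discussion, here is a toy model of a browser's pin store showing the window Chris and David describe: once a pin delivered over a hijacked connection is accepted, the site's real key is refused until max-age lapses. The `max_age_cap` parameter, the `video.example` hostname and the two key byte strings are constructed assumptions; the cap is an illustrative browser-side mitigation, not something the draft specifies.

```python
import hashlib
from dataclasses import dataclass

DAY = 86400
# Constructed stand-ins for the public keys in the two certificates.
LEGIT_KEY = b"constructed: video site's real public key"
HIJACK_KEY = b"constructed: key in the court-ordered CA's cert"


@dataclass
class Pin:
    fingerprint: str  # SHA-256 of the pinned public key, hex
    expires: float    # absolute time in seconds


class PinStore:
    """Minimal model of a browser's per-host pin store."""

    def __init__(self, max_age_cap=None):
        self.pins = {}                   # host -> Pin
        self.max_age_cap = max_age_cap   # assumed browser-side ceiling on max-age

    def observe(self, host, conn_key, max_age, now):
        """Record a pin header received over a TLS connection that used conn_key.
        Only the key the connection actually presented can be pinned, so an
        attacker holding a CA-issued cert can pin their own key."""
        if self.max_age_cap is not None:
            max_age = min(max_age, self.max_age_cap)
        self.pins[host] = Pin(hashlib.sha256(conn_key).hexdigest(), now + max_age)

    def accepts(self, host, conn_key, now):
        """True if a connection presenting conn_key passes the stored pin."""
        pin = self.pins.get(host)
        if pin is None or now >= pin.expires:
            self.pins.pop(host, None)    # expired pins are forgotten
            return True
        return hashlib.sha256(conn_key).hexdigest() == pin.fingerprint


def bricked_days(hostile_max_age_days, cap_days=None):
    """Days the legitimate key is refused after a hostile pin was set at day 0."""
    store = PinStore(None if cap_days is None else cap_days * DAY)
    store.observe("video.example", HIJACK_KEY, hostile_max_age_days * DAY, now=0)
    day = 0
    while not store.accepts("video.example", LEGIT_KEY, day * DAY):
        day += 1
    return day


if __name__ == "__main__":
    print("no cap:", bricked_days(365), "days; 60-day cap:", bricked_days(365, 60))
```

With no cap the legitimate key stays refused for the whole hostile max-age; a cap bounds the outage to the cap length, which is the "up to the maxAge window" cost the thread weighs against the benefit.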
_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec