On Dec 12, 2011, at 5:06 PM, Paul Hoffman wrote:

> On Dec 12, 2011, at 6:57 AM, Yoav Nir wrote:
>
>> Section 2.3 does say that pins must only be noted if they come over an
>> error-free HTTPS connection, where the chain contains the pinned SPKI. So
>> the MITM would have to be able to take over the DNS (at least for a while)
>> as in the attack described by David on 11-Dec.
>
> I don't agree that the MITM must control the DNS for this attack to work. As
> long as the MITM can intercept the TLS handshake, and the client isn't doing
> OCSP (or the MITM intercepts that too), using a rogue cert works; thus the
> rogue pinning works as well.

The rogue cert works only if it validates. So the attacker will have to have compromised the CA as well. Besides, one could argue that using a certificate without OCSP or checking the CRL is not "error-free", but that would have to be clarified.

>> Maybe we can mitigate this with a version of this header (or another one)
>> that says "no pins for the next x seconds"
>
> That still doesn't deal with the site that hears about the pinning header
> after the MITM does.

Agree, but it allows me to make my site safe from rogue pinning attacks now.

>> A year from now, "sha-256" is going to be ambiguous. Better to say
>> "sha2-256".
>
> Good point, and one that might be made on the SAAG list as well.

_______________________________________________
websec mailing list
https://www.ietf.org/mailman/listinfo/websec
