On Fri, Apr 5, 2013 at 1:48 AM, Yoav Nir <[email protected]> wrote: > > On Apr 5, 2013, at 10:03 AM, Trevor Perrin <[email protected]> wrote: > >> On Fri, Mar 29, 2013 at 7:05 PM, Yoav Nir <[email protected]> wrote: >>> >>> Getting back to the subject of the thread, I still don't see the difference >>> for a site operator between being bricked for 60 days and being bricked for >>> a year. For an only retailer it's catastrophe either way. >> >> >> Hi Yoav, >> >> There are other things to consider when thinking about pin lifetimes: >> >> - Suppose a site foolishly sets a year-long pin to keys that will be >> expired in 6 months. A client who receives this pin and then visits >> the site 6 months later will perceive that the site is bricked for the >> next 6 months. > > True. At least in the case of certificates, there was some discussion of > capping the maximum noted age to the expiration time of the certificate for > that connection. This is not a complete solution, though, because there is > some period of time (perhaps 1-2 weeks) where the site operator has a new, > valid certificate, but the old one hasn't expired yet.
That also means that if a site uses short-lived or soon-to-expire certificates the pin lifetime could get badly truncated, so that's not a great idea. Anyways, expiration is just one way the above problem could happen. Imagine that you mistakenly set a year-long pin to CA keys that your CA is going to roll / phase-out in 6 months. Same problem. Capping pin lifetimes means less risk of this occurring. > A backup pin should work, as I believe the common practice would be to use > the backup pin in the following certificate request. And backup pins are > mandatory according to the draft. Backup pin don't solve this problem. Backup keys can be revoked / expired / rolled / lost like other keys. >> - Suppose a site has a year-long pin to a set of end-entity keys. >> Suppose these keys are compromised by a hacker. For the next year, >> the site will be unable to change keys to re-establish security >> without a risk of "bricking" the site for clients with the old pin. > > And that is why the draft now requires backup pins. At least, it's one reason. No, I'm describing the scenario where ALL your pinned keys, including "backup pins", were compromised. Maybe you were keeping all your pinned end-entity keys in an offline laptop which was stolen. Maybe you were pinning yourself exclusively to CAs operated by a single commercial entity (e.g. Symantec), and you lose trust in this entity. In these scenarios, you are "locked-in" and prevented from key changes during the pin lifetime. >> - Suppose you purchase a domain name. The previous owner may have >> set long-term pins, meaning the name is not fully usable until these >> expire. > > Yeah, that's bad. Even worse is if an attacker manages to get a CA to issue > them a valid certificate. Users now note pins that match the bad certificate, > and they can be blocked from going to the real site for some time. Yes that's what I'm describing. > HPKP protects against exactly this attack No, HPKP or any dynamic-pinning method *CAUSES* this attack, by allowing the previous owner of any domain name to acquire a certificate, then use it to set pins. > I think it's clear that HPKP (much like HSTS) is a gun with which site > operators can easily shoot themselves (or their users) in the foot. The risks and issues around key-pinning lifetimes are completely different from HSTS. HSTS cannot make it impossible for a site to be reached, or lock you into insecure keys. > There has to be a certain level of competence and responsibility to make use > of these mechanisms. They should not be used lightly. Please note that dynamic pinning creates risks for the entire web by virtue of existing. If 1/1000 websites "opt-in" to a key pinning mechanism, the remaining 999 are still exposed to the risk that their DNS name could be hijacked and a bad pin could be set. And anyone who purchases or acquires a domain name is still exposed to the risk that it could come with an unpleasant "pinning" surprise. >OTOH I don't think we should bind the hands of administrators who do choose to >use it. Long-lived pins are *more* likely to bind the hands of administrators than short-lived, which is why I think pin lifetimes should be strictly limited. Trevor _______________________________________________ websec mailing list [email protected] https://www.ietf.org/mailman/listinfo/websec
