2013-12-13 IRC conversation

_hc any thoughts on the validation order? pin --> tofu vs. tofu --> pin

_hc sounds like you got the CN=IP stuff figured out too :-D

pd0x Yup! Without having to do anything scary like implement my own hostname validation

pd0x I think that pin's should override tofu

_hc what do you use as the CN then?

pd0x the CN is still the IP (to make browsers happy). I had to add a SubjectAltName extension to the cert that also has the IP

_hc right, the grand plan we discussed pin --> tofu --> CA --> prompt

pd0x You can specify an IP type for the SAN and that was enough to make things happy

_hc does MTM/tofu check the cert or the key?

pd0x hc I'm looking at the code now. It checks whether the Certificate is in the MTM keystore to decide if it's seen it before.

pd0x So it's based on the whole cert (which matches what I see with Kerplapp)

_hc but the pinning is based on the key?

pd0x if your IP changes the Kerplapp keypair will be the same but the cert will be regenerated with the new CN & SAN

pd0x and MTM prompts twice

pd0x Yes, pinning is based on the key

pd0x So if you pinned the Kerplapp keypair it wouldn't prompt for any of the certs, despite IP changes

_hc even though it checks MTM then pinning?

pd0x Yah, MTM will say "Do I have this cert in my keystore?" the answer will be no if the IP changed, then it will go to Pinning trust manager which will say "Ah, I have a pin for the SPKI on this cert" and it will work transparently

_hc I see

pd0x hmm, so it's really tofu -> pin -> CA -> prompt I suppose

pd0x since if tofu hsa a memory of the cert it'll accept it before the pin

pd0x I can't decide if that's a problem or not

pd0x the cert memory is more specific than the pin (in that it trusts an exact certificate memory and not any cert with the right SPKI)

pd0x and in theory if there was a pin appropriate for the memorized cert it would have used that on first decision and not the memorizing trust manager

pd0x so there should never BE a stored TOFU'd memory for a cert that we knew a pin for

pd0x because the Pinning manager will OK the cert before prompt to memorize

_hc I think the grand plan would be* pin-cert --> tofu-cert --> pin-key --> tofu-key --> CA --> prompt

_hc so what you added to fdroid is a version of that with pin-cert and tofu-key removed

_hc or maybe the tofu-key step is pointless

pd0x I'm not sure it buys much and will be a complicated thing to explain in a prompt to a user

pd0x "Trust the key or trust the certificate?"

_hc tofu-key might make it too complicated

pd0x Do you think we need pin-cert either? That's basically the same as tofu-cert except it allows for preloading the trust

pd0x and we can already preload the trust by key instead of cert

_hc I think pin-cert would be useful

pd0x using AndroidPinning

_hc but lots of people are lazy about https keys, because they don't really matter that much in the CA model

pd0x You think there are cases where we want to pin to a very precise cert and not the pub key?

_hc in the CA model, the signed cert is what's important

pd0x I see pins as things you mostly ship statically with a build and so you want them to be flexible enough to live through standard SSL lifecycle stuff like renewing a cert with the same keypair but a new expiry

_hc I think that people should only pin the key if they know that means they have to treat the key in a full paranoid way

_hc yes, that's true

pd0x I think we're on the right path anyway :-) maybe we should try to get this workflow merged before we add more complication to justify

_hc pin-cert means you can be lazier about the signing key, but have to be good about client/cert/pin updates

pd0x yeah, it's a trade-off

_hc pin-key means you can be lazy about cert/client updates, but have to good about protecting the ky

pd0x but you need to be good about protecting the key if you want to be able to trust the cert pin too

_hc but since pins are done by devs, and affect the dev mostly, I think we can have both in the framework, and have the tradeoffs documened

pd0x if I can steal the private key I can use the pinned cert just as easily as I can generate a new cert with the same key

_hc if someone gets the key, they can't easily get the cert they generate also signed by the CA

pd0x they don't need to though

_hc but if there is no CA in the picture, and everything that comes from that key is trusted, then the key becomes everthing

pd0x with the private key they can offer the certificate you already got signed & prove knowledge of the corresponding priv key

pd0x there isn't a need to get another cert generated/signed

pd0x if the priv key is compromised it doesn't matter if you pinned the cert or the pub key

pd0x You're equally hosed

_hc but that cert would only work for the pre-registreed domains

pd0x that's true

_hc so you need to either pwn the key and server, which are the same thing, or pwn the key and CA

pd0x hmm

pd0x or pwn the key & MITM?

_hc if you get the server, the key is on that server, and you could get the pw from RAM

pd0x you just need to get in the path of traffic from alice to bob and can use your stolen private key & the public cert signed by the CA to transparently MITM

_hc unless the server has the key on a smartcard

_hc then tey can get the pin but not the private key

pd0x hmmmmmmmmmmm

_hc hmm

_hc so if you have the private key, you can MITM? how would that work? the cert validation would fail

pd0x Why would it?

_hc as far as I understand it, HTTPS ensures you're only talking to the host that's specified in the cert

pd0x Alice attempts to connect to https://guardianproject.org/fdroid/repo and I MITM a response that offers the valid CA signed cert that the real repo would use. I have the private key that corrsponds to the public key in the certificate so I can perform the standard handshakes and everything will proceed identically to the real host

_hc if you have the private key, I suppose you could decrypt the traffic, but not inject

pd0x it ensures the hostname you connect to matches the one in the cert

pd0x Maybe I'm wrong and missing something fundamental? Haven't had much coffee today lol

*13:20

_hc so if you have control of the client's DNS and you have the server's private key, then you can MITM

pd0x I don't think you need control of the client DNS. That would let you change things so Alice connects directly to Mallory instead of Bob. I think you could also do this by being able to manipulate traffic between Alice and Bob

_hc if you have access to the traffic, you could modify the traffic I suppose

pd0x Alice detects that they are talking directly to Bob and there isn't a Mallory in between on the basis of the HTTPS certificate

pd0x with the private key corresponding to that certificate's public key you can provide Alice all the same assurances they are talking to Bob

pd0x You effectively ARE Bob with possession of Bob's private key

_hc except for the CA sig

pd0x which is on the certificate that you provide

pd0x You can take the byte for byte identical certificate chain offered by the real Bob and provide it as your own

_hc a new cert, or the original one

pd0x What prevents you from doing that normally is that you need to also have possession of the private key to use it in SSL negotiation

_hc to do that, you'd have to change the clients mapping of hostname to IP

pd0x not if you're injecting traffic in the conversation between Alice and Bob's IP

_hc yes, if you have the server private key, and router-level access to their traffic, you could modify the traffic

_hc without changing the IP

pd0x Right, that's what I'm saying

pd0x and pinning to the whole cert, or the public key doesn't change the outcome

_hc I don't know if I'd call that a MITM since there is no redirection

pd0x fair

pd0x have I convinced you that adding cert-pinning isn't a meaningful addition?

_hc yeah, pinning certs would give only a little bit of extra protection at a higher risk of usability penalty

_hc pinning certs would help with the situation where someone got the private key, but didn't pwn the server

_hc so I guess its something like tofu-cert --> pin-key --> CA --> prompt

_hc but then the question is* do you tofu the cert after its been verified by pin-key?

_hc probably not

pd0x Nope

_hc then it shouldn't it be pin-key --> tofu-cert --> CA --> prompt

_hc or maybe even* pin-key --> tofu-key --> tofu-cert --> CA --> prompt, with tofu-key being an "advanced option"

_hc for kerplapp, we'll need tofu-key

_hc but my guess is that most apps will want to tofu-cert

pd0x that's going to take some patches to the Memorizing Trust Manager

_hc Ge0rG was open to that

_hc I think the idea was to start with AndroidPinning and MTM, and make a new lib

pd0x that makes sense

_hc I guess the last question is whether to tofu-key, tofu-cert, or both

Also available in: PDF HTML TXT