Skip to main content

User Agent Connection Security
draft-steckbeck-ua-conn-sec-00

Document Type Active Internet-Draft (individual)
Author David Steckbeck
Last updated 2023-03-12
RFC stream Independent Submission
Intended RFC status Experimental
Formats
Stream ISE state Submission Received
Consensus boilerplate Unknown
Document shepherd (None)
IESG IESG state I-D Exists
Telechat date (None)
Responsible AD (None)
Send notices to (None)
draft-steckbeck-ua-conn-sec-00


Network Working Group                                       D. Steckbeck
Internet-Draft                                                      
Intended Status: Standards Track
Category: Experimental                                        March 2023

                    User Agent Connection Security
                  draft-steckbeck-ua-conn-sec-00.txt

Abstract

   The user agent to server transaction has many attack surfaces which
   have been defended by various recommendations such as Content 
   Security Policy. An attack vector that is currently exploited is the 
   open connection policy to first, second- and third-party resources.
   A breach of the origin website or other connected resource could 
   require the client to load resources from a malicious network. This 
   document provides a framework which allows authors to publish 
   authorized connectable second- and third-party resources that a user 
   agent should or must follow depending on configuration of that user 
   agent.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering 
   Task Force (IETF), its areas, and its working groups.  Note that 
   other groups may also distribute working documents as 
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on September 13 2023.

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction
      1.1  Terminology
      1.2  Applicability
   2  Conventions used in this document
      2.1  DNS Entries published
         2.1.1  Single site and domain example
         2.1.2  Multiple sites and domain example
         2.1.3  Wildcards
   3  Security Considerations
   4  IANA Considerations
   5  References
      5.1  Normative References
   6  Acknowledgments

1  Introduction

   The traditional website model for distributing information has been 
   one of open resource connections. Website authors are in control as
   to how the published resource connections draw upon other resources.

   This model leaves end-users and administrators who require higher
   connection security to either trust the site author implicitly or 
   profile a website and provide connection security through other 
   means.

   Establishing a trust model where all connections are approved by both
   parties, is an additional step in providing a model where users and
   administrators can be assured the website they are using is making
   author-verified connections to second- and third-parties.

   This document covers an implementation for website authors to
   indicate a validation method of second- and third-party resources 
   and a strict or compatible model for browser owners to enforce 
   depending on their security requirements.

1.1 Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   The term "researcher" corresponds to the terms "finder" and
   "reporter" in [ISO.29147.2018] and [CERT.CVD].  The term
   "organization" corresponds to the term "vendor" in [ISO.29147.2018]
   and [CERT.CVD].

1.2 Applicability

   This document covers a method of actions user-agents and website
   authors should implement to enhance security. 

2  Conventions used in this document

   First-party connections are those created to the same host listed
   in the URL.

   Second-party connections are those created to other hosts using the
   same top level domain.

   Third-party connections are those to a host with a different host
   listed in the URL.

2.1 DNS Entries published

   The DNS entry is a TXT record which was proposed in [RFC1464]. The
   format of the record begins with uacs=1; and an optional host= 
   identifier, if the domain serves multiple hostnames which require
   user-agent connection security. 

   Every semi-colon separated entry after it must be a [RFC1123]
   and [RFC4343] formatted host identifier.

   Length

2.1.1 Single site and domain example

   An example record for a single website hosted from a domain:

   uacs=1;host.example1.com;*.example2.com;zzz.example-cloud-network.net

2.1.2 Multiple sites and domain example

   If a domain serves multiple websites requiring user-agent connection
   security, these records MUST be broken up into separate TXT records
   with an identifying host tag:

   uacs=1;host=website1.example.com;host.example1.com;*.example2.com
   uacs=1;host=website2.example.com;host.example1.com;*.example2.com

   Hostname entries are separated by semicolons and no spaces. Where
   characters have case representations, all characters should be in
   lower case versions.

2.1.3 Wildcards

   Wildcards are allowed to reduce record sizes and client processing
   time, for example a website hosted at example1.com can include
   resources from *.example2.com in order to accommodate changes
   example2.com may publish to their service.

   The wildcard MUST be interpreted as meaning 0 or more characters. 

   Caution should be used when using wildcards with services that
   publish random hostnames for customers since site authors may not
   intend for data from other customers to be referenced. For example,
   a content distribution network may create content access URIs such
   as 123456.example.net for every customer. A wildcard against this
   network would grant resource load opportunities for any non-related
   customers of that service.

   Only one uacs= and one host= are allowed per TXT record.

2.2 User-Agent Requests

   User-Agents SHOULD include the TXT record request at the time of the
   DNS request to resolve the host name, should subsequently send the
   request to retrieve the uacs= TXT record prior to processing any
   further connection requests other than the initial resource request.

2.3 Caching

   User-Agents SHOULD follow their normal caching rules for the TXT
   records request.

2.4 User-Agent Enforcement Modes

   Compatible, Compliant, Strict

2.4.1 Compatible mode

   Compatible mode is included as a transition option. This mode
   indicates the user-agent SHOULD NOT enforce any uacs entries.

2.4.2 Compliant mode

   Compliant mode indicates the user-agent MUST process and follow the
   rules identified by a website author.

2.4.3 Strict mode

   Strict mode indicates the user-agent should not connect to any
   resources beyond the domain.

2.5 Record Size

   Published records SHOULD be limited to fit within the 512 octet
   limit. If not, it could exceed the DNS protocol limit. For further
   details on the technical details, please see [RFC7208] section 3.4
   entitled Record Size and [RFC2181] section 11 entitled Name Syntax.
   It is RECOMMENDED to follow these directions.

3  Security Considerations

3.1 Sensible initial defaults

   The initial compatible user agent mode was chosen as a lead in order
   to provide a path for adoption due to this RFC requiring changes
   from both website operators and developers of user-agents.

3.2 DNS TXT versus a text file

   The DNS TXT entry was chosen after working through a model with a
   plain text file, similar to security.txt or a robots.txt file. After
   consideration, one of the defensive tactics for UACS is to protect a
   client against a server compromise attack in which a text file could
   be replaced by an attacker. Having the approved connections list
   separate provides an additional layer of defense.

3.3 Misconfigurations

   It is possible to configure the connection host entries too
   inclusively thereby allowing connections to unintended hosts and
   degrading the security posture this RFC is proposing.

3.4 Profiling

   A profile-building model of security is prone to functional deferred
   deprecation upon website updates. For organizations managing security
   profiles, not every security administrator is willing to trust every
   website vendor implicitly, and not every website vendor openly 
   discloses every third-party resource connection. 

   Attacks that leverage injectionable payloads from second- and
   third-party connections require an open connection to an
   attacker-controlled resource. Limiting attacks with connection
   restrictions such as this RFC reduces the available options an
   attacker may use and improves the security posture of the user agent.

4  IANA Considerations

   This draft does not require any IANA action.

5  References

5.1  Normative References

   [RFC1123] Braden, R., "Requirements for Internet Hosts - Application 
             and Support",  RFC 1123, October 1989

   [RFC1464] Rosenbaum, R., "Using the Domain Name System To Store
             Arbitrary String Attributes", RFC 1464,
             DOI 10.17487/RFC1464, May 1993,
             <https://www.rfc-editor.org/rfc/rfc1464>.

   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
             Requirement Levels", BCP 14, RFC 2119,
             DOI 10.17487/RFC2119, March 1997,
             <https://www.rfc-editor.org/info/rfc2119>.

   [RFC2181] Elz, R., "Clarifications to the DNS Specification",  
             RFC 2181, July 1997

   [RFC4343] Eastlake 3rd, D., "Domain Name System (DNS) Case
             Insensitivity Clarification",  RFC 4343, January 2006

   [RFC7208]  Kitterman, S., "Sender Policy Framework (SPF) for
              Authorizing Use of Domains in Email, Version 1", RFC 7208,
              DOI 10.17487/RFC7208, April 2014,
              <https://www.rfc-editor.org/info/rfc7208>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

6  Acknowledgments

   The author would like to thank Steven Hart, Michael J. Cataletto,
   Yulia Slesavara and the many other team members who contributed
   suggestions and edits to help complete this document.
 
   This document was prepared using 2-Word-v2.0.template.dot.

Authors' Addresses

   David Steckbeck
   Email: dsteckbeck@gatech.edu