The IAB agreed to add a tech chat on 21 January 2014 with Hannes Tschofenig on smart objects. Mary Barnes will follow up to invite Hannes, and Cindy Morgan will update the IAB internal calendar.
The IAB approved the minutes of the 7 January 2014 IAB Business Meeting.
Joseph Bonneau joined the IAB to discuss HSTS/key pinning and Advanced HTTPS features.
Slides similar to the ones presented can be found here.
Joseph Bonneau and his graduate student Michael Kranch (also attending) presented research that builds on work done at Google about how secure HTTP is in practice. Joseph reported that there are current crypto flaws in TLS relating to HTTPS and the interface between HTTP and TLS or SSL.
Joseph Bonneau discussed how TLS is faster than certificates for security. He also mentioned that 50% of sites don’t use security via HTTPS at all, and others lack the forward secrecy of private keys. At the HTTPS level, the problems are HTTPS stripping and rogue certificates. Some people have tried to deploy HTTPS but ended up downgrading due to incorrect deployment.
Joseph Bonneau first discussed HTTPS stripping. If a browser tries to access a domain over HTTP, but the domain wants to use HTTPS, there is an automatic redirect. An attacker can use that redirect to change the request, which the user may not notice. HSTS (HTTP Strict Transport Security) is the fix for this type of attack. The Firefox and Chrome browsers have included HSTS in the code, but it does not always extend to subdomains. Joseph mentioned that if a browser successfully connects to the server with HTTPS, the browser will cache that policy. The connection is vulnerable to attack only at initial contact.
Dave Thaler asked if anyone was looking at solving this issue using DNS. Joseph Bonneau replied that it was possibly being investigated in DANE, but he is not certain if the issue is actively being worked on. Eliot Lear mentioned that DANE has a dependency on DNSSEC, although some question how strong that dependency is. Ted Hardie replied that with DNSSEC it isn’t clear whether validation is occurring on the client side or the server side. Brian Trammell asked if this was a bootstrapping mechanism that will disappear eventually. Joseph replied that it wasn’t clear, but only the first connection was vulnerable and most search engines and browsers were preloaded with HTTPS and HSTS.
Joseph Bonneau discussed the second problem, rogue certificates. If the user is trying to connect via HTTPS but an attacker has a valid certificate, they can see everything. Users wouldn’t notice the attack. The key pinning, not certificate pinning, works by setting up a policy for a list of pins interpreted as at least one of the key hashes for that domain. A user can pin to a key in their CA certificate. An attacker with a rogue certificate that cannot come up with a key pin would be rejected even if it is signed by a valid CA. A self-signed certificate would also get rejected, even if it matches a key pin.
Dave Thaler asked why a pinned self-signed certificate would be rejected. Joseph Bonneau mentioned that a user can have an exception to say it doesn’t have to be rejected, but it still needs a valid CA signature. Dave noted that if a pinned server certificate is compromised, the user could be attacked. Joseph agreed.
Joseph Bonneau mentioned that as with HSTS, the user has to specify the hashes of keys, and pin to at least two keys, because if the user relies on only one key and then loses the key pin, the user would be offline. Additionally, if there is a MITM attack on the first connection, the attackers can break the domain, bricking it for the user.
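As an added illustration (not part of the minutes or of the presentation), the following Python models the browser-side behaviour described above: the HSTS upgrade that protects every connection except first contact, the includeSubDomains scope, and pin checking layered on ordinary CA validation with the two-pin (served plus backup) rule. Header values and the SPKI byte strings are constructed placeholders, not real keys.

```python
import base64
import hashlib

# Constructed SubjectPublicKeyInfo stand-ins (real pins hash the DER SPKI of a key).
LEAF_SPKI, CA_SPKI, BACKUP_SPKI, ROGUE_SPKI = (b"leaf", b"intermediate-ca", b"backup", b"rogue")

def parse_directives(header):
    """Parse an HSTS/HPKP header into {lowercase name: [values]} (flag directives map to [""])."""
    out = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            out.setdefault(name.strip().lower(), []).append(value.strip().strip('"'))
    return out

def spki_pin(spki_der):
    """A pin-sha256 value is base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def pin_policy_is_safe(pins, served_chain):
    """Require at least two pins: one matching the served chain and one backup that does not,
    so losing the served key does not take the site offline for clients that cached the pins."""
    served = {spki_pin(s) for s in served_chain}
    return len(pins) >= 2 and any(p in served for p in pins) and any(p not in served for p in pins)

def chain_accepted(chain, ca_validated, pins):
    """Pins are checked on top of CA validation: a CA-valid chain matching no pin is
    rejected, and a self-signed chain is rejected even when its key is pinned."""
    return ca_validated and any(spki_pin(s) in pins for s in chain)

def effective_scheme(host, hsts_cache, requested):
    """HSTS upgrade: with a cached policy for the host (or for a parent with includeSubDomains)
    an http:// request is rewritten to https:// before it leaves the browser; with no cached
    policy (first contact) it goes out as requested and can be stripped."""
    labels = host.split(".")
    for i in range(len(labels)):
        policy = hsts_cache.get(".".join(labels[i:]))
        if policy and (i == 0 or "includesubdomains" in policy):
            return "https"
    return requested

# Policy headers as a server would send them (constructed values).
HSTS = parse_directives("max-age=31536000; includeSubDomains")
HPKP = parse_directives('pin-sha256="%s"; pin-sha256="%s"; max-age=5184000'
                        % (spki_pin(CA_SPKI), spki_pin(BACKUP_SPKI)))
PINS = set(HPKP["pin-sha256"])
```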
Joseph Bonneau reported that HSTS has been in use and accepted by all browsers except IE (he noted that he thinks it will be deployed with IE 12). He further reported that about 12,000 domains are trying to set HSTS, 80% for long terms.
Joseph Bonneau mentioned that preloads of domains are now accepted via a website that will crawl the domain, and if it has implemented HSTS correctly, the domain will be added to the preloads in the browser. Key pinning security growth has been slower. Some domains use HSTS, some use key pinning, some do both. Examples Joseph used included Google, Facebook, and Twitter.
Joseph Bonneau reported that the keepers of the preload lists do not have a process to prune the stale, outdated, or obsolete domains. Only about 1% of the top million Alexa domains are using HSTS, and of those, 6% are HTTPS sites that redirect from HTTP. Possibly the reason is that many web administrators don’t know HSTS is available.
Joseph Bonneau mentioned there were two bugs observed. One was mixed content, where pages that use both HTTPS and HTTP can be attacked by a MITM. In the case of key pinning, the user has the same problem of connecting to HTTPS with a specified resource not from a pinned domain. Most of Twitter can be hijacked by a hacker with a rogue certificate because of this.
Joseph Bonneau said that, due in part to semantic differences between cookie and key pinning policies, it is possible to open a vulnerability that an attacker could take advantage of, and therefore it was important for web developers to take pains to see that policies, particularly regarding subdomains, are consistent. He noted that a major service had already suffered a problem because of this.
Joseph Bonneau concluded by noting that Web security is difficult for users, and spec writers don’t understand the real constraints. The browser preload lists may be updated frequently, but they are just lists.
–Begin ISOC Liaison Report, Mat Ford–
Internet Society Liaison Report to the IAB
14 January 2015
Topics:
I. Internet encryption and traffic management
II. IXP development
III. IXP workshops
IV. United Nations Commission on Science and Technology for Development
V. Organisation for Economic Co-operation and Development
VI. W3C Privacy Interest Group
I. Internet encryption and traffic management
ISOC are working with the IAB and IESG on participating in a GSMA hosted
meeting on impacts of Internet encryption on the mobile environment.
II. IXP development
Equipment has been sent to Thailand to support the soon to be launched
Bangkok National Internet Exchange (BKNIX). The launch is anticipated
for mid-February and the team there is doing an excellent job with
assistance from the community. Cisco, Google, Alcatel and NSRC have all
provided support for this work.
III. IXP workshops
ISOC held a joint IXP workshop in Tunis in collaboration with the ITU’s
Arab regional office and the Arab League. This was the second workshop
held in collaboration with the ITU-D. The meeting brought eight
countries together to discuss best practices and the impact an IXP can
make on local traffic costs and delivery.
IXP workshops are in the planning stages for Montenegro (February) and
South East Asia (June). Joint work will continue between ISOC and LACNIC
to deliver IXP workshops and training in Latin America. Packet Clearing
House (PCH) are supporting this work.
IV. United Nations Commission on Science and Technology for Development
(CSTD)
ISOC submitted its comments on the draft CSTD report on Mapping Internet
public policy issues. This followed consultations with the IAB and other
members of the technical community. A new version of the report will be
discussed in May, at the CSTD meeting. The final version will feed into
the 2015 WSIS 10 year Review process.
V. Organisation for Economic Co-operation and Development (OECD)
The Internet Society led the participation of the Internet technical
advisory committee (ITAC) at the recent OECD meeting week of the
Committee on Digital Economy Policy and its working parties. A large
part of the week was devoted to defining the focus areas and future work
feeding the 2016 OECD Ministerial on the Digital Economy, to be held in
Cancun (Mexico) in late June 2016. ITAC will also have the opportunity
to organise a pre-event at the Ministerial. Work is ongoing on the
review of the OECD Security Guidelines. ITAC also published a new
edition of its newsletter, illustrating positive examples of cooperation
between policymakers and the technical community in the OECD context:
https://storify.com/ITAC/itac-newsletter-n-4-december-2014.
VI. W3C Privacy Interest Group (PING)
PING held its monthly call on 4 December 2014. This call focused on
general design principles for the Web regarding data minimisation and
identifiers, as well as a discussion of the recent Article 29 Working
Party Opinion regarding device fingerprinting. The next call will be on
15 January 2015. PING will be discussing the draft TAG finding on
Securing the Web. Link to call summary:
http://lists.w3.org/Archives/Public/public-privacy/2014OctDec/0043.html
–End ISOC Liaison Report, Mat Ford–
–Begin IESG Liaison Report, Alissa Cooper–
Recent new working groups:
None
Recently rechartered working groups:
- IP Security Maintenance and Extensions (ipsecme)
Current new chartering:
- "Archive" Top-Level Media Type (arcmedia) [Internal review]
- Domain Boundaries (dbound) [Internal review]
Current rechartering:
None
Pending rechartering:
None
Recently closed working groups:
None
Personnel changes:
- James Polk has stepped down as co-chair of TSVWG.
- Alfred Hönes has been replaced by Melinda Shore as co-chair of
URNBIS.
- Jouni Korhonen has been replaced by Lionel Morand as co-chair of
RADEXT.
- Ralph Droms stepped down as 6lo co-chair and resumed his role as 6lo
Technical Adviser.
- Gabriel Montenegro was appointed as 6lo co-chair.
- James Woodyatt was appointed as 6lo WG secretary.
- Ted Lemon became responsible AD for ANIMA.
- Joel Jaeggli became responsible AD for OPSAWG.
- Alissa Cooper became responsible AD for LMAP.
- Kathleen Moriarty became responsible AD for RADEXT and DIME.
–End IESG Liaison Report, Alissa Cooper–
–Begin IRTF Chair Report, Lars Eggert–
- ICNRG having interim at Cisco in Boston Jan 13-14 (right now)
- Proposed NFVRG has been asking for formal chartering; charter is
finalized. Discussing this with the IAB (and IESG, due to NFV being
actively standardized elsewhere).
- Am cautiously optimistic that the CFRG has cut the Gordian knot in
terms of a recommendation to the TLS WG on curves.
- Ongoing discussion with ACM SIGCOMM on a SIGCOMM/IRTF workshop on
Internet measurements on the Saturday before the Yokohama IETF (i.e.,
directly after ACM IMC in Tokyo).
- Announced ANRP winner for IETF-92 (topic is NFV, FWIW)
–End IRTF Chair Report, Lars Eggert–
–Begin ICANN Liaison Report, Jonne Soininen–
I. Public Comments needing attention (only highlights)
=======================================================
(All public comment processes:
https://www.icann.org/public-comments#open-public)
IDN TLD Program - Label Generation Ruleset (LGR) Tool Project (P1) - LGR
Tool Set Specifications Now Open for Public Comment
(https://www.icann.org/public-comments/idn-lgr-2014-12-03-en)
Reply period closes: 23 Jan 2015
II. Upcoming topics that could be relevant
===========================================
Cross Community Working Group (CWG) on Naming Related Functions Draft
Transition proposal
The CWG published its report and the comment period for the report has
now closed. The CWG is now contemplating how to move forward with their
proposal. There seems to be a need by some parties to link the ICANN
accountability question to the IANA stewardship transition question.
These two issues should really not be coupled together. However, if
there is consensus to go forward with the approach coupling
accountability together with the IANA stewardship transition this might
impact the naming community timelines.
III. (If relevant) upcoming meeting topics of importance
=========================================================
The next ICANN meeting is February 8-12th, 2015 in Singapore.
–End ICANN Liaison Report, Jonne Soininen–
–Begin IANA Liaison Report, Michelle Cotton–
IANA Liaison Report – 14 January 2015
2014 SLA Deliverables Update:
- ICANN met 100% of processing goal times for the November 2014 monthly
statistics, exceeding the SLA goal to meet 90% of processing goal
times. These times include the steps that the IANA Department has
control over and not time it is waiting on requesters, document
authors or other experts.
- The deliverable for the review of protocol parameters by third-party
auditors is in process. The third-party reviewers (PWC) are
completing their final tests. The report will be available by March
30, 2015.
- The Draft Supplemental Agreement for 2015 continues to be revised and
discussed.
Other News:
- The request for the addition of as112.arpa is in process. The IAB
has approved the request. The request should be completed soon.
- The IANA Department Customer Satisfaction Survey for 2014 is now
available at
http://www.iana.org/reports/2014/customer-survey-20141217.pdf
–End IANA Liaison Report, Michelle Cotton–
–Begin RFC Editor Liaison Report, Heather Flanagan–
RSE Report
* Format update
Several draft updates are expected this month, including a revision to
the xml2rfc v3 draft, the framework draft, and the plain-text draft. A
new draft with precise examples of how the
vocabulary should work is also in progress, and with that new draft and
the updates to the existing drafts as mentioned, the Tools Team will be
ready for the next step to release the proposed Statements of Work out
to community comment.
The xml2rfc v2 draft has also been submitted into
the Datatracker as an IAB stream document. There is one complex action
item to complete regarding crefs; Julian Reschke is testing how the
current vocabulary behaves in order to complete that one item. At that
point, the document will be ready to continue the publication process.
* DOI update
John Levine, Heather Flanagan, and the RPC team (Sandy Ginoza, Alice
Russo, and Priyanka Narkar) are having a kick-off meeting on 16 January
2015 to discuss the next steps for the DOI project. The coding work
involves both the interface to CrossRef to register the DOIs as well as
the interface to the RPC system so that the identifiers are created
automatically at time of publication.
Heather Flanagan submitted the CrossRef application at the beginning of
the month as the administrative part of the project. She is waiting to
hear back from CrossRef (expected the week of 12 January 2015).
* Participation as an Invited Expert in the W3C Digital Publishing
Interest Group
Heather Flanagan was invited to participate as an Invited Expert in the
W3C's Digital Publishing Interest Group <http://www.w3.org/dpub/IG/wiki/Main_Page>.
This involvement should provide useful material to the RFC
format project, as well as being generally useful to the e-publishing
community.
* Errata System Design Team
Heather Flanagan is kicking off a new design team to discuss the errata
system and how to make it more efficient for approvers, implementors,
authors, and submitters. Participants include Joel Jaeggli, Stephen
Farrell, Barry Leiba, Pete Resnick, Ted Lemon, Mark Nottingham, Nevil
Brownlee, Robert Sparks, Sandy Ginoza, and Heather Flanagan. More
information is available on the RSE wiki at
<https://www.rfc-editor.org/rse/wiki/doku.php?id=erratasystem:start>
RPC Update
* SLA - see http://www.rfc-editor.org/reports
- From the notes: Having met the SLA in December, the RPC had a
successful Q4. The table shows the impact of the increased number of
documents entering the queue (both newly approved and those released
from MISSREF) earlier in the year, and the RPC's recovery throughout the
remainder of the year.
* The current queue is seeing a larger number of clusters than usual,
each with a higher number of average pages per document. Examples
include the NFS, BLISS, and WEIRDS clusters. The list of active
clusters is available off of the RFC Editor website:
http://www.rfc-editor.org/all_clusters.php
* Published 327 RFCs in 2014 - This past year saw an increase of 50
documents published over the stats for 2013, putting us back up near the
high points hit in 2010 through 2012. See
http://www.rfc-editor.org/num_rfc_year.html for the annual publication
count back through the start of the Series.
* RFC Editor F2F meeting in Seattle - Sandy Ginoza, Alice Russo, Lisa
Winkler, and Heather Flanagan will be holding a two-day meeting in
Seattle to discuss 2015 and 2016 priorities and review plans for the
upcoming year.
–End RFC Editor Liaison Report, Heather Flanagan–
The IAB briefly discussed the Technical Plenary for IETF 92. As the IAB has not received a response from Shafi Goldwasser, the IAB has decided to pursue other options for IETF 92.
Russ Housley asked Program Leads to let him know if they will need agenda time at IETF 92.
Joel Halpern, who was not on the teleconference, was recused from the discussion. In accordance with RFC 2850, Jari Arkko left the teleconference. The IAB confirmed the IESG slate presented by NomCom in an executive session.