"Enforce HTTPS" Field for Domains to Prevent SSL Stripping?

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

"Enforce HTTPS" Field for Domains to Prevent SSL Stripping?

Post by biolizard89 »

Right now, the 2.0 .bit spec allows fingerprints to be specified for SSL/TLS connections, but offers no way to specify that HTTP clients should enforce HTTPS-only connections. As a result, tools like sslstrip can still MITM the websites if the user neglects to type the "https" in the URL bar. The HTTP Strict Transport Security (HSTS) specification attempts to allow servers to specify this, but doesn't protect the initial connection where the HSTS header is sent.

Info on HSTS: https://en.wikipedia.org/wiki/HTTP_Stri ... t_Security

I propose adding a field to the .bit spec which requires conforming HTTP clients to only make HTTPS connections to the .bit domain. I don't think the exact HSTS syntax (where it specifies a period in seconds for which the header is valid) is necessary in .bit, since the HSTS syntax is assuming that the header can't be checked each time a connection is made. (Namecoin cannot be easily MITMed, while HTTP easily can be.) So how about this syntax:

To enforce HTTPS on a domain:

```json
"enforce-https": "true"
```

To not enforce HTTPS (this would be the default):

```json
"enforce-https": "false"
```

To enforce HTTPS on a domain and all subdomains:

```json
"enforce-https": "includeSubDomains"
```

Other suggestions for alternative syntax would be great to hear too.

What do people think of this proposal?
Jeremy Rand, Lead Namecoin Application Engineer
NameID: id/jeremy
DyName: Dynamic DNS update client for .bit domains.

Donations: BTC 1EcUWRa9H6ZuWPkF3BDj6k4k1vCgv41ab8 ; NMC NFqbaS7ReiQ9MBmsowwcDSmp4iDznjmEh5

phelix
Posts: 1634
Joined: Thu Aug 18, 2011 6:59 am

Re: "Enforce HTTPS" Field for Domains to Prevent SSL Strippi

Post by phelix »

Is this obsolete now with the new TLS implementation or not?
nx.bit - some namecoin stats
nf.bit - shortcut to this forum

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: "Enforce HTTPS" Field for Domains to Prevent SSL Strippi

Post by biolizard89 »

phelix wrote:Is this obsolete now with the new TLS implementation or not?
It is not obsolete; even with the TLS implementation a user could forget to type "https" and be subject to an sslstrip attack. I think the proposal outlined in the original post should still be adopted.

phelix
Posts: 1634
Joined: Thu Aug 18, 2011 6:59 am

Re: "Enforce HTTPS" Field for Domains to Prevent SSL Strippi

Post by phelix »

biolizard89 wrote:
phelix wrote:Is this obsolete now with the new TLS implementation or not?
It is not obsolete; even with the TLS implementation a user could forget to type "https" and be subject to an sslstrip attack. I think the proposal outlined in the original post should still be adopted.
ok and +1 (maybe a little shorter)

khal
Site Admin
Posts: 708
Joined: Mon May 09, 2011 5:09 pm
os: linux

Re: "Enforce HTTPS" Field for Domains to Prevent SSL Strippi

Post by khal »

It is an interesting feature that will have even more value in namecoin (if you use a proxy like Convergence, for example), because the proxy can block the http request (locally) or redirect to https, and no clear request has gone through the internet at all.

I would like to rename "fingerprint" to "sha1" too (because other checksums can be used for more reliability [Firefox also displays the md5, huhu]), and put this in a "https" record.

Something like this:

```json
{
  "ip": "xx.xx.xx.xx",
  "https":
  {
    "sha1": "xx:xx:xx:xx:xx:xx.../xxxxxxxxxxxx...",
    "enforce": "self/*"
  }
}
```
NamecoinID: id/khal
GPG : 9CC5B92E965D69A9
NMC: N1KHAL5C1CRzy58NdJwp1tbLze3XrkFxx9
BTC: 1KHAL8bUjnkMRMg9yd2dNrYnJgZGH8Nj6T

Register Namecoin domains with BTC
My bitcoin Identity - Send messages to bitcoin users
Charity Ad - Make a good deed without paying a cent
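How a .bit-aware HTTP client could act on either syntax discussed above (the flat "enforce-https" field from the original post and the nested "https"/"enforce" record in the reply), as an added example that is not code from the thread or from Namecoin. It assumes the "d/" name prefix for .bit domains, that "true"/"self" cover the domain only while "includeSubDomains"/"self/*" also cover subdomains, and uses constructed name values in place of a real chain lookup.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample name values (not real chain data). Namecoin stores
# example.bit under the name "d/example"; both syntaxes from the thread appear.
SAMPLE_NAMES = {
    "d/example": json.dumps({"ip": "192.0.2.10", "enforce-https": "true"}),
    "d/wiki": json.dumps({"ip": "192.0.2.11", "enforce-https": "includeSubDomains"}),
    "d/plain": json.dumps({"ip": "192.0.2.12", "enforce-https": "false"}),
    "d/khal": json.dumps({"ip": "192.0.2.13",
                          "https": {"sha1": "xx:xx:xx", "enforce": "self/*"}}),
}

def lookup(name):
    """Stand-in for a name_show lookup against a Namecoin node (assumed)."""
    return SAMPLE_NAMES.get(name)

def https_policy(value):
    """Parse a name value into (enforce, include_subdomains).
    Assumed semantics: "true"/"self" cover the domain itself,
    "includeSubDomains"/"self/*" also cover subdomains; anything else is off."""
    data = json.loads(value)
    if "https" in data:                            # nested "https" record
        mode = data["https"].get("enforce", "")
    else:                                          # original flat field
        mode = data.get("enforce-https", "false")
    if mode in ("true", "self"):
        return True, False
    if mode in ("includeSubDomains", "self/*"):
        return True, True
    return False, False

def upgrade_url(url, resolve=lookup):
    """Rewrite http:// to https:// when the .bit name's policy requires it.
    The policy comes from the name value, read before any cleartext request
    is sent, so there is no first-visit HTTP round trip for sslstrip to hit."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "http" or not host.endswith(".bit"):
        return url
    labels = host[:-len(".bit")].split(".")
    value = resolve("d/" + labels[-1])
    if value is None:
        return url
    enforce, include_sub = https_policy(value)
    is_subdomain = len(labels) > 1
    if enforce and (include_sub or not is_subdomain):
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url
```

Unlike HSTS, the decision never depends on a header the server had to deliver on an earlier visit; a proxy such as the one mentioned above could apply the same check and refuse to emit the plain request at all.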

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: "Enforce HTTPS" Field for Domains to Prevent SSL Strippi

Post by biolizard89 »

khal wrote:It is an interesting feature that will have even more value in namecoin (if you use a proxy like Convergence, for example), because the proxy can block the http request (locally) or redirect to https, and no clear request has gone through the internet at all.

I would like to rename "fingerprint" to "sha1" too (because other checksums can be used for more reliability [Firefox also displays the md5, huhu]), and put this in a "https" record.

Something like this:

```json
{
  "ip": "xx.xx.xx.xx",
  "https":
  {
    "sha1": "xx:xx:xx:xx:xx:xx.../xxxxxxxxxxxx...",
    "enforce": "self/*"
  }
}
```
I think "tls" would be a better name for the record than "https" because the fingerprint could be for a TLS-secured protocol other than HTTPS. For example, I could imagine using this for SSH connections. Other than that, I think your modifications would be an improvement.

khal
Site Admin
Posts: 708
Joined: Mon May 09, 2011 5:09 pm
os: linux

Re: "Enforce HTTPS" Field for Domains to Prevent SSL Strippi

Post by khal »

I've added the "tls" record in the spec (last one) and marked "fingerprint" as deprecated:
https://dot-bit.org/Namespace:Domain_na ... alue_field

Does it seem ok to you?

moa
Posts: 255
Joined: Mon May 23, 2011 6:13 am

Re: "Enforce HTTPS" Field for Domains to Prevent SSL Strippi

Post by moa »

"tls" is good.

It is interesting to read this in the wiki for HSTS and realise how NMCSEC (which is what I call TLS for namecoin), as opposed to DNSSEC, is the superior solution ...
Applicability

The most important security vulnerability that HSTS can fix is SSL-stripping man-in-the-middle attacks, first introduced by Moxie Marlinspike in his 2009 BlackHat Federal talk "New Tricks For Defeating SSL In Practice."[16] The SSL stripping attack works (on both SSL and TLS) by transparently converting a secure HTTPS connection into a plain HTTP connection. The user can see that the connection is insecure, but crucially there is no way of knowing whether the connection should be secure. Many websites do not use TLS/SSL, therefore there is no way of knowing (without prior knowledge) whether the use of plain HTTP is due to an attack, or simply because the website hasn't implemented TLS/SSL. Additionally, no warnings are presented to the user during the downgrade process, making the attack fairly subtle to all but the most vigilant. Marlinspike's sslstrip tool fully automates the attack.

HSTS addresses this problem[15] by informing the browser that connections to the site should always use TLS/SSL. The HSTS header can be stripped by the attacker if this is the user's first visit. The Chrome browser attempts to limit this problem by including a "pre-loaded" list of HSTS sites.[17] Unfortunately this solution cannot scale to include all websites on the internet; a potential solution might be achieved by using DNS records to declare HSTS Policy, and accessing them securely via DNSSEC, optionally with certificate fingerprints to ensure validity (although DNSSEC will have secure last mile issues for the foreseeable future[18]).[19] HSTS can also help to prevent having one's cookie-based website login credentials stolen by widely available tools such as Firesheep.[20]
https://en.wikipedia.org/wiki/HTTP_Stri ... t_Security

biolizard89
Posts: 2001
Joined: Tue Jun 05, 2012 6:25 am
os: linux

Re: "Enforce HTTPS" Field for Domains to Prevent SSL Strippi

Post by biolizard89 »

@khal: yep, looks good to me.

@moa: yeah, DNSSEC is a joke in my opinion (and in the opinion of a lot of security experts who know far more than I do). It's great to be able to participate in Namecoin and know that we're on the frontier of making the Internet a better, more secure place. :)

Luke-Jr
Posts: 13
Joined: Wed Aug 10, 2011 3:33 am
os: linux

Re: "Enforce HTTPS" Field for Domains to Prevent SSL Strippi

Post by Luke-Jr »

I dislike the idea of assuming domains are only for webserving.
Can this be made generic?
