Verify "ownership" when generating include-subdomain reports #74
Comments
|
RFC 1918 may be one scope, but more broadly, this is related to bypassing the origin-based model (via includeSubDomains). If this was scoped to an origin, this would not be an issue either. If we're going to expand past an origin, is there an opportunity for a CORS-like consent model? Are there other places where the lack of following the Same Origin Policy going to bite us? |
|
Is this different from how you can use the load and error events on image/iframe/script for the same purpose? (Edit: to be clear, origin-scoping for new features is a Good Thing, even if old features are improperly secure. I'm just a bit curious about the actual attack, as the blink-dev post seems very similar to what's already possible. If the answer is, "they're the same", then we should probably still restrict!) |
|
I suppose NEL reports have more information than load and error events. |
|
Transcribing the example from the blink-dev thread:
End result: Alice has been able to perform a port scan of Bob's internal network by convincing him to access a web page. |
As @flano-yuki points out, if you don't care about the differences between e.g. "connection refused" and "connection reset", then it's equivalent to what you can do with load/error events — with the caveat that the NEL stack in the browser would take care of collecting and uploading the reports for you. |
|
I agree with @sleevi that blocking reports about private addresses wouldn't be enough (and in the IPv6 case, might be hard to even define), and that the real issue is the cross-origin NEL configuration. That is, in the example above, Alice can install a NEL configuration for Complicating the issue is that we want that permission to extend to future requests to |
A couple of options for this that I can think of:
|
So, there's several edge cases that would have to be thought through:
For both 1 and 2, it seems like it's going to have a TOCTOU issue if we're allowed to report on connection establishment, and because of that, at risk for things like DNS rebinding? |
|
I'm somewhat surprised we're exposing these network errors at all given that so far we have resisted exposing them in what is supposed to be the primitive, fetch. Should we not first figure out if we can reasonably expose them there? |
Exposing them in fetch would expose the errors to the requestor, while exposing them via NEL should only expose them to the requestee. (Or at least, that's the intent!) |
Ha, blerp blorp, yes it is! Not enough ☕ today |
You'd need something like CORS's
I would suggest that we'd err on the side of being conservative, and not generate reports for those kinds of requests. There's always the fallback of serving the full NEL policy from both domain + subdomain.
This part isn't specific to the cross-origin example, I think. You could do a DNS rebinding attack like this just using a regular NEL policy on |
dcreager
changed the title
How does this difference matter for same-origin requests? |
It wouldn't. Is the pushback on the fetch side just for cross-origin requests or for both? (Also, is whatwg/fetch#526 where the discussion is happening on the fetch side? I agree with you that whatever we decide should be consistent. And ideally, if it's resolved by fetch defining specific error conditions that are returned via the API, NEL would use those directly instead of defining its own set of error codes.) |
|
It's for both, as thus far we don't expose any errors (I realize the Performance WG has nevertheless exposed some errors (or at least timing, per https://w3c.github.io/resource-timing/), but none of that is grounded in formalized primitives). E.g., you don't get to know whether there is a strict CSP policy, you're offline, or the server is offline via fetch. |
Note that NEL errors wouldn't be visible to JavaScript, regardless of whether the request is same-origin or cross-origin. The Reporting API has a JavaScript observer mechanism now, but the plan is that NEL reports will be explicitly marked as not observable. The NEL reports would only be visible to the owner of the origin being requested (or to the third-party collector that they designate in their NEL policy). |
|
It's also worth calling out an important monitoring use case that we'd lose if we require something CORS-like for subdomain reports: DNS misconfiguration. You own the DNS tree rooted at That use case was a primary motivator behind Another option (which I'm not sure yet if I like) is that an Thoughts? |
|
Do you also get these error reports if it's not the user, but if it's You could imagine an attacker finding an XSS at We also tend to regret it or find unexpected attacks when things cross the origin boundary. |
|
I don't think XSS applies here since NEL reports are not observable, and are never visible in JavaScript. Only the server (or its designated collector) gets to see the report, regardless of if the request is cross-origin or same-origin, and regardless of it's a user-driven or script-driven request. Just like how only the server that would get to see an entry in |
|
Yeah, but are we sure we'll never change our mind on that and not forget about the invariant? (The remaining arguments still apply, too.) |
|
I need to add the text that says that NEL isn’t observable (observers are a recent addition to Reporting). I could include text explaining the rationale, would that work? |
|
That would potentially address some of the concerns (such an invariant is hard to maintain over long periods of time); it doesn't address bypassing the same-origin policy. (The same-origin policy itself is a good example of an invariant folks keep trying to poke holes through and we tend to regret that later whenever it's done.) |
|
The problem here is that an attacker can request reports for names that are under his control.
|
|
#77 adds the text that explicitly states that NEL reports aren't observable, and explains why. So the requester will never get to see any NEL reports about the requests they make; only the server that receives the requests will. That leaves open the question about what to do with
Of these, I think we can definitely rule out option (2) — option (3) accomplishes the same result with a much simpler solution. Straw poll? |
|
I have a question about verify ownership to domains resolved to private ip. I think, even if remove Signed HTTP Exchanges enable example.com to send NEL Policy as it is sent from 127-0-0-1.example.com. Steps
I'm not sure Whether this method is effective or not, if so, we should resolve this issue (or this is webpackage's issue) |
|
I'm not sure that such a scenario is significantly different than one done by DNS-rebinding like attack. In the rebinding model, an attacker would have The attacker would then change the resolution to point It seems NEL fundamentally enables this attack through its policy storage, allowing for a distinction between time of check and time of use (TOCTOU). To some extent, this makes the option (2) in https://github.com/WICG/network-error-logging/issues/74#issuecomment-399087271 the most appealing, in that it forces a 'fresh' check. Of course, that would have to be extended to all policies (for all domains) whose IP resolves to something different than when the policy was noted. |
|
That TOCTOU behavior is intentional, to help detect DNS hijacking attacks. E.g., I own |
|
Yes, it would prevent that use case of site operators from being addressed.
However, it would better preserve user privacy.
|
|
What about something similar to option (4)? We treat "the IP address that we're about to use for the request is different from the one where we received the policy" as a new kind of DNS "error". ( |
|
(My main concern with option (4) is whether it would make the spec too convoluted. I'm going to take a stab at a PR with some draft text to see whether that's the case) |
|
I agree that (4) is pretty convoluted, and between enabling the rebinding attack (that is, introducing yet-another-storage-layer with privacy properties) and the That naturally implies that Web Packaging would not be able to set or note these policies at all (they don't have a policy to note), which itself is... difficult to reason about (and to implement). |
|
Will there be similar concerns with how Web Packaging interacts with CSP? NEL prohibits a policy being set in a |
|
@dcreager Yes, there's a set of concerns with Signed Exchanges that are still being worked out with respect to mutability/persistence, particularly around domain-related policies. |
|
Alrighty, #83 is a stab at this. The diff is actually not as bad as I thought:
Thoughts? |
|
I sadly don't think I'll have a chance to do an indepth review of this for the next two-months (yeah, I know...), but some quick feedback:
I'm confused by this. #83 seems like it treats the IP as a singular thing ( That is, in a real world scenario, where a user in Geo 1 resolves
I suspect that's misunderstanding Signed Exchanges / Bundled Exchanges (or perhaps referring to something different?). In general, delivering a signed exchange to the user from the origin server would be a performance-negative (since you already negotiated the TLS handshake and verified the certificate, why do a second layer of verification and framing)? |
Even if DNS returns several addresses, the client is only going to use one of them (ignoring happy eyeballs) for a request. And I don't think we can assume that the other addresses in the DNS response point at the same server, right? So if the only way to confirm ownership of the server is to have a successful HTTPS connection that delivers a NEL policy, then we can't assume that the ownership should also apply to the other addresses in the response. Which means we have to track the individual IP addresses that were used for each request, and not the sets of IP addresses that might have come back from DNS at the same time.
Oh that's almost certainly true. I was just trying to say that the attack in this comment should be covered by this proposal too. |
|
Thanks! I was definitely misunderstanding your comment about it addressing the DNS load balancing case - I thought you were saying the intent was to allow reports to be sent fully for From a storage perspective, does this mean a user potentially will have as many NEL policies as there are IP addresses for that domain, and potentially have them diverge over time? Apologies if we should be chatting on #83 about that, but still trying to unpack the design space, as mentioned in https://github.com/WICG/network-error-logging/issues/74#issuecomment-399984666 |
As I've written it, no — there would still be at most one policy for an origin, and the user agent would keep track of the most recent IP address that it was received from. So as a slight variation of the above example:
That's also not ideal, but I wanted to keep things simple and conservative to start with. We can always examine ways to expand when we can send back full reports as a future edit to the spec. (Ideally, after having shipped this simpler version and collected data about how often we're getting downgraded |
|
Assuming there's no other feedback, I'm going to add some of the examples we've discussed here to the text in #83 and send it out for review. |
|
I think I agree that, if #83 is specified in terms of a Fetch response's connection's server IP address (as I just suggested there), then the Web Packaging specs will set the IP address such that cross-origin Signed Exchanges won't match the IP address(es) for direct connections, which will avoid the rebinding attacks here. That might be a little unfortunate, since servers may want to know about errors in their web packages, but it does seem reasonable to me. |
This patch clarifies the different phases that happen while servicing a
request. A network error occurs during one of those phases, and we now
handle errors differently depending on which phase they occur in:
- `include_subdomains` policies can only be used to generate reports
about DNS resolution errors, since the policy author can only
confirm ownership of the DNS tree, and not of all of the servers
that those domain names resolve to.
- If the resolved IP address for an origin changes between when a
policy is received, and when its used to generate a report, we don't
report any details about the connection and application phases, and
only report that the IP address changed. This prevents DNS
rebinding attacks.
Issue: #74
Yeah, that's another example where the current proposal is more conservative than it needs to be. I think we can figure out how to make the "received IP address" check cover this case, too; I just wanted to consider that a follow-on, and not a blocker to getting this fixed. |
|
#83 is merged, and has had several pairs of eyes on it. We think that it closes all of the security issues raised in this issue:
Thanks everyone for the thorough discussion and review! I'm going to close this issue; if there are any follow-on concerns, we can open new issues for them. |
|
Thank you for your work! |
…policies Per w3c/network-error-logging#74, NEL policies that have include_subdomains set can only be used to report errors during DNS resolution. They cannot be used to report on successes, or on errors in other phases, since once we contact a server, that server has to explicitly consent to NEL reporting by delivering its own policy. Bug: 862188 Change-Id: If051f6787344b9385af3e46384370636a6bafc5d Reviewed-on: https://chromium-review.googlesource.com/1135599 Commit-Queue: Douglas Creager <[email protected]> Reviewed-by: Misha Efimov <[email protected]> Cr-Commit-Position: refs/heads/master@{#575180}
First reported on blink-dev. We should add language to the spec to prevent NEL reporters from sending reports about any connections to a private address. Without that, someone could use an
include-subdomainsconfiguration to have clients probe their internal RFC1918-addressed networks, and report those results back to an external collector.The text was updated successfully, but these errors were encountered: