Another mitigating factor to clarify: Let's Encrypt certificates only last 90 days (grater than the 60 day limit in place with Chrome), but as mentioned in the original message, this attack can still be enabled with anonymous payments to any CA with rapid key rotation as a service, of which these CAs may easily produce certificates lasting one year.

This doesn't impact Chrome given the 60 day max-max-age change which I believe went in with M51, but it's worth keeping in mind.

Assigning to timwillis and palmer since they have some context. (Tim is OOO today though.)

Thanks.

If I had to distill this down to the most salient points, I'd say that the most immediate resolution rests with Let's Encrypt, though implementers of HPKP should look to mitigate the risk this pattern poses as a ransomware vector as more CAs enable rapid key rotation and potentially more free CAs with this functionality go live.

We don't anticipate a need for a quick fix or other short term mitigation by the Chrome and Firefox teams unless, of course, Let's Encrypt opts to do nothing.

All on the thread:

We have two other discussion threads going on at the same time, one with LE and the other with Mozilla.

With regards to LE, there was a proposed simplification of RansomPKP by Jacob Hoffman-Andrews which would rely on establishing a TLS relay on the compromised machine and ending the TLS connection at an attacker-owned endpoint, allowing an attacker to forgo Rapid Key Rotation by maintaining control of just one key (the Ransom key). We've whiteboarded this alternate proposal and believe it's viable, though for a number of reasons which we can enumerate later but which mostly reduce down to the resources needed and resulting ROI, we disagree that this version of the attack is as effective as the RKR version. Still, the point was made that there exist potentially multiple ways to successfully use HPKP to hold a site's userbase for ransom, something not at all considered during the drafting of HPKP beyond a mere DoS via hostile pinning.

LE just now concluded with "Wontfix," and although we believe that any number of fixes by LE could substantially reduce the near-term potential for harm enabled by the service (such as dramatically reducing the rate limit, among others listed in the original email), it's within their right to assert that LE won't take action.

Since Ryan and I have an attack which clearly works and have no obvious mitigation paths in front of us in light of LE's "Wontfix"... we're out of ideas for mitigating the attack enabled by LE. Thoughts?

Thanks for taking the time to report this issue.

For all of this discussion, let’s keep in mind that the scope of this attack requires an attacker to have already hacked someone. I realise that those contributing to this thread know this, but for others reading this thread without that background, it’s important to remember that this scenario is usually considered “game over” before it really begins, as an attacker would already have unfettered access.

Considering that, I would posit that the root problem is not with Let’s Encrypt (LE), but with whatever vulnerability enabled the attacker to compromise the service in the first place. An attacker who can gain administrative control of the service has unlimited ability to damage the service, its users, and the operator's reputation in whatever way the attacker pleases. If an attacker has this type of unfettered access, attempting to extract a ransom via HPKP seems unlikely due to the possibility of significantly more interesting or lucrative alternatives

It is true that the existence of HPKP makes it all the more important for site operators to secure their deployments. The problem of hostile pinning — which already includes the idea of pinning a site for ransom — is documented in https://tools.ietf.org/html/rfc7469#section-4.5. It was alsowas discussed (including the use of the term “pinning suicide”) in the IETF WebSec forum (see e.g. https://www.ietf.org/mail-archive/web/websec/current/msg02298.html and generally https://www.ietf.org/mailman/listinfo/websec).

Basically, an attacker could effectively ransom the service operator or its users with or without LE, and with or without LE's rapid issuance process. This problem isn't unique to LE, and as mentioned above, has been known and discussed before.

Short of offline and intentionally-slow issuance ceremonies — which would reduce the overall prevalence of HTTPS on the web, would still be spoofable, and would thus be a net negative for web security — demonstration of administrative control is the best available way for the site operator to prove their desire for LE to issue a certificate for the domain.

We’re always interested in solving challenges, so thanks for taking the time to recommend a solution. Your recommendation to “Leverage DNS as proof that the true owner of any given domain actually wants a LE certificate” is effectively what Certification Authority Authorization (CAA, https://tools.ietf.org/html/rfc6844) is, and LE already uses it. Certificate Transparency provides effective post hoc misissuance detection, and LE uses it as well.

Also, Chrome intentionally enabled the 60-day max-max-age to mitigate hostile pinning, in accordance with advice in https://tools.ietf.org/html/rfc7469#section-2.3.3.

Hey Bryant / Ryan,

Just checking in here - it seems as though palmer@'s response addressed the concerns your raised in the OP. 

As it doesn't look like there's anything to fix here on the Chrome side, any objections to marking this as WontFix and opening up the bug? I wanted to double check before doing so just to make sure I'm not missing something here.

Tim and Chris,

Thanks for taking the time to reply (and to check in). There are some details in Chris' reply which we disagree with, so we'll address everything in a subsequent reply this week. After this, we'll be content with any conclusion settled on by the team.

Thanks for the ping.

That timing sounds great - look forward to hearing from you later this week and I'll make pencil in some time in advance with Chris and others on the team to discuss on Monday.

Tentatively assigning security impact tags based on the fact that this attack requires taking over a web server

All, Ryan and I had a bit to get done this week which robbed us of necessary time, but I'm intending to follow up during the day Saturday. 

Thank you for the tags in the meantime. 

Interesting. We consistently get HTTP 500 status codes when attempting to post our reply even after filtering for characters within a specific range, so we're attaching it here as a (UTF-8) text file.

Cheers,

-Bryant and Ryan

Deleted: err500 monorail.png 19.9 KB

	err500 monorail.png 19.9 KB View Download

Deleted: Chromium Reply.txt 7.4 KB

Chromium Reply.txt 7.4 KB View Download

Attachment in #23 below.

+agable: Any ideas why Bryant had issues uploading into Monorail?

Also, for context I'm assigning Andrew as the new owner, as I'm leaving the Chrome team this week for elsewhere in Google and won't be able to see this through :( Andrew and I sit next to each other so he's very much up to speed on this and will likely get back to you today or tomorrow after chatting with Chris.

In case I don't chat beforehand - all the best with your talk!

Tim

=== attached email in #c23 ===

"""Chris, thanks for your insight. It's always much appreciated.

Generally, we do agree that CAA would be an effective mitigation for those not interested in using LE. As far as we're aware and judging from the spec, the spec essentially describes itself as a whitelist within a blacklist whereby when implemented by a domain, the domain must be precluded from receiving a certificate from a CA unless the CA observes itself in the CAA Resource Record set (RRs). Without an active mitigation effort, it would take a concerted awareness effort to make this known to all concerned service operators, which is something we intend to do with the AppSec Glory talk regardless of the outcome of this conversation.

Ultimately, if the conclusion by all parties involved in this discussion is that there's nothing to be done short of making people aware of the opt-in CAA standard, we'll move forward with making awareness of the standard a priority.

---

That said, we disagree with several details above. Specifically,

> "Considering that, I would posit that the root problem is not with Let's Encrypt (LE), but with whatever vulnerability enabled the attacker to compromise the service in the first place. An attacker who can gain administrative control of the service has unlimited ability to damage the service, its users, and the operator's reputation in whatever way the attacker pleases. If an attacker has this type of unfettered access, attempting to extract a ransom via HPKP seems unlikely due to the possibility of significantly more interesting or lucrative alternatives"

This appears to assume that compromising a site gives an attacker an unlimited ability to pivot, which for larger targets would not necessarily be the case. Building on this, it also assumes that every component of a site sits in one zone of trust, something I have yet to see at any larger corporate environment. To the point: just because a web server in a DMZ is compromised doesn't guarantee that an attacker can pivot and do substantially more damage through other means, or else there would be no point in having a DMZ at all. What would in the past have been just a simple site defacement could instead now be readily monetized by an attacker. Therefore, although an initial compromise might taken place through a different vulnerability, it is this vulnerability which allows an attacker to immediately cash out such a small scale intrusion.

> "Basically, an attacker could effectively ransom the service operator or its users with or without LE, and with or without LE's rapid issuance process. This problem isn't unique to LE, and as mentioned above, has been known and discussed before."

We disagree with the usage of the word "effectively" in this context. This problem appears in fact to be unique to LE simply because the issuance ceremony (automated via a bot on the web server) and rate limits are what allow an attacker to automate the attack and "lock in" the gains, meaning the users held for ransom. We haven't actually seen ransom attack patterns discussed in any of the aforementioned threads and references, only the concept of hostile pinning in a general sense, which we referenced in the original post (ctrl+f "hostile pinning"). We _did_ see discussion of ransom attack patterns arise spontaneously in other threads (ctrl+f "Hacker News"), but the crux of this report is that automated issuance, minimal authentication requirements, and rapid rotation of keys allow for a successful and effective attack as compared to without these capabilities. Without rapid key rotation specifically, defenders who regain access to the compromised machine can simply recover the keypair used in the attack, rendering such an attack entirely ineffective.

> "Short of offline and intentionally-slow issuance ceremonies — which would reduce the overall prevalence of HTTPS on the web, would still be spoofable, and would thus be a net negative for web security — demonstration of administrative control is the best available way for the site operator to prove their desire for LE to issue a certificate for the domain."

We don't actually believe that offline and intentionally slow issuance ceremonies would be an effective mitigation in light of the mission to spread TLS. However, we do believe that the free service LE provides obligates all parties -- LE as well as browsers which trust LE -- to investigate extra precautions. Speaking specifically to the use of CAA, our preference would be for LE to either require the use of CAA as a compromise condition for handing out free certificates at all _or_ for LE to require CAA as a condition for enabling higher rate limits. We believe the latter will be far less detrimental to LE's mission and can potentially even be beneficial by limiting abuse of the LE service. 

However, we've been informed by LE of the following:

"CAA is intentionally a blacklist-based solution. To treat it as a whitelist would both violate the spec and create unnecessarily high barriers to enabling TLS."

We've pored over the spec a number of times, especially section four (https://tools.ietf.org/html/rfc6844#section-4). We did not observe any defined behavior for CAs to follow in the event that a CAA RRs could not be located, which leads us to our understanding that CAs are empowered to explicitly require a CAA RRs as a condition of service without being in violation of the spec.

---

To conclude:

We believe that the level of system compromise required to enable RansomPKP is not a level of compromise which would guarantee the success of other attacks. For instance, all it might take to implement RansomPKP might be the compromise of a relevant web server within a DMZ, an otherwise limited network compromise which until now might not have been easily monetized.

It's for this reason that we expect _some level of mitigation_ to take place, though as mentioned in the beginning, we can move forward with disclosing RansomPKP and releasing the PoC as part of a coordinated awareness effort for the use of CAA in the event that all concerned parties unfortunately decide against system-level mitigation. Our stance in favor of mitigation over merely an awareness campaign stems from the same position which led the Chromium team to cap max-max-age for HPKP to 60 days; service owners cannot necessarily be trusted to act in their own best interests hence the need for some form of programmatic enforcement, which gets to our closing point:

Can the team confirm if our reading of the CAA specification is correct? We specifically did not observe any requirements in the spec for how to handle the condition where the RRs is empty. Because of this, an effective mitigation for this attack would seem to be for LE to require a CAA RRs identifying LE to be present as a condition of either issuing a certificate (more onerous to the adoption of TLS) or issuing a certificate beyond a certain cadence (far less burdensome yet still effective). We believe requiring CAA for certificates beyond two per month will substantially mitigate risk posed by this attack while still empowering LE to continue the mission of spreading TLS adoption, and though we strongly believe the Chromium team is in a unique position to suggest a change such as this in order to protect against such attacks in the future, we can understand and will move forward with only an awareness campaign should all product teams involved in this thread opt for WontFix.

Cheers,

-Bryant and Ryan"""

(Aside, regarding the failure to post the update in Comment 23:)

The attached text file contained unicode bytes in the following characters:
lowercase 'x', capital 'F', and numeral '0'.
I have no idea those characters were non-ascii.
We plan to fully support utf8 (including emoji) in the near future; see  issue monorail:705  for further details.

If you wish to continue discussion about non-Basic Multilingual Plane characters in Monorail, feel free to contact me out-of-band, or in the issue referenced above.

And now back to your regularly-scheduled programming.

Deleted: Screenshot from 2016-06-27 13:28:54.png 41.6 KB

	Screenshot from 2016-06-27 13:28:54.png 41.6 KB View Download

[offtopic] So first I drafted the reply in gdocs, then I copied it into notepad (a quick and easy way to sanitize things of specialness) and then into the comment box where it conveniently failed to post. No special ''s, ''es, or ''s were used. I know that it passed my extremely sloppy regex of [^a-zA-Z0-9\- /.?,"'+*_#:;>()\r\n] in notepad++ when I started to troubleshoot. 

The * character in the regex above was an em dash that had been used elsewhere in this thread, which makes me wonder if this is a regression in monorail that happened between when this thread opened and now. I had to pass the same 00ff-ffff regex on this text before I could submit _this_ comment, and that's the only character it caught. Original body for this comment.[/offtopic]

Deleted: plaintext.txt 411 bytes

plaintext.txt 411 bytes View Download

Hi Bryant and Ryan,

As you anticipated I'm going to mark this WontFix, given I don't believe there's a change to be made in Chrome. But we're certainly open to revisiting if there's a solution that improves current best practice.

CAA records are indeed a promising development, and getting them more attention would be great, but this probably isn't the best forum for that discussion.  I might suggest the Mozilla security policy list (https://lists.mozilla.org/listinfo/dev-security-policy) and keeping an eye on the CA/B Forum public list (https://cabforum.org/pipermail/public/). The latter requires membership to post, but I'd be happy to forward on any contributions if you'd like.

Thanks again for taking the time to write a detailed report, and best of luck for your presentation!

Fair. Is there an opinion by the Chrome team as to whether the LE team should investigate programmatic mitigation? There might not be anything in the opinion of the Chrome team that Chrome should perform to mitigate this, but we still believe that "a solution that improves current best practice" would be for free CAs--LE included--to require a CAA RRs when issuing certs beyond a certain rate limit per the last paragraph of our most recent response.

My assumption is that our reading of the CAA spec is correct given that the team has not disputed it. If so, and if the Chrome team believes this is a step that LE should take, then I'd be glad to reopen the thread with the LE team (though they're already copied on every correspondence here). If not, then this topic is settled and we'll move forward with the presentation from there.

[offtopic] I've created https://bugs.chromium.org/p/monorail/issues/detail?id=1511 for discussion of the unicode characters and Monorail. Please continue all other conversation over there. If you do not have permission to view that issue and wish to be granted access, please email me directly. [/offtopic]

Speaking as one of the Chrome Team's representatives to the CA/Browser Forum, the suggestions with respect to CAA are ones that harm, rather than help, the ecosystem. Requiring free CAs to perform a CAA check would be explicitly harmful to the ecosystem, for reasons both obvious and non-obvious, but as I am not a lawyer, I cannot comment on nor speculate on.

As Chris mentioned, the concerns regarding HPKP-centric ransomware were explicitly discussed during the standardization of HPKP. Free CAs do not meaningfully change that threat calculus, nor do CAs which allow unlimited issuance - such as CAs omitted from your list, such as StartCom or WoSign.

The reading of the CAA spec - indicating that CAs could require CAA - is certainly true, but we're explicitly opposed and will not support a mandate that required CAA records be affirmatively present before issuing a certificate.

This is not a step I can support recommending LE take, and believe it would be actively harmful to the ecosystem.

Perfect response. Works for us. Will look forward to the discussion which will hopefully take place once we're done.

If anyone from the team is attending either conference, we look forward to meeting in person!

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot