wsferro.blogg.se

Beyondcorp documents

When you only authenticate a client, with a mechanism such as TLS Mutual-Auth, or ALTS, you still aren't really authenticating the actions, just the channel. That leaves the system open to request smuggling attacks, hi-jacking attacks, context-mismatch attacks (TLS is particularly cumbersome here, because authentication contexts can change mid-request), layering violations like credential lengthening problems (do you tear down a previously opened connection when the credential used to establish it expires or is revoked?), and vulnerabilities in the channel authentication mechanism (e.g. X509 and ASN1 are both notorious problem areas). ALTS mitigates this somewhat by using Protobufs, but that's still a very very big TCB.

I work at AWS, so I'm biased, but it seems much stronger to me to use a system that AAA's each action, like a request signing protocol (ours is …). Request signing systems like that authenticate each action, which is very granular; it permits strong offline signing (just like my iPhone banking app does), and it's agnostic to the details of networks and clients, and things like hi-jacking and smuggling just can't work. Even the question "Is this client one of ours?" is a bad question to ask. A much better question is "Is this specific action authorized and authenticated?".

Honestly, enabling normal TLS mutual-auth likely degrades security in most cases, as it opens the server to whatever attacks the X509 processing is vulnerable to. It takes a much smaller TCB, and no connection state, to AAA a signed request, but with mutual-auth you need a state machine and the TCBs for X509/ASN.1 validation tend to be huge. That's not what you want in a security critical control.

The main threats are protocol and network level. For example, request-smuggling and hi-jacking attacks can take the form of bugs in proxies and servers that allow requests to be smuggled because they don't escape newlines in headers and so on. With signing, these requests don't validate.

Of course, today's browsers aren't really set up for this; they don't support built-in request signing, but I still find it a little weird to see VPNs/networks traded for a model whose expiry date also went by years ago.
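The following is an added illustration, not code from the comment above and not AWS's or Google's own protocol: a deliberately simplified per-request HMAC signing scheme (the header format, canonical string layout, key table and 300-second skew window are all constructed assumptions). It shows the point the comment makes about AAA'ing each action: the server authenticates one request from the bytes of that request alone, with no connection state, so a request whose body or path was altered in transit, or one replayed later, fails verification regardless of which channel delivered it.

```python
import hashlib
import hmac
import time

# Constructed demo credential shared by client and service (assumption; in a
# real deployment this is the caller's issued key id and secret).
DEMO_KEY_ID = "AKDEMO0001"
DEMO_SECRET = b"constructed-demo-secret"
KEYS = {DEMO_KEY_ID: DEMO_SECRET}
SIGNED_HEADERS = ("host", "content-type")   # headers that change an action's meaning
MAX_SKEW_SECONDS = 300                       # assumed replay window


def canonical_request(method, path, headers, body, timestamp):
    """Deterministic string binding the action (method + path), the time,
    the signed headers, and a hash of the body. Header names are lowercased
    and values trimmed so client and server canonicalise identically."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    header_lines = "\n".join(f"{name}:{lower.get(name, '')}" for name in SIGNED_HEADERS)
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), header_lines, body_hash])


def sign_request(key_id, secret, method, path, headers, body, timestamp=None):
    """Client side: compute the signature and return the headers to send.
    Nothing here depends on a live connection, so signing can happen offline."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    canonical = canonical_request(method, path, headers, body, timestamp).encode()
    sig = hmac.new(secret, canonical, hashlib.sha256).hexdigest()
    signed = dict(headers)
    signed["Authorization"] = f"Demo-HMAC key_id={key_id},ts={timestamp},sig={sig}"
    return signed


def _parse_authorization(value):
    """Parse the constructed 'Demo-HMAC k=v,k=v' header; None if malformed."""
    scheme, _, params = value.partition(" ")
    if scheme != "Demo-HMAC":
        return None
    fields = dict(p.split("=", 1) for p in params.split(",") if "=" in p)
    if not {"key_id", "ts", "sig"} <= set(fields):
        return None
    return fields


def verify_request(method, path, headers, body, now=None):
    """Server side: authenticate this single action from the request alone.
    Returns (ok, reason) so the caller can log why a request was rejected."""
    now = int(time.time()) if now is None else now
    auth = headers.get("Authorization")
    fields = _parse_authorization(auth) if auth else None
    if fields is None:
        return False, "missing or malformed Authorization header"
    secret = KEYS.get(fields["key_id"])
    if secret is None:
        return False, "unknown key id"
    try:
        ts = int(fields["ts"])
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside allowed skew"
    unsigned = {k: v for k, v in headers.items() if k.lower() != "authorization"}
    canonical = canonical_request(method, path, unsigned, body, ts).encode()
    expected = hmac.new(secret, canonical, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, fields["sig"]):
        return False, "signature mismatch"
    return True, "ok"


def demo():
    """Constructed scenario: one genuine signed request, then the same request
    as it would arrive after a hypothetical proxy bug altered its body or path,
    and the same request replayed an hour later."""
    now = 1_700_000_000  # fixed clock so the demo is reproducible
    headers = {"Host": "api.example.test", "Content-Type": "application/json"}
    body = b'{"action":"list","bucket":"demo"}'
    sent = sign_request(DEMO_KEY_ID, DEMO_SECRET, "POST", "/v1/buckets", headers, body, timestamp=now)
    altered_body = b'{"action":"delete","bucket":"demo"}'
    return {
        "genuine": verify_request("POST", "/v1/buckets", sent, body, now=now),
        "body_altered": verify_request("POST", "/v1/buckets", sent, altered_body, now=now),
        "path_altered": verify_request("POST", "/v1/admin", sent, body, now=now),
        "replayed_late": verify_request("POST", "/v1/buckets", sent, body, now=now + 3600),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:14} -> {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

The design choice worth noticing is that `verify_request` holds no state between calls and never consults the transport: the trusted computing base is the canonicalisation function, SHA-256 and HMAC, rather than an X.509/ASN.1 parser plus a TLS state machine. In a real deployment the timestamp check would be paired with a short-lived nonce cache if strict single-use is required, and the secret would be looked up per key id from a credential store that can revoke it.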
