We're interested in adding SDCH-over-HTTPS support to the Chromium
project and Chrome.
The original design document (
https://goo.gl/2zGXkU) explicitly
forbade using SDCH for HTTPS resources.
With some amendments, we believe that security concerns about this can
be addressed.
-------------
a) Can attacker-provided dictionaries over HTTP be used to inject
content into HTTPS-provided responses? Even without amendments this
may not be a feasible attack since SDCH identifies dictionaries using
48 bits of the SHA-2 hash of the contents, rather than a URL. However,
there is still a risk, so the design document should change to specify
that HTTPS URLs only fall within scope of HTTPS-retrieved
dictionaries.
b) Can passive attackers determine user behavior over HTTPS by
observing dictionary retrievals and advertisements? It's possible
that dictionaries are highly tied to individual users or specific
URLs.
If an HTTPS response advertises an HTTP URL in the Get-Dictionary
header and the client retrieves it, some information could be
revealed. This behavior is already prevented in the design document,
since Get-Dictionary URLs are required to be same-origin as the
response.
Advertising HTTPS-retrieved dictionaries in an Avail-Dictionary header
for an HTTP request could also reveal information. This should be
addressed by specifying that HTTP URLs only fall within scope of
HTTP-retrieved dictionaries. Combined with the change described in a)
above, this means that there is an implicit scheme associated with
each dictionary based on how it was retrieved, and the scheme of the
URL must match the implicit scheme of the dictionary.
c) Is SDCH-over-HTTPS subject to compression oracle attacks similar to
CRIME/BREACH? One of the main differences between SDCH and those
attacks is that the compression context is not supplied by the
attacker. However, this does not mean that servers are completely
immune to attacks. agl suggested a theoretical possibility where a
server sends a static response XOR'ed with user-provided data. If an
attacker had the contents of a dictionary (which is likely publicly
available), and provided data which reduced the size of the response
when XOR'ed with the static response, the attacker may then be able to
determine the contents of the static response.
Overall it does not seem like this style of attack is practical, but
counter-arguments are extremely welcome as they will make
SDCH-over-HTTPS a bad idea.
------------
Proposed deltas to the design document (these are also inserted as
comments on the design document at
https://goo.gl/2zGXkU)
1) In the "Dictionary Scope" section, remove the "The request is not
an HTTPS request" entry from the list. Add "The request URL's scheme
matches the scheme of the dictionary".
2) Remove the "The request is not an HTTPS request." entry from the
"Server Role in HTTP Response Generation" section.
3) In the "User Agent Role in HTTP Response Handling" section, change
the bit about whether the user agent may retrieve a dictionary to
"The user agent may retrieve a dictionary if the origin of the
dictionary matches the origin of the referrer. HTTP redirects may only
be followed if the origin matches as well."
4) Remove the first paragraph of the "Data Integrity" section that
starts with "This proposal does not take into account HTTPS."
5) Add a security concerns section to the document summarizing some of
the issues raised above.