From 0c1a0ffd8341549b2a91bd468be024c3f397d91d Mon Sep 17 00:00:00 2001 From: zzz <zzz@mail.i2p> Date: Thu, 9 Mar 2017 16:05:23 +0000 Subject: [PATCH] proposal 135 --- .../135-authenticated-address-helpers.rst | 112 ++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 i2p2www/spec/proposals/135-authenticated-address-helpers.rst diff --git a/i2p2www/spec/proposals/135-authenticated-address-helpers.rst b/i2p2www/spec/proposals/135-authenticated-address-helpers.rst new file mode 100644 index 000000000..65418bab6 --- /dev/null +++ b/i2p2www/spec/proposals/135-authenticated-address-helpers.rst @@ -0,0 +1,112 @@ +============================= +Authenticated Address Helpers +============================= +.. meta:: + :author: zzz + :created: 2017-02-25 + :thread: http://zzz.i2p/topics/2241 + :lastupdated: 2017-02-25 + :status: Open + +.. contents:: + + +Overview +======== + +This proposal adds an authentication mechanism to address helper URLs. + + +Motivation +========== + +Address helper URLs are inherently insecure. Anybody may put an address helper +parameter in a link, even for an image, and may put any destination in the +"i2paddresshelper" URL parameter. Depending on the user's HTTP proxy +implementation, this hostname/destination mapping, if not currently in the +addressbook, may be accepted, either with or without an interstitial for the +user to accept. + + +Design +====== + +Trusted jump servers and addressbook registration services would provide new +address helper links that add authentication parameters. The two new parameters +would be a base 64 signature and a signed-by string. + +These services would generate and provide a public key certificate. This +certificate would be available for download and inclusion in http proxy +software. Users and software developers would decide whether to trust such +services by including the certificate. + +On encountering an address helper link, the http proxy would check for the +additional authentication parameters, and attempt to verify the signature. On +successful verification, the proxy wold proceed as before, either by accepting +the new entry or showing an interstitial to the user. On verification failure, +the proxy could reject the address helper or show additional information to the +user. + +If no authentication parameters are present, the http proxy may accept, +decline, or present information to the user. + +Jump services would be trusted as usual, but with the additional authentication +step. Address helper links on other sites would need to be modified. + + + +Security Implications +===================== + +This proposal adds security by adding authentication from trusted registration +/ jump services. + + + +Specification +============= + +TBD. + +The two new parameters could be i2paddresshelpersig and i2paddresshelpersigner? + +Accepted signature types TBD. Probably not RSA as the base 64 signatures would +be very long. + +Signature algorithm: TBD. Maybe just hostname=b64dest (same as proposal 112 for +registration authentication) + +Possible third new parameter: The registration authentication string (the part +after the "#!") to be used for additional verification by the HTTP proxy. Any +"#" in the string would have to be escaped as "#" or "#", or be +replaced by some other specified (TBD) URL-safe character. + + +Migration +========= + +Old HTTP proxies that don't support the new authentication parameters would +ignore them, and pass them along to the web server, which should be harmless. + +New HTTP proxies that optionally support authentication parameters would work +fine with old address helper links that don't contain them. + +New HTTP proxies that require authentication parameters would not allow old +address helper links that don't contain them. + +A proxy implementation's policies may evolve over the course of a migration +period. + +Issues +====== + +A site owner could not generate an address helper for his own site, as it needs +the signature from a trusted jump server. He would have to register it on the +trusted server and get the authenticated helper URL from that server. Is there +a way for a site to generate a self-authenticated address helper URL? + +Alternatively, the proxy could check the Referer for an address helper +request. If the Referer were present, contained a b32, and the b32 matched the +helper's destination, then it could be allowed as a self-referral. Otherwise it +could be assumed to be a 3rd-party request, and rejected. + -- GitLab