colmmacc
commented
8 years ago In general s2n aims to be a minimal implementation - only including options and extensions that are broadly used. Every new piece of functionality brings risk, and since this is a very sensitive layer, it needs to be very well justified.
Speaking only for myself: I'm very skeptical about token binding. The mechanism is clearly a layering violation, and doesn't defend against standard channel-auth deficiencies such as request smuggling, or mismatches between the session state and the request state (what happens when a request spans two or more TLS contexts?). So it's a bit of a head-scratcher; if crypto changes are going to be used to defend shared-secrets better, why not move to signed requests? In that model, the tokens would be useless even when stolen.
alexw91
travisspencer
There is a new spec that is nearing completion in the IETF for binding tokens and cookies to the TLS layer using ALPN. From the spec:
For more details, the draft spec can be found here: https://datatracker.ietf.org/wg/tokbind/documents/
This spec is already widely supported by Google and Microsoft, the pioneers of the standard. It is also gaining industry traction from other parties. Implementations can be found already in these products:
In the coming weeks, Google will open source a C++ (and/or C) library that will handle all of the Token Binding negotiation. In BoringSSL and OpenSSL, this is offloaded to such a library using a custom extension API. No such API seems to exist in s2n, so either 1 of 2 things is needed: