Re: Security for various IETF services

Yoav Nir <ynir.ietf@gmail.com> Wed, 09 April 2014 08:38 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 931831A0160 for <ietf@ietfa.amsl.com>; Wed, 9 Apr 2014 01:38:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.599
X-Spam-Level:
X-Spam-Status: No, score=-0.599 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yQs90XvqB1Lz for <ietf@ietfa.amsl.com>; Wed, 9 Apr 2014 01:38:20 -0700 (PDT)
Received: from mail-ee0-x234.google.com (mail-ee0-x234.google.com [IPv6:2a00:1450:4013:c00::234]) by ietfa.amsl.com (Postfix) with ESMTP id 1E88D1A019E for <ietf@ietf.org>; Wed, 9 Apr 2014 01:38:16 -0700 (PDT)
Received: by mail-ee0-f52.google.com with SMTP id e49so1559070eek.39 for <ietf@ietf.org>; Wed, 09 Apr 2014 01:38:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=H/9YDZv46y903S58CGw1fKsNJv842uN6oa70MPygX8s=; b=JnI955ir2CVfSd4nkcakwmLQWeOfIda2LEtmUvn4DDParV4d3Xt5JaIwMaWPayrbS4 2jkQ4+QZXsv+fZUEsgoe1tFJZM4R18nMRYGmKVFkQ9HTjU4U7E5+NIm4jNPVYHYBm9lW uACs86/PuDV584tvEYJ+Ob96syEhro+a47I6yDpdPVgubYygTfIMke/Hl4uIplZbFNNs Ff3mPR76xe6bj43fHHQfrs4q974UuPSrNIPEF6oZZNrQyW2B0nnmLSiiFgoP6lFDqzUu 3IY9LditGmenuuX8+0UEJv2Ih4jxb+WsCQhlY8tnyWLBG2FApPcBdocBx72uIpp+4mEl 3QjQ==
X-Received: by 10.15.90.201 with SMTP id q49mr1308579eez.65.1397032696291; Wed, 09 Apr 2014 01:38:16 -0700 (PDT)
Received: from [192.168.243.52] ([192.116.177.210]) by mx.google.com with ESMTPSA id 48sm781232eei.24.2014.04.09.01.38.13 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 09 Apr 2014 01:38:14 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_C4F474F3-091A-4B6D-99CF-0949C3271EEA"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
Subject: Re: Security for various IETF services
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <CAKW6Ri5=6eVEKvJ3SVrFxnX9Hd1vxUFW9n4p99g=NM+LHky9kA@mail.gmail.com>
Date: Wed, 9 Apr 2014 11:38:12 +0300
Message-Id: <A1442D4F-DB3F-4A69-B42C-C89BD3758104@gmail.com>
References: <533D8A90.60309@cs.tcd.ie> <533EEF35.7070901@isdg.net> <27993A73-491B-4590-9F37-0C0D369B4C6F@cisco.com> <CAHBU6iuX8Y8VCgkY1Qk+DEPEgN2=DWbNEWVffyVmmP_3qmmmig@mail.gmail.com> <53427277.30707@cisco.com> <B275762E-3A1A-44A3-80BE-67F4C8B115B2@trammell.ch> <53428593.3020707@cs.tcd.ie> <A33A3F1E-8F6D-4BD9-8D1B-B24FBCD74D8D@nominum.com> <5342B26B.5020704@gmail.com> <011301cf532a$b4cd02a0$4001a8c0@gateway.2wire.net> <CAKW6Ri5=6eVEKvJ3SVrFxnX9Hd1vxUFW9n4p99g=NM+LHky9kA@mail.gmail.com>
To: Dick Franks <rwfranks@acm.org>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/Ap_t3qJBBgTJnw_kaY_tVkyCcLA
Cc: IETF-Discussion <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Apr 2014 08:38:24 -0000

On Apr 9, 2014, at 3:02 AM, Dick Franks <rwfranks@acm.org> wrote:

> 
> On 8 April 2014 09:32, t.p. <daedulus@btconnect.com> wrote:
> 
> 
> The path that I have seen several Security ADs steer Working Groups down
> is to start with a threat analysis before deciding what counter measures
> are appropriate.
> 
> 
> Several contributors have been saying exactly that for almost a week.
> 
> These suggestions have been answered by dismissive emails and a relentless bombardment of magic pixie dust.


The thing is, the IETF websites are not that special. There’s a bunch of information, most of it public. The sites accept payments by credit card thrice a year. There’s a wiki. There’s some mailing lists with archives and registration pages, There’s content that can be edited by privileged users, and there’s other content that can be uploaded by anyone and viewed by anyone. Pretty much any corporate website has these parts.

The point of having best practices is that we don’t need to think about a threat model for each website. It’s a set of practices that someone has called “best practices” because they protect against several common types of attack at a low enough cost, that many web sites can implement them without actually proving to management that each part is strictly necessary.

Sure, we can have a debate here about the security needs of each service provided and have some of the most knowledgeable experts debate whether the www.ietf.org should have HTTP access, while datatracker.ietf.org should have only HTTPS, and tools. should have both and HSTS and HPKP to boot. But that is not eating our own dog food, because the next “store that sells soap making supplies on the ‘net” will not have access to such expertise. Our dogfood should be implementable by people who don’t read these mailing lists - the web site developer that said store hires. Hence the need for “best practices” shortcuts, which are very much a part of all branches of engineering.

That said, if there are security implications that are not common to regular websites, these should be considered and discussed. For example, if reading drafts and RFCs from the office might betray your company’s future plans, that is a good reason to allow encrypted access to RFCs. Or if reading certain articles on Wikipedia can get you in trouble in some countries, then encrypted access to those may be in order. And if having both encrypted and non-encrypted access results in encrypted access being red-flagged as subversive, that may be a good argument for encrypted access by default or even exclusively. 

But before diving into such a discussion we need to have a good argument for what makes us so special.

Yoav