Re: [secdir] [TLS] secdir review of

[Martin Rex <mrex@sap.com>]

Peter Saint-Andre wrote:
> 
> For context, the "quoted advice" is mostly a description of current
> usage in some existing user agents. Incorporating Barry's suggestions,
> that text currently reads as follows in our working copy:
> 
>       Security Note: Some existing interactive user agents give advanced
>       users the option of proceeding despite an identity mismatch.
>       Although this behavior can be appropriate in certain specialized
>       circumstances, in general it ought to be exposed only to advanced
>       users and even then needs to be handled with extreme caution, for
>       example by first encouraging even an advanced user to terminate
>       the connection and, if the advanced user chooses to proceed
>       anyway, by forcing the user to view the entire certification path
>       and only then allowing the user to accept the certificate on a
>       temporary basis (i.e., for this connection attempt and all
>       subsequent connection attempts for the life of the application
>       session, but not for connection attempts during future application
>       sessions).

This whole paragraph is evil and completely wrong.

It's bad enough that the web browser crowds replaced a useful option
and important security feature with an extremely evil scary page.

The IETF should definitely not put this non-sense into a
BCP or standard.


Offering to end-users, in a single-time-only leap-of-faith approach similar
to what SSH has been successfully doing since its invention to memorize
the peers certificate is magnitudes more secure than the endpoint
identification linking to one of a hundred trust anchors, provisionally
preconfigured by your software supplier.

The IETF, its standards & BCPs ought to stand clear from
recommendations that impair the usability or incur additional cost
for using the TLS technology between components of home networks.

The scary-pages presented by newer Browsers and the UI suggestions
in the quoted paragraph amounts to turning the entire TLS technology
into "nagware" for commercial pre-trusted CAs.  The most recent
browser scary-pages are worse than most nagware.

I'm not intimidated on the initial install of my DSL-router,
neither when logging in to the webadmin page for the first time,
nor when configuring my WPA2-PSK key.  Why on earth am I intimidated
so badly when I activate TLS for the webadmin UI of my home NAS
and connect to it with my browser for the first time?


Can't we do better than specifying the use of HTTP over TLS instead
of HTTP-only to access devices on my home network should not be
allowed to users that are not "advanced", and even those must be
badly intimidated when they try?


Even when servers use server certs from commercial pre-trusted CAs,
the options for end users to manually confirm the server cert to
have it cached/memorized and verified on future visits will
significantly improve the security for the user, because it
protects from later subversion of (the issuing procedures)
of any of the thousands CAs signed by any of the hundred
preconfigured trust anchors as well as bugs such as the
OID-integer wraparound and NUL-character in Hostname.



-Martin