[Teas] The SSLKEYLOGFILE Format for TLS

Thomas Lußnig <lussnig@suche.org> Mon, 19 August 2024 20:05 UTC

Return-Path: <lussnig@suche.org>
X-Original-To: teas@ietfa.amsl.com
Delivered-To: teas@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD002C1930B0 for <teas@ietfa.amsl.com>; Mon, 19 Aug 2024 13:05:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.298
X-Spam-Level: *
X-Spam-Status: No, score=1.298 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_96_XX=3.405, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=suche.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gGEHv-Moh_sK for <teas@ietfa.amsl.com>; Mon, 19 Aug 2024 13:05:29 -0700 (PDT)
Received: from suche.org (suche.org [194.50.33.11]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 621ADC1CAF3F for <teas@ietf.org>; Mon, 19 Aug 2024 13:05:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1722001763; s=mantrailing; d=suche.org; i=lussnig@suche.org; h=subject:to:from:Cc:Content-Description:Content-Disposition:Content-ID:Content-Transfer-Encoding:content-type:date:From:in-reply-to:List-Archive:List-Help:List-Id:List-Owner:List-Post:List-Subscribe:List-Unsubscribe:message-id:mime-version:references:reply-to:Resent-Cc:Resent-Date:Resent-From:Resent-Message-ID:Resent-Sender:Resent-To:Sender:Subject:To; l=14225; bh=BEODEUCiqRW83qRk80M3KDRZKMfPy8PuhcNGjouRL3g=; b=cAMOzmt3tSpcKa/BFk8FBB29BmrxJnqK4xkrjxMyUN02Aj/cIXDH93lOds2Ub5/v YLFqFpAXu8wO7VlbYfPmEBTt+rGZp38cqjI4RItazz+yw0QghqUtlVzPyl0nRFT+wNx DkoeSy54wgoAj1WiynC6pl2DjqQGcjSwtN2XL/dqHvJbAFsBynsg5Nwj9tM44XpiCoz 53YhXe1sIV9CwjyqaRhyCtqbW5bwzi9NsK12mGnGdLcEMEXIPzHhHdXtbGLO4MFq47K blOiVn7+EMps7CY6MFFvC5MYXJWok1HpZnYj8tUkVfo6dIDpUcNMe/Gq4x7n0lgoKBl /JgrtKTsrw==
Content-Type: multipart/alternative; boundary="------------7DosSvrbkGj3FBJk0sMhMDtX"
Message-ID: <2e2986de-6d73-4243-bd49-78ddd50d9874@suche.org>
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: last-call@ietf.org, james.n.guichard@futurewei.com, teas-chairs@ietf.org, teas@ietf.org, vbeeram@juniper.net
References: <172199881644.6614.2904382436387677065@ietfa.amsl.com>
Content-Language: de-DE, en-GB
From: Thomas Lußnig <lussnig@suche.org>
In-Reply-To: <172199881644.6614.2904382436387677065@ietfa.amsl.com>
Message-ID-Hash: WSWMW4EE7P2FFY22LNJKWI6ENOKLEDNH
X-Message-ID-Hash: WSWMW4EE7P2FFY22LNJKWI6ENOKLEDNH
X-MailFrom: lussnig@suche.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-teas.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Reply-To: Thomas Lußnig <lussnig@suche.org>
Subject: [Teas] The SSLKEYLOGFILE Format for TLS
List-Id: Traffic Engineering Architecture and Signaling working group discussion list <teas.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/teas/K9Iu9bqSaMoDZ8rf35oYQmbJ_UY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/teas>
List-Help: <mailto:teas-request@ietf.org?subject=help>
List-Owner: <mailto:teas-owner@ietf.org>
List-Post: <mailto:teas@ietf.org>
List-Subscribe: <mailto:teas-join@ietf.org>
List-Unsubscribe: <mailto:teas-leave@ietf.org>
Date: Mon, 19 Aug 2024 20:05:34 -0000
X-Original-Date: Fri, 26 Jul 2024 15:49:23 +0200

Hi,

in the risk description there is not mentioned that decryption of the 
messages allow to see the plaintext passwords,
used for identification that are otherwise not visible on the system if 
they are hashed and salted. So the risk is even
larger than compromising the old and current session. It will compromise 
also the user accounts independently of the
ssl protocol. So any access to this will allow impersonation long after 
the recording and even after the ssl sessions.

Another risk is adding an mime-type to this filetype can encourage 
developers to send/publish this highly sensitive file via email or web.


Gruß Thomas Lußnig



--------------------------------------------------------

> Message: 1
> Date: Thu, 25 Jul 2024 12:13:23 -0700
> From: The IESG<iesg-secretary@ietf.org>
> Subject: Document Action: 'The SSLKEYLOGFILE Format for TLS' to
> 	Informational RFC (draft-ietf-tls-keylogfile-02.txt)
> To: "IETF-Announce"<ietf-announce@ietf.org>
> Cc: The IESG<iesg@ietf.org>,draft-ietf-tls-keylogfile@ietf.org,
> 	paul.wouters@aiven.io,rfc-editor@rfc-editor.org,tls-chairs@ietf.org,
> 	tls@ietf.org
> Message-ID: <172193480302.1044038.13275141107936697882@dt-datatracker-
> 	659f84ff76-9wqgv>
> Content-Type: text/plain; charset="utf-8"
>
> The IESG has approved the following document:
> - 'The SSLKEYLOGFILE Format for TLS'
>    (draft-ietf-tls-keylogfile-02.txt) as Informational RFC
>
> This document is the product of the Transport Layer Security Working Group.
>
> The IESG contact persons are Paul Wouters and Deb Cooley.
>
> A URL of this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-tls-keylogfile/
>
>
>
>
> Technical Summary
>
>     A format that supports the logging information about the secrets used
>     in a TLS connection is described.  Recording secrets to a file in
>     SSLKEYLOGFILE format allows diagnostic and logging tools that use
>     this file to decrypt messages exchanged by TLS endpoints.
>
> Working Group Summary
>
>
>     The one thing that worried some people (including your responsible AD)
>     was the fact that this could be used as pervasive monitoring tool if this
>     file is offloaded/shared on production systems. Numerous warnings were
>     added to the document to not do this. As the feature is already readily
>     available (Firefox, Chrome, Wireshark, openssl, libcurl, etc.) those
>     who are building such monitoring devices can already do so anyway.
>
> Document Quality
>
>    This is documenting a widely deployed feature that is used for development
>    and debugging major crypto libraries and browsers (see above)
>
> Personnel
>
>     The Document Shepherd for this document is Sean Turner. The Responsible
>     Area Director is Paul Wouters.
>
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 25 Jul 2024 12:14:09 -0700
> From: The IESG<iesg-secretary@ietf.org>
> Subject: Last Call:
> 	<draft-ietf-teas-applicability-actn-slicing-07.txt> (Applicability of
> 	Abstraction and Control of Traffic Engineered Networks (ACTN) to
> 	Network Slicing) to Informational RFC
> To: "IETF-Announce"<ietf-announce@ietf.org>
> Cc:draft-ietf-teas-applicability-actn-slicing@ietf.org,
> 	james.n.guichard@futurewei.com,teas-chairs@ietf.org,teas@ietf.org,
> 	vbeeram@juniper.net
> Message-ID: <172193484951.1042453.12495308827630261210@dt-datatracker-
> 	659f84ff76-9wqgv>
> Content-Type: text/plain; charset="utf-8"
>
>
> The IESG has received a request from the Traffic Engineering Architecture and
> Signaling WG (teas) to consider the following document: - 'Applicability of
> Abstraction and Control of Traffic Engineered
>     Networks (ACTN) to Network Slicing'
>    <draft-ietf-teas-applicability-actn-slicing-07.txt> as Informational RFC
>
> The IESG plans to make a decision in the next few weeks, and solicits final
> comments on this action. Please send substantive comments to the
> last-call@ietf.org  mailing lists by 2024-08-08. Exceptionally, comments may
> be sent toiesg@ietf.org  instead. In either case, please retain the beginning
> of the Subject line to allow automated sorting.
>
> Abstract
>
>
>     Network abstraction is a technique that can be applied to a network
>     domain to obtain a view of potential connectivity across the network
>     by utilizing a set of policies to select network resources.
>
>     Network slicing is an approach to network operations that builds on
>     the concept of network abstraction to provide programmability,
>     flexibility, and modularity.  It may use techniques such as Software
>     Defined Networking (SDN) and Network Function Virtualization (NFV) to
>     create multiple logical or virtual networks, each tailored for a set
>     of services that share the same set of requirements.
>
>     Abstraction and Control of Traffic Engineered Networks (ACTN) is
>     described in RFC 8453.  It defines an SDN-based architecture that
>     relies on the concept of network and service abstraction to detach
>     network and service control from the underlying data plane.
>
>     This document outlines the applicability of ACTN to network slicing
>     in a Traffic Engineered (TE) network that utilizes IETF technologies.
>     It also identifies the features of network slicing not currently
>     within the scope of ACTN, and indicates where ACTN might be extended.
>
>
>
>
> The file can be obtained via
> https://datatracker.ietf.org/doc/draft-ietf-teas-applicability-actn-slicing/
>
>
>
> No IPR declarations have been submitted directly on this I-D.
>
>
>
>
>
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> IETF-Announce mailing list --ietf-announce@ietf.org
> To unsubscribe send an email toietf-announce-leave@ietf.org
>
>
> ------------------------------
>
> End of IETF-Announce Digest, Vol 243, Issue 18
> **********************************************