[TLS]Re: [EXTERNAL] Adoption call for SSLKEYLOG Extension file for ECH

Christian Huitema <huitema@huitema.net> Sat, 03 August 2024 21:38 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB7F1C14F5FC; Sat, 3 Aug 2024 14:38:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YNYYJO26QLQh; Sat, 3 Aug 2024 14:38:40 -0700 (PDT)
Received: from se01.mfg.siteprotect.com (se01.mfg.siteprotect.com [64.26.60.164]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6767EC14F5F9; Sat, 3 Aug 2024 14:38:40 -0700 (PDT)
Received: from smtpauth01.mfg.siteprotect.com ([64.26.60.150]) by se01.mfg.siteprotect.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1saMSS-000cGM-8c; Sat, 03 Aug 2024 17:38:39 -0400
Received: from [192.168.1.104] (unknown [172.56.168.245]) (Authenticated sender: huitema@huitema.net) by smtpauth01.mfg.siteprotect.com (Postfix) with ESMTPSA id 4Wbx0618cYz1627FF; Sat, 3 Aug 2024 17:38:29 -0400 (EDT)
Message-ID: <c24048cf-798f-4702-9000-114b6d173f05@huitema.net>
Date: Sat, 03 Aug 2024 14:38:29 -0700
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Eric Rescorla <ekr@rtfm.com>, Tim Bray <tbray@textuality.com>
References: <7CC88431-A71A-455B-A7A7-BA4AD3C8502C@sn3rd.com> <MN0PR21MB3147C2C3EE7B9115F339ADDE8CAB2@MN0PR21MB3147.namprd21.prod.outlook.com> <029901dae5c3$437addc0$ca709940$@gmx.net> <CAHBU6isbShx6XJLtUC1U+kPwABBTmGEueG2JhaEtVCgG7OdCbg@mail.gmail.com> <CABcZeBPUG0N0rZZ1ZCs2jzXxMiEP37R+reFQQj3PJkBwXSRSyQ@mail.gmail.com>
Content-Language: en-US
From: Christian Huitema <huitema@huitema.net>
Autocrypt: addr=huitema@huitema.net; keydata= xjMEXtavGxYJKwYBBAHaRw8BAQdA1ou9A5MHTP9N3jfsWzlDZ+jPnQkusmc7sfLmWVz1RmvN J0NocmlzdGlhbiBIdWl0ZW1hIDxodWl0ZW1hQGh1aXRlbWEubmV0PsKWBBMWCAA+FiEEw3G4 Nwi4QEpAAXUUELAmqKBYtJQFAl7WrxsCGwMFCQlmAYAFCwkIBwIGFQoJCAsCBBYCAwECHgEC F4AACgkQELAmqKBYtJQbMwD/ebj/qnSbthC/5kD5DxZ/Ip0CGJw5QBz/+fJp3R8iAlsBAMjK r2tmyWyJz0CUkVG24WaR5EAJDvgwDv8h22U6QVkAzjgEXtavGxIKKwYBBAGXVQEFAQEHQJoM 6MUAIqpoqdCIiACiEynZf7nlJg2Eu0pXIhbUGONdAwEIB8J+BBgWCAAmFiEEw3G4Nwi4QEpA AXUUELAmqKBYtJQFAl7WrxsCGwwFCQlmAYAACgkQELAmqKBYtJRm2wD7BzeK5gEXSmBcBf0j BYdSaJcXNzx4yPLbP4GnUMAyl2cBAJzcsR4RkwO4dCRqM9CHpVJCwHtbUDJaa55//E0kp+gH
In-Reply-To: <CABcZeBPUG0N0rZZ1ZCs2jzXxMiEP37R+reFQQj3PJkBwXSRSyQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Authentication-Results: mfg.siteprotect.com; auth=pass smtp.auth=huitema@huitema.net
X-Originating-IP: 64.26.60.150
X-SpamExperts-Domain: mfg.outbound
X-SpamExperts-Username: 64.26.60.150/31
Authentication-Results: mfg.siteprotect.com; auth=pass smtp.auth=64.26.60.150/31@mfg.outbound
X-SpamExperts-Outgoing-Class: ham
X-SpamExperts-Outgoing-Evidence: Combined (0.22)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT+JKlGhpDCbgNc+ubNd2+VFPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5zBAzwSIZR2Os4N+s/lrMMMEU/zYEDVP22whYY8WpoGHSp3 cwQrbFTrcmiDymUFLpFr1QNOL2KfSOu4ta0sDKWTwrVKuontQuhFW/PPg/HzBZH2d9OrGIOMWaJr a+pHLriY1D0KD9VvXZUwUVaxWihpH/bhrCPBRJkyIPT173ihP1GGsaCu/oAuvRi1XOM+lUmMUvQg YJT3A6E9VIifU0IlmR1JhEQ0fnMvSyF3zPd+leKVse1sVhWabI0/+PN3sILkyQvJTrh5TPJIe57i rzyPt0DNtlpu9/j54C+9KfQPlnfPU6AjRH7EyGpGqUW5X6GBuzyaFpcNMRnqYDob6PGEDWOsRn0r Q8uAS6IdRu9xtZ1D9P6KyC9h4ONvAKG69WqNanVyvfT1nkMF77y4ACgB9zfFt85WTkwJTSNbxtcI 9lR4vcIpZdhTj4cb8NJzufI1fJIfQcR1cguXmH8X/TX0FFYjM/hk8FFzz5VrZXxYt5kuKkOAXi61 fIaf6ujXJ6uP0nqw9HirOnoU7/jRV6AwKT9d5mQcVg4RmVQORdo0/unQ06UY8aDyFZiARlxUWMpM i9XiI+RfyvckCHWnY/dCn/624s8kuGDQFuyMpgSsl0PPZZODMSZLWGw2EsldT9rrE3kmdKjT5BLr /roCYvbZwsnwBeVXtu22cfJTcR2a0s+VB22HBXXs2v9fcvjnuflzHDeqqFz43py4SDhdaHkWbr+M yXY9cffBOviZqpwZygK6o9Ped58uOOybEGMW28ri/8PH5pkbUeb9YbXYXt04Vhvn1M6e63Ez2Kc8 1z+y+Hak3U3M1aarCakG9JnAfOsg+iAb0hbYtIbOj9FjkOJh0z6bhalFEM/pjPCQA+BAluyXS9oO pln2SiUAyOoB0yp8K4EgtgsN2Ij6q4Ui0HC+jRXbajLzRhW0mZnQDLq/49Jr/4Tc3QBIZgW6AHRH hWULeeTWy9qh3OO25VGPgi0L2OG3fLcZhSPhkrDpxcAMay7YVCF0Ge9BXmuoTt8omDmtSUtcD62A w/3LaYi0SFudmD0ZnVKetZr7JXN+ljJ1KxgWfVqs1QlXN1wi3QKSJb4/YHGGdt5eD9ya81kvI1of j4oEMkkb52cuMkZmyFk0IrnmVABUGDBbijUk0niiKby1h2iCzU6pU/NLbWzfyIwF7aDHGDaCqXoE MS9UkGleOTEvuGslKTrRIXcXpFg5ivY=
X-Report-Abuse-To: spam@se02.mfg.siteprotect.com
Message-ID-Hash: BF3W5PM7LY7A4HI4TMMTSSJF2Q5MFMFL
X-Message-ID-Hash: BF3W5PM7LY7A4HI4TMMTSSJF2Q5MFMFL
X-MailFrom: huitema@huitema.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: hannes.tschofenig=40gmx.net@dmarc.ietf.org, Andrei Popov <Andrei.Popov=40microsoft.com@dmarc.ietf.org>, TLS List <tls@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [TLS]Re: [EXTERNAL] Adoption call for SSLKEYLOG Extension file for ECH
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/0agjnQbbgxPA1T09nN3Bf28BIxM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>


On 8/3/2024 11:03 AM, Eric Rescorla wrote:
> ...
> 
> The main SSLKEYLOGFILE document already contains the following
> applicability statement [1], which also is referenced here in S 5:
> 
>       The artifact that this document describes - if made available to
>       entities other than endpoints - completely undermines the core
>       guarantees that TLS provides. This format is intended for use in
>       systems where TLS only protects test data. While the access that
>       this information provides to TLS connections can be useful for
>       diagnosing problems while developing systems, this mechanism MUST
>       NOT be used in a production system.
> 
> If people feel that this statement is not strong enough, then I think
> the right thing to do is adjust the original draft, potentially by
> proposing new text here or to the IESG.

The security considerations of 
https://datatracker.ietf.org/doc/draft-ietf-tls-keylogfile/ are pretty 
clear, but the discussion pointed out that environment variables can be 
installed without knowledge of most users. More protection is needed. 
Examples are explicit run time options, such as asking the user to set a 
special configuration flag to enable the feature, and compile time 
protections, which would only enable that configuration flag in special 
versions of the application.

I think what the keylogfile draft is missing is some kind of scenario 
description. I have seen this feature widely used in "development" 
builds -- the QUIC Interop Runner (https://interop.seemann.io/) depends 
on it. In that case the scenario is simple, and a compile time solution 
works fine.

I understand that this feature could be useful when debugging network 
problems, and that the most used solution today is to collect and then 
analyze packet captures. That workflow is less simple, because the 
problem is typically discovered "in production". That's were the tension 
arises. On one hand, running that feature in production is pure folly. 
On the other hand, explaining to the user how to turn on the SSLKEYLOG 
feature and collect a PCAP can be a bit challenging. There will be a 
push to interpret the MUST NOT as "MUST NOT but we know very well that 
you will".

There are plausible defenses about this, such as tweaking the UI to make 
very obvious that the application is running in a degraded mode, with no 
security. But these defenses have cost, both in terms of implementation 
and in terms of reputation. The IETF can probably help developers "do 
the right thing" ... and defend their choices!

If it is not too late, it would be nice to explain that in a "deployment 
considerations" of draft-ietf-tls-keylogfile.

As for exporting the ECH key, there is a much simpler solution. If the 
problem is "get a PCAP for debugging", just turning of ECH for the 
debugging session would suffice. And it would also make the trade-off 
between debugging and safety pretty obvious.

-- Christian Huitema