Re: [TLS] Heartbleed / protocol complexity

Nico Williams <nico@cryptonector.com> Wed, 09 April 2014 22:23 UTC

On Wed, Apr 9, 2014 at 4:25 PM, Hanno Böck <hanno@hboeck.de> wrote:
> It's kinda surprising that nobody yet started a thread on the biggest
> issue in TLS these days on the TLS WG list. So I make a start.

Standard IDL + standard encoding + tooling == this type of problem
mostly goes away and it's easier to test and fuzz test unit
components.

TLS has an ad-hoc IDL and encoding, and it IIUC doesn't adhere to its
own conventions tightly enough that we could now standardize a
compatible IDL+encoding and develop tooling for it.

To all who have ever poo-poo'ed ASN.1 and friends I now say: you've
definitively lost the argument.  If you don't like one IDL, use
another, or develop a new one.

> I see a number of issues here:

I don't agree with all that you say, but even if I did, all of these
issues pale by comparison to the IDL/encoding issue.

> * Extensions make the protocol more complex. Complexity adds attack
>   surface. [...]

Maybe, but we need extensibility, sometimes to get us out of a hole.
No extensibility == insecure fallbacks in the future.

There are no right answers in some cases.

> * Heartbeat adds some completely unnecessary complexity by having a
>   payload with an arbitrary length. There's no point in that. Fefe
>   wrote something about it (German only):

I don't think it's unnecessary: at least for DTLS it is probably
necessary for PMTUD.  If we have no use for it in TCP it might be
worth turning it off there, but that's fighting the last war by moving
complexity elsewhere -- the more DTLS and TLS diverge the less common
code can be shared.

Nico
--
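
An added illustration of the "IDL + encoding + tooling" point in the message above. It is not part of the original message and not taken from any TLS library. The heartbeat layout follows RFC 6520; the mini-schema, `decode()`, `payload_len()` and the sample records are hypothetical names and constructed data. All length checks sit in one generic decoder, so a per-message handler never compares a claimed length with the received bytes itself:

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical mini-schema: every length check lives in decode(), not in per-message code. */
enum kind { U8, VEC16, REST_MIN };          /* REST_MIN: all remaining bytes, at least `min` */
struct field { enum kind kind; size_t min; };
struct value { unsigned num; const uint8_t *ptr; size_t len; };

/* RFC 6520 HeartbeatMessage as a schema: type, 16-bit length + payload, padding (>= 16 bytes). */
static const struct field HEARTBEAT[] = { {U8, 0}, {VEC16, 0}, {REST_MIN, 16} };

/* Returns 0 on success, -1 when a declared length does not fit in buf[0..len). */
int decode(const struct field *f, size_t n, const uint8_t *buf, size_t len, struct value *out)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        size_t left = len - off;            /* bytes received and not yet consumed */
        if (f[i].kind == U8) {
            if (left < 1) return -1;
            out[i] = (struct value){ buf[off++], NULL, 0 };
        } else if (f[i].kind == VEC16) {
            if (left < 2) return -1;
            size_t vlen = ((size_t)buf[off] << 8) | buf[off + 1];
            if (vlen > left - 2) return -1; /* claimed length exceeds the record */
            out[i] = (struct value){ 0, buf + off + 2, vlen };
            off += 2 + vlen;
        } else {
            if (left < f[i].min) return -1;
            out[i] = (struct value){ 0, buf + off, left };
            off = len;
        }
    }
    return 0;
}

/* Constructed samples: a 21-byte request with payload "hi", and a 3-byte record claiming 0x4000. */
static const uint8_t GOOD[21] = { 1, 0, 2, 'h', 'i' };
static const uint8_t BAD[] = { 1, 0x40, 0x00 };
/* Payload length of a well-formed heartbeat record, or -1 if the decoder rejects it. */
long payload_len(const uint8_t *rec, size_t len)
{
    struct value v[3];
    return decode(HEARTBEAT, 3, rec, len, v) == 0 ? (long)v[1].len : -1;
}

int main(void)
{
    printf("good=%ld bad=%ld\n", payload_len(GOOD, sizeof GOOD), payload_len(BAD, sizeof BAD));
    return 0;
}
```

Because the decoder is driven by the schema rather than by message-specific code, it can be unit-tested and fuzzed once for every message type that uses it.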