[TLS]Re: [EXTERNAL] Adoption call for SSLKEYLOG Extension file for ECH
Ilari Liusvaara <ilariliusvaara@welho.com> Sun, 04 August 2024 11:00 UTC
Date: Sun, 04 Aug 2024 14:00:00 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: TLS List <tls@ietf.org>
Message-ID: <Zq9fMFjKIORoMHSG@LK-Perkele-VII2.locald>
References: <7CC88431-A71A-455B-A7A7-BA4AD3C8502C@sn3rd.com> <MN0PR21MB3147C2C3EE7B9115F339ADDE8CAB2@MN0PR21MB3147.namprd21.prod.outlook.com> <029901dae5c3$437addc0$ca709940$@gmx.net> <CAHBU6isbShx6XJLtUC1U+kPwABBTmGEueG2JhaEtVCgG7OdCbg@mail.gmail.com> <CABcZeBPUG0N0rZZ1ZCs2jzXxMiEP37R+reFQQj3PJkBwXSRSyQ@mail.gmail.com> <c24048cf-798f-4702-9000-114b6d173f05@huitema.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <c24048cf-798f-4702-9000-114b6d173f05@huitema.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2gpT082DO3Mg_1JTJ2pLx0kSx7c>
On Sat, Aug 03, 2024 at 02:38:29PM -0700, Christian Huitema wrote:
>
> The security considerations of
> https://datatracker.ietf.org/doc/draft-ietf-tls-keylogfile/ are pretty
> clear, but the discussion pointed out that environment variables can be
> installed without knowledge of most users. More protection is needed.
> Examples are explicit run time options, such as asking the user to set a
> special configuration flag to enable the feature, and compile time
> protections, which would only enable that configuration flag in special
> versions of the application.

Any attacker that can tamper with environment variables is in a position
to do way, way worse things than enabling SSLKEYLOG. Possibly even worse
than an attacker capable of replacing the whole application with a
trojan!

-Ilari
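The gating scheme quoted above (an explicit runtime flag plus a compile-time switch, so that an SSLKEYLOGFILE environment variable on its own enables nothing), worked through as an added Go example around crypto/tls's KeyLogWriter. This is not code from the thread, from draft-ietf-tls-keylogfile, or from any TLS library: keyLogBuild, --allow-keylog, keyLogPath, parseKeyLogLine and filteringWriter are hypothetical names chosen for the illustration, and the label set is the TLS 1.2/1.3 one from draft-ietf-tls-keylogfile (the ECH labels under adoption are not included).

```go
package main

import (
	"bufio"
	"crypto/tls"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// keyLogBuild is a hypothetical compile-time gate. A debugging build flips it
// with: go build -ldflags "-X main.keyLogBuild=1". Release builds keep "0".
var keyLogBuild = "0"

var errKeyLogDisabled = errors.New("key logging disabled: needs debug build, explicit opt-in and SSLKEYLOGFILE")

// keyLogPath returns the log file path only when all three gates hold:
// the build allows it, the user explicitly opted in, and SSLKEYLOGFILE is set.
func keyLogPath(buildEnabled, explicitOptIn bool, envPath string) (string, error) {
	if !buildEnabled || !explicitOptIn || envPath == "" {
		return "", errKeyLogDisabled
	}
	return envPath, nil
}

// keyLogLabels are the labels defined by draft-ietf-tls-keylogfile.
var keyLogLabels = map[string]bool{
	"CLIENT_RANDOM":                   true, // TLS 1.2 master secret
	"CLIENT_EARLY_TRAFFIC_SECRET":     true,
	"EARLY_EXPORTER_MASTER_SECRET":    true,
	"CLIENT_HANDSHAKE_TRAFFIC_SECRET": true,
	"SERVER_HANDSHAKE_TRAFFIC_SECRET": true,
	"CLIENT_TRAFFIC_SECRET_0":         true,
	"SERVER_TRAFFIC_SECRET_0":         true,
	"EXPORTER_SECRET":                 true,
}

// keyLogEntry is one parsed line: "<label> <client_random hex> <secret hex>".
type keyLogEntry struct {
	Label        string
	ClientRandom []byte
	Secret       []byte
}

// parseKeyLogLine checks a line against the draft's format: a known label,
// a 32-byte client_random and a non-empty secret, both hex encoded.
func parseKeyLogLine(line string) (keyLogEntry, error) {
	f := strings.Fields(line)
	if len(f) != 3 {
		return keyLogEntry{}, fmt.Errorf("expected 3 fields, got %d", len(f))
	}
	if !keyLogLabels[f[0]] {
		return keyLogEntry{}, fmt.Errorf("unknown label %q", f[0])
	}
	cr, err := hex.DecodeString(f[1])
	if err != nil || len(cr) != 32 {
		return keyLogEntry{}, errors.New("bad client_random")
	}
	sec, err := hex.DecodeString(f[2])
	if err != nil || len(sec) == 0 {
		return keyLogEntry{}, errors.New("bad secret")
	}
	return keyLogEntry{Label: f[0], ClientRandom: cr, Secret: sec}, nil
}

// filteringWriter forwards only well-formed key log lines to dst, so a
// malformed line or an unexpected label never reaches the file.
type filteringWriter struct{ dst io.Writer }

func (w filteringWriter) Write(p []byte) (int, error) {
	sc := bufio.NewScanner(strings.NewReader(string(p)))
	for sc.Scan() {
		if _, err := parseKeyLogLine(sc.Text()); err == nil {
			if _, err := fmt.Fprintln(w.dst, sc.Text()); err != nil {
				return 0, err
			}
		}
	}
	return len(p), nil
}

// newTLSConfig wires the gate into crypto/tls: KeyLogWriter stays nil unless
// every condition in keyLogPath is satisfied.
func newTLSConfig(explicitOptIn bool) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS13}
	path, err := keyLogPath(keyLogBuild == "1", explicitOptIn, os.Getenv("SSLKEYLOGFILE"))
	if errors.Is(err, errKeyLogDisabled) {
		return cfg, nil // run without key logging
	}
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0o600)
	if err != nil {
		return nil, err
	}
	cfg.KeyLogWriter = filteringWriter{dst: f}
	return cfg, nil
}

func main() {
	// --allow-keylog is the hypothetical explicit runtime opt-in.
	optIn := len(os.Args) > 1 && os.Args[1] == "--allow-keylog"
	cfg, err := newTLSConfig(optIn)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("key logging active:", cfg.KeyLogWriter != nil)
}
```

With this arrangement an attacker who can only plant SSLKEYLOGFILE in the environment of a release build gets nothing, which is the protection the quoted proposal asks for; whether that attacker is already in a position to do worse is the point of the reply above.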
- [TLS]Adoption call for SSLKEYLOG Extension file f… Sean Turner
- [TLS]Re: [EXTERNAL] Adoption call for SSLKEYLOG E… Andrei Popov
- [TLS]Re: [⚠️] Re: [EXTERNAL] Adoption call for SS… Yaroslav Rosomakho
- [TLS]Re: [⚠️] Re: [EXTERNAL] Adoption call for SS… Bob Beck
- [TLS]Re: [⚠️] Re: [EXTERNAL] Adoption call for SS… Salz, Rich
- [TLS]Re: [⚠️] Re: [EXTERNAL] Adoption call for SS… Steven Valdez
- [TLS]Re: [EXTERNAL] Adoption call for SSLKEYLOG E… Stephen Farrell
- [TLS]Re: [⚠️] Re: [EXTERNAL] Adoption call for SS… Andrei Popov
- [TLS]Re: Adoption call for SSLKEYLOG Extension fi… Christopher Patton
- [TLS]Re: [⚠] Re: [EXTERNAL] Adoption call for SSL… Christian Huitema
- [TLS]Re: [⚠] Re: [EXTERNAL] Adoption call for SSL… Amir Omidi
- [TLS]Re: [⚠] Re: [EXTERNAL] Adoption call for SSL… Salz, Rich
- [TLS]Re: [EXTERNAL] Adoption call for SSLKEYLOG E… hannes.tschofenig
- [TLS]Re: [EXTERNAL] Adoption call for SSLKEYLOG E… Tim Bray
- [TLS]Re: [EXTERNAL] Adoption call for SSLKEYLOG E… Eric Rescorla
- [TLS]Re: [EXTERNAL] Adoption call for SSLKEYLOG E… Stephen Farrell
- [TLS]Re: [EXTERNAL] Adoption call for SSLKEYLOG E… Christian Huitema
- [TLS]Re: [EXTERNAL] Adoption call for SSLKEYLOG E… Ilari Liusvaara
- [TLS]Re: [EXTERNAL] Adoption call for SSLKEYLOG E… Amir Omidi
- [TLS]Re: [EXTERNAL] Adoption call for SSLKEYLOG E… Andrei Popov
- [TLS]Re: Adoption call for SSLKEYLOG Extension fi… Kyle Nekritz
- [TLS]Re: [EXTERNAL] Adoption call for SSLKEYLOG E… Mike Shaver