IETF Logo Mail Archive

Re: [TLS] Another [Well-deserved] attack on TLS CCA

Anders Rundgren <anders.rundgren@telia.com> Wed, 19 June 2013 04:56 UTC

Return-Path: <anders.rundgren@telia.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C543B21F9D02 for <tls@ietfa.amsl.com>; Tue, 18 Jun 2013 21:56:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8c06kr3NBCFu for <tls@ietfa.amsl.com>; Tue, 18 Jun 2013 21:56:17 -0700 (PDT)
Received: from smtp-out12.han.skanova.net (smtp-out12.han.skanova.net [195.67.226.212]) by ietfa.amsl.com (Postfix) with ESMTP id A2DAF21F9CF7 for <tls@ietf.org>; Tue, 18 Jun 2013 21:56:16 -0700 (PDT)
Received: from [192.168.0.203] (213.64.1.89) by smtp-out12.han.skanova.net (8.5.133) (authenticated as u36408181) id 51B4DDE7002688E0; Wed, 19 Jun 2013 06:56:11 +0200
Message-ID: <51C139E8.9070206@telia.com>
Date: Wed, 19 Jun 2013 06:56:08 +0200
From: Anders Rundgren <anders.rundgren@telia.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130509 Thunderbird/17.0.6
MIME-Version: 1.0
To: Geoffrey Keating <geoffk@geoffk.org>
References: <51C0A762.9030909@telia.com> <m2obb3qes1.fsf@localhost.localdomain> <51C0DC81.3010908@telia.com> <m2k3lrq97i.fsf@localhost.localdomain>
In-Reply-To: <m2k3lrq97i.fsf@localhost.localdomain>
X-Enigmail-Version: 1.5.1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "'tls@ietf.org'" <tls@ietf.org>
Subject: Re: [TLS] Another [Well-deserved] attack on TLS CCA
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jun 2013 04:56:22 -0000

On 2013-06-19 01:40, Geoffrey Keating wrote:
> Anders Rundgren <anders.rundgren@telia.com> writes:
> 
>> On 2013-06-18 23:39, Geoffrey Keating wrote:
>>> Anders Rundgren <anders.rundgren@telia.com> writes:
>>>
>>>> https://sites.google.com/site/oauthgoog/gnubby
>>>>
>>>> Luckily for all users Google didn't select TLS CCA (Client Certificate
>>>> Authentication) for their coming U2F system; only a moron would base a
>>>> future consumer authentication system on a scheme that is only suited
>>>> for VPN tunnels and invisible authentications like as ChannelID.
>>>>
>>>> What's missing you may wonder?  Well, how about
>>>>
>>>> - Compatibility with web sessions including timeout and logout
>>>
>>> Logout is a client-side function, and occurs (typically) when the user
>>> logs out of their local session and/or quits their web browser.
>>> Timeout occurs when the TLS connection is closed due to inactivity
>>> (typically 60 seconds) and the session resumption token is expired,
>>> which is up to the server; or, looking at it another way, when the
>>> user's screen lock triggers due to inactivity.
>>
>> Yes, but this is not how most web apps work today for good or for worse.
> 
> That's because most web apps require the user to type a password, but
> you can't require the user to type a password on every click, so they
> only ask the user to enter the password once, and then they have to
> maintain authentication status information using cookies (or similar).
> Client certificates avoid this entirely; you don't need cookies, you
> can authenticate on every request.  This can dramatically simplify the
> design of a web app.
> 
> At least, that's one way to do it.  If you're doing two-factor, you
> can combine this with a password: you still have a session, with
> login, logout and timeout, but you also require that every connection be tied
> to the client certificate.

A fly in the soup is that few if any of the web-server application frameworks
out there like Java Servlets have any information or control over the TLS session.
You'd probably have to program at "MOD-SSL" level or something like that :-)

> 
>>>> - A working credential filtering system
>>>
>>> I think this is mostly due to lack of demand.  I wouldn't say it isn't
>>> "working", just that as commonly implemented, it isn't very good.
>>
>> There is a perceived little demand because many organizations who are big
>> users of consumer-PKI have no voice in the IETF.  I believe these guys
>> would be slaughtered by the IETF bunch since they don't have exactly the
>> same "lingo" and probably don't know very much about inner life of TLS.
> 
> Asking at the IETF is definitely the wrong place to start this.  At
> present there's no consensus that any protocol changes are required
> let alone what these changes might be.  These organizations need to
> ask the OS and/or browser vendors for better support, explaining in
> detail what they need and why, and those vendors can work with them
> and then if necessary do any protocol design under the IETF umbrella.

Today VISA and MasterCard authorize credit-card transactions on the
Internet with a "User ID" (card number + other details) together
with a "Password" (CCV) printed in clear (!) on the back of the card.

It is pretty obvious that there is a total disconnect between the
different parties so we are essentially at the mercy of tech giants
like Google who "can think for everybody else".  Google have (with U2F)
indirectly declared TLS CCA as not useful for consumer-auth and that's
about it.

Anders

>

v2.29.0 | Report a Bug | By Email | System Status