IETF Logo Mail Archive

Re: [TLS] Should TLS 1.3 use an augmented PAKE by default?

"Ryan Sleevi" <ryan-ietftls@sleevi.com> Wed, 19 March 2014 16:20 UTC

Return-Path: <ryan-ietftls@sleevi.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B56B1A0709 for <tls@ietfa.amsl.com>; Wed, 19 Mar 2014 09:20:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.665
X-Spam-Level:
X-Spam-Status: No, score=-1.665 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, SPF_FAIL=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WAs4_K0rJ4pu for <tls@ietfa.amsl.com>; Wed, 19 Mar 2014 09:20:43 -0700 (PDT)
Received: from homiemail-a104.g.dreamhost.com (agjbgdcfdbeb.dreamhost.com [69.163.253.141]) by ietfa.amsl.com (Postfix) with ESMTP id 4CCDA1A07B2 for <tls@ietf.org>; Wed, 19 Mar 2014 09:20:42 -0700 (PDT)
Received: from homiemail-a104.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a104.g.dreamhost.com (Postfix) with ESMTP id 9E9EC20087EAF; Wed, 19 Mar 2014 09:20:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sleevi.com; h=message-id :in-reply-to:references:date:subject:from:to:cc:reply-to :mime-version:content-type:content-transfer-encoding; s= sleevi.com; bh=yN7FzxCqC90fmnSEjBjjFxVJMaY=; b=XmEhYAJVLit14OHgA syqMYBz5DxmjD9o3OSHF/yJ53HSKlaCaOBXaab8WhzinKhpkivv0byQskHo8Fq+O we/FfJgpTQ5+wCvlTzOy41l+UjbQuhc/m1mM/BHTzwOLYvArfgV8v7tUP94DYOB+ 9Xo88KAQgsAm4uFhFcxF2y2rdw=
Received: from webmail.dreamhost.com (caiajhbihbdd.dreamhost.com [208.97.187.133]) (Authenticated sender: ryan@sleevi.com) by homiemail-a104.g.dreamhost.com (Postfix) with ESMTPA id 69CAB20087EAA; Wed, 19 Mar 2014 09:20:33 -0700 (PDT)
Received: from 173.8.157.162 (proxying for 173.8.157.162) (SquirrelMail authenticated user ryan@sleevi.com) by webmail.dreamhost.com with HTTP; Wed, 19 Mar 2014 09:20:33 -0700
Message-ID: <e38419e3ada3233dbb3f860048703347.squirrel@webmail.dreamhost.com>
In-Reply-To: <CALCETrUz8zCBHiq42GTnkkSaBcpA5pjSvk6kwwPjzn+MtBKMgA@mail.gmail.com>
References: <53288C43.9010205@mit.edu> <5328B6DF.8070703@fifthhorseman.net> <5328C0C8.9060403@mit.edu> <6b79e0820d349720f12b14d4706a8a5d.squirrel@webmail.dreamhost.com> <CALCETrUz8zCBHiq42GTnkkSaBcpA5pjSvk6kwwPjzn+MtBKMgA@mail.gmail.com>
Date: Wed, 19 Mar 2014 09:20:33 -0700
From: Ryan Sleevi <ryan-ietftls@sleevi.com>
To: Andy Lutomirski <luto@amacapital.net>
User-Agent: SquirrelMail/1.4.21
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/BWpI9R2vTra7KQvjyVLAOzbwykY
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Should TLS 1.3 use an augmented PAKE by default?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: ryan-ietftls@sleevi.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Mar 2014 16:20:45 -0000

On Wed, March 19, 2014 9:06 am, Andy Lutomirski wrote:
>  On Tue, Mar 18, 2014 at 10:54 PM, Ryan Sleevi <ryan-ietftls@sleevi.com>
>  wrote:
> > I have yet to hear of a good mail client
> > "phishing" attack (you *are* validating your IMAP certs, right?), so
> > this
> > seems almost predominantly an issue of attacker-controlled UI - that is,
> > the web.
>
>  Even for IMAP, using PAKE, augmented or balanced, would give a
>  significant amount of protection against MITMs who have compromised a
>  CA.  Since compromising a CA seems to be a popular thing to do these
>  days, resisting these attacks at the protocol level would add
>  considerable value.
>
>  --Andy
>

Or use key pinning - http://tools.ietf.org/html/draft-ietf-websec-key-pinning

Or use DANE - https://tools.ietf.org/html/rfc6698

My point is you can see on this list archives two common threads:
- A desire to reduce, as much as possible, the complexity of TLS
- Not a lot of fondness for another PAKE

I applaud your zeal, and my hope and goal is to try to highlight that
you're trying to solve the wrong problem. On the browser side, on the site
side, and the user side - your target demographics - no one is really
saying "Aww, if only I had a PAKE! That's what my security solution
needs".

If you're still convinced that *this* is the thing that TLS is missing, I
would only encourage you to reach out and try to first come up with a
solution for "how the password gets in the browser" before trying to
figure out how the browser gets it to the server. That will at least burn
a decade of energy and enthusiasm.

Note that the solution equally fails to meet your goals, because you will
always have browsers that don't support your solution - so sites wanting
to use it will still have to support 'naked' passwords. Equally, for
browsers, there will always be sites that continue to support the <input
type="password"> authentication (not the least because it's part of
HTML5), so they will always be phishable via downgrade attacks - not of
the TLS type, but of the UX type.

So your goal of providing a more secure UI is not really achievable, and
where it is, it's not really secure.

If that's the only justification/goal for the augmented PAKE (and your
replies suggest it is), let's just save the trouble and say "meh".

v2.23.0 | Report a Bug | By Email