Re: [TLS] Security concerns around co-locating TLS and non-secure on same port (WGLC: draft-ietf-tsvwg-iana-ports-08)
Marsh Ray <marsh@extendedsubset.com> Thu, 11 November 2010 20:34 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BB02B3A687F; Thu, 11 Nov 2010 12:34:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.353
X-Spam-Level:
X-Spam-Status: No, score=-2.353 tagged_above=-999 required=5 tests=[AWL=-0.354, BAYES_00=-2.599, J_CHICKENPOX_15=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RQGhOvDwIe+6; Thu, 11 Nov 2010 12:34:18 -0800 (PST)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 186F53A682F; Thu, 11 Nov 2010 12:34:17 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1PGdr5-000NNI-Fp; Thu, 11 Nov 2010 20:34:47 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 4F4146019; Thu, 11 Nov 2010 20:34:45 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1//p1qEdSP+eXi2riQpch9MnqucOFnKfis=
Message-ID: <4CDC5364.7020804@extendedsubset.com>
Date: Thu, 11 Nov 2010 14:34:44 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.15) Gecko/20101027 Thunderbird/3.0.10
MIME-Version: 1.0
To: Nicolas Williams <Nicolas.Williams@oracle.com>
References: <4CD83312.5060000@extendedsubset.com> <20101108202407.GO6536@oracle.com> <4CD86FC4.4070308@extendedsubset.com> <20101108221016.GT6536@oracle.com> <4CD8A811.1080801@extendedsubset.com> <20101109035040.GA6536@oracle.com> <4CD98A16.4070004@extendedsubset.com> <20101109181114.GE6536@oracle.com> <007d01cb81bf$548f3880$4001a8c0@gateway.2wire.net> <4CDC3332.7060402@extendedsubset.com> <20101111201404.GG6536@oracle.com>
In-Reply-To: <20101111201404.GG6536@oracle.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, tsvwg@ietf.org, tls@ietf.org
Subject: Re: [TLS] Security concerns around co-locating TLS and non-secure on same port (WGLC: draft-ietf-tsvwg-iana-ports-08)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Nov 2010 20:34:18 -0000
On 11/11/2010 02:14 PM, Nicolas Williams wrote: > On Thu, Nov 11, 2010 at 12:17:22PM -0600, Marsh Ray wrote: >> On 11/11/2010 10:41 AM, t.petch wrote: >>> >>> To return to (what I see as) the main purpose of the thread, I too >>> think that StartTLS is a good, if not an excellent idea; I see no >>> difference in the vulnerabilities (although my cryptanalysis is weak). >> >> Well, that's the thing. In theory there is no difference, in >> practice however... > > FUD alert. I suppose this conversation isn't going anywhere useful. I'll not burden the WG list(s) with it any longer. Anyone who wants to, feel free to keep up the discussion with 'reply all'. > You're not explaining why no one uses HTTP StartTLS. Because my point was that it's not relevant to the discussion. But I seemed to have just confused the issue by mentioning it at all. > Without tracing every program you can't tell if the program is lying to > you about anything, anything at all. Your program could be trojaned and > might be sharing your secret credentials with the bad guys. Why stop there? There is a whole industry's worth of evidence that even professional programmers working in heavily peer-reviewed environments can't write substantial programs without backdoors, intentional or not. The CPU in your/my computer (or most any of the other chips) has undocumented opcodes. The chip designers send their stuff off to someone else to be manufactured, too. Still, I need to know if my email program is willing to send my password in plaintext. I claim only that there is a difference between the way my web browser handles http/https over TCP ports 80/443, and the way my email program handles STARTTLS. It may, in fact, be entirely implementation issues that make the difference. But still something could be gained by the discussion. - Marsh
- [TLS] Security concerns around co-locating TLS an… Magnus Westerlund
- Re: [TLS] Security concerns around co-locating TL… Michael D'Errico
- Re: [TLS] Security concerns around co-locating TL… Paul Hoffman
- Re: [TLS] Security concerns around co-locating TL… Magnus Westerlund
- Re: [TLS] Security concerns around co-locating TL… Marsh Ray
- Re: [TLS] Security concerns around co-locating TL… Geoffrey Keating
- Re: [TLS] Security concerns around co-locating TL… Nicolas Williams
- Re: [TLS] Security concerns around co-locating TL… Nicolas Williams
- Re: [TLS] Security concerns around co-locating TL… Richard Hartmann
- Re: [TLS] Security concerns around co-locating TL… Martin Rex
- Re: [TLS] Security concerns around co-locating TL… Marsh Ray
- Re: [TLS] Security concerns around co-locating TL… Marsh Ray
- Re: [TLS] Security concerns around co-locating TL… Nicolas Williams
- Re: [TLS] Security concerns around co-locating TL… Nicolas Williams
- Re: [TLS] Security concerns around co-locating TL… Nicolas Williams
- Re: [TLS] Security concerns around co-locating TL… Richard Hartmann
- Re: [TLS] Security concerns around co-locating TL… Nicolas Williams
- Re: [TLS] Security concerns around co-locating TL… Bill Frantz
- Re: [TLS] Security concerns around co-locating TL… Marsh Ray
- Re: [TLS] Security concerns around co-locating TL… Marsh Ray
- Re: [TLS] Security concerns around co-locating TL… Marsh Ray
- Re: [TLS] Security concerns around co-locating TL… Nicolas Williams
- Re: [TLS] Security concerns around co-locating TL… Nicolas Williams
- Re: [TLS] Security concerns around co-locating TL… Bill Frantz
- Re: [TLS] Security concerns around co-locating TL… Steingruebl, Andy
- Re: [TLS] Security concerns around co-locating TL… t.petch
- Re: [TLS] Security concerns around co-locating TL… Michael D'Errico
- Re: [TLS] Security concerns around co-locating TL… Nicolas Williams
- Re: [TLS] Security concerns around co-locating TL… t.petch
- Re: [TLS] Security concerns around co-locating TL… Marsh Ray
- Re: [TLS] Security concerns around co-locating TL… Nicolas Williams
- Re: [TLS] Security concerns around co-locating TL… Michael D'Errico
- Re: [TLS] Security concerns around co-locating TL… Nicolas Williams
- Re: [TLS] Security concerns around co-locating TL… Yoav Nir
- Re: [TLS] Security concerns around co-locating TL… Nelson B Bolyard
- Re: [TLS] Security concerns around co-locating TL… Peter Saint-Andre
- Re: [TLS] Security concerns around co-locating TL… Bill Frantz
- Re: [TLS] Security concerns around co-locating TL… Nicolas Williams
- Re: [TLS] Security concerns around co-locating TL… Michael D'Errico
- Re: [TLS] Security concerns around co-locating TL… Martin Rex
- Re: [TLS] Security concerns around co-locating TL… Juho Vähä-Herttua
- Re: [TLS] Security concerns around co-locating TL… Juho Vähä-Herttua
- Re: [TLS] Security concerns around co-locating TL… Martin Rex
- Re: [TLS] Security concerns around co-locating TL… Nicolas Williams
- Re: [TLS] Security concerns around co-locating TL… Marsh Ray
- Re: [TLS] Security concerns around co-locating TL… Martin Rex
- Re: [TLS] Security concerns around co-locating TL… Martin Rex
- Re: [TLS] Security concerns around co-locating TL… Michael D'Errico
- Re: [TLS] Security concerns around co-locating TL… Nikos Mavrogiannopoulos
- Re: [TLS] Security concerns around co-locating TL… t.petch
- Re: [TLS] Security concerns around co-locating TL… Nicolas Williams
- Re: [TLS] Security concerns around co-locating TL… Marsh Ray
- Re: [TLS] Security concerns around co-locating TL… Martin Rex
- Re: [TLS] Security concerns around co-locating TL… Nicolas Williams
- Re: [TLS] Security concerns around co-locating TL… Marsh Ray
- Re: [TLS] Security concerns around co-locating TL… Martin Rex
- Re: [TLS] Security concerns around co-locating TL… Michael D'Errico
- Re: [TLS] Security concerns around co-locating TL… Martin Rex
- Re: [TLS] Security concerns around co-locating TL… Martin Rex
- Re: [TLS] Security concerns around co-locating TL… Chris Newman
- Re: [TLS] Security concerns around co-locating TL… Nico Williams
- Re: [TLS] Security concerns around co-locating TL… Matt DeMoss
- Re: [TLS] Security concerns around co-locating TL… Yoav Nir
- Re: [TLS] Security concerns around co-locating TL… Joe Touch