Re: [TLS] Security concerns around co-locating TLS and non-secure on same port (WGLC: draft-ietf-tsvwg-iana-ports-08)

[Marsh Ray <marsh@extendedsubset.com>]

Marsh Ray <marsh@extendedsubset.com> writes:
> Should we only be concerned with passive eavesdropping? If so, then
> consider how much higher adoption could have been if the specs had
> endorsed anon-anon DH connections such that there was no need for
> admins to set up certificates for their mail servers before deploying
> encryption.

On 11/08/2010 06:38 PM, Peter Gutmann wrote:
> The spec already does, RSA-as-anon-DH-equivalent seems to be the
> default deployment mode outside of HTTPS in browsers (I've always
> found it amusing that anon-DH use in SSL/TLS is treated as some form
> of leprosy by SSL developers and then the admins who use it turn RSA
> into anon-DH anyway by whatever means they can, self-signed certs,
> openssl ca ...', throwaway free certs, ...).

:-)

On 11/08/2010 06:58 PM, Bill Frantz wrote:
>
> Don't underestimate the value of protection from passive
> eavesdropping.

For the record, I was sincerely more interested in how Peter would 
respond than I was arguing against the merits of unauthenticated encryption.

I do think, however, that unauthenticated encryption is scary. It has 
that combination of being easy to set up, it looks like great 
pseudorandom data on a network monitor, yet it provides absolutely no 
defense against an entire class of practical "attack". (I put it in the 
quotes to question the use of the term in cases where the specific 
security property is explicitly disclaimed.)

So maybe a little dogmatic phobia of ADH is appropriate to keep us on track?

> It buys you quite a bit in the mobile WiFi world,
> where trusting the network providers is not an unreasonable level of
> trust compared with trusting anyone who can hear your radio
> connection.

Which did you mean:

Mobile, i.e. GSM and CDMA?   - varying degrees of pwned.

Or "mobile" WiFi hotspots?   - pwned.

> As an exercise for the student: Do you trust your network provider
> more than you trust our current version of PKI?

Yeah good question.

My answer is that it's meaningless to talk about "trusting" my network 
provider, other than having expectation that they will deliver my 
packets with high probability and low latency (and bill me for it 
accurately). No security properties per se are guaranteed by the design 
of the Internet. This was an intentional decision on the part of its 
designers. There were plenty of other networks back then that tried to 
build in all sorts of properties like that, but use the net we have 
today because it just works better this way.

> My answer might depend on how the three letter agencies active where
> my packets may flow fit into my threat model.

You don't know the route your packets will take across the public net. 
Every packet may take a different route. Really.

Or alternatively, an attacker could arrange for your data to be 
transmitted from a geosynchronous satellite over an unencrypted downlink 
where they could be received anonymously by consumer equipment anywhere 
on the entire continent:
http://www.blackhat.com/presentations/bh-dc-10/Nve_Leonardo/BlackHat-DC-2010-Nve-Playing-with-SAT-1.2-wp.pdf

- Marsh