Re: [TLS] Proposal for detecting fraudulent certificates

Max Pritikin <pritikin@cisco.com> Mon, 26 September 2011 16:30 UTC

Return-Path: <pritikin@cisco.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D6C81F0C41 for <tls@ietfa.amsl.com>; Mon, 26 Sep 2011 09:30:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tlu1UI4oGqdH for <tls@ietfa.amsl.com>; Mon, 26 Sep 2011 09:30:06 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) by ietfa.amsl.com (Postfix) with ESMTP id 6CF211F0C3C for <tls@ietf.org>; Mon, 26 Sep 2011 09:30:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=pritikin@cisco.com; l=3449; q=dns/txt; s=iport; t=1317054770; x=1318264370; h=subject:mime-version:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=P06aXEC6Dc6zAPzBBxzoaojeojJTFBSxdctBbngRMME=; b=fh6sXKzwTfw0m2VHJw898duZSQ847iGMfkjtLbJSfcykeucsgdAEaZh+ /t/23i89ls2Go7MPD94Ttg1E67ndntoktQINeiEY6UfiihxRnE1sA5PKN JJmyvgbw1KTH7gZWMSLYYnrHPcXBO4TnjZIYEVO3Miu/iMNujvwK8PEJd A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av4EAP2ogE6tJV2Y/2dsb2JhbABCqBF4gVMBAQEBAgEBAQEPAScfFQsFCwsYLicwGSKHVgacYAGOKo9whitgBIdyi2CRUQ
X-IronPort-AV: E=Sophos;i="4.68,445,1312156800"; d="scan'208";a="24088515"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by rcdn-iport-7.cisco.com with ESMTP; 26 Sep 2011 16:32:49 +0000
Received: from rtp-vpn4-1152.cisco.com (rtp-vpn4-1152.cisco.com [10.82.212.128]) by rcdn-core-1.cisco.com (8.14.3/8.14.3) with ESMTP id p8QGWlg0022617; Mon, 26 Sep 2011 16:32:47 GMT
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: Max Pritikin <pritikin@cisco.com>
In-Reply-To: <201109261605.p8QG5vRC013367@fs4113.wdf.sap.corp>
Date: Mon, 26 Sep 2011 11:21:53 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <4A5A089A-0F7C-4CDD-8104-F6411FC4D710@cisco.com>
References: <201109261605.p8QG5vRC013367@fs4113.wdf.sap.corp>
To: mrex@sap.com
X-Mailer: Apple Mail (2.1084)
Cc: tls@ietf.org
Subject: Re: [TLS] Proposal for detecting fraudulent certificates
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Sep 2011 16:30:07 -0000

In the extreme case an invalid sub-CA certificate would be missed by this method unless clients send the entire chain, so I understand the author's motivation for completeness. 

The intention of this idea is to give web server administrators a tool for discovering fraudulent certificates in the wild. The concern isn't so much that a few individuals, perhaps even ones on a several week trip through evil country YYY, get MitM'd but rather that the web site administrator receives a clue within some "reasonable" timeframe. 

What defines "reasonable" and if it is sufficient to drive implementations toward supporting this extension is a harder question. 

- max

On Sep 26, 2011, at 11:05 AM, Martin Rex wrote:

> Florian Weimer wrote:
>> 
>> I have submitted draft-weimer-tls-previous-certificate-00, which intents
>> to facilitate detection of fraudulent certificates used in the wild:
>> 
>> <http://tools.ietf.org/html/draft-weimer-tls-previous-certificate-00>
>> 
>> The basic idea is to use leaks from mobile clients moving between
>> networks with and without a clear path to the server.  The previous
>> server certificate chain is included in the client hello, so the server
>> receives it when the client transitions to a network with a clear path.
>> 
>> This draft prompted my previous question about extension size limits.
>> Unfortunately, that issue makes this very simple idea somewhat
>> complicated, but I tried to add a fairly straightforward workaround.
> 
> Having the client send _only_ the servers certificate and not the
> entire certificate path should IMO be sufficient for the purpose you
> outline.
> 
> I don't know why you think the 64 KByte TLS extension size limit would
> be a problem.
> 
> A non-marginal fraction of the installed base of TLS will puke when
> encountering a TLS handshake message that is split/fragmented across
> TLS record boundaries (which have a limit of 16 KByte).  The currently
> most likely situation where this occurs (and the only one that
> I've seen in the wild so far) are the CertificateRequest handshake
> message contains a large number (60+) of certification_authorities.
> Usually, the server tries to stuff the server response
> (ServerHello,Certificate, CertificateRequest,ServerHelloDone)
> into one single 16 KByte SSL Record, so even fitting the Server's
> certificate chain alone should not normally be a problem.
> 
> 
> But I don't see how this extension could realistically work in a
> sane fashion.  The TLS implementation in TLS servers is not normally
> keeping a history of previous TLS Server certificates which it ever
> used (and might not have a persistence of its own for such a purpose),
> usually not even across process restarts, and having TLS backends of
> a Web-Server-Farm or hot-backups keep such a history in a consistent
> fashion is even more unlikely.
> 
> And end users would probably prefer their TLS clients to tell them right
> away when a server credential changes unexpectedly, rather than
> a TLS server telling them, after they come home from a several weeks
> trip through some contry YYY, that their last several week of connect(s)
> had all been MITMd...
> 
> 
> -Martin
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls