[TLS] The risk of misconfiguration

[Watson Ladd <watsonbladd@gmail.com>]

Dear all,

Do you know what your TLS configurations mean? If you use OpenSSL,
probably not: apparently "HIGH" enables ADH ciphersuites. It does so
before permitting AES128 with an authenticated ECDHE exchange. Sorting
by strength puts DES ahead of AES128: I've got no idea how that
happened. (Yes, DES: 3DES is indicated differently. Maybe it is really
3DES, but even so...). I haven't found the email yet, but someone
indicated they saw this in the wild on the list, actually leading to
ADH happening due to an interaction between this and another borked
configuration.

I've sort of singled out OpenSSL here. PolarSSL uses compile-time
configuration, which in some circumstances doesn't work, but it at
least provides a somewhat sensible configuration depending on how you
build it.I've not looked at GnuTLS yet, or cryptlib.

Actually configuring OpenSSL to do something reasonable requires
writing something like
EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:EECDH+RC4:RSA+RC4:!MD5.
Good luck coming up with that when you are overly busy, don't realize
that asking for high security doesn't actually do what you want, and
don't know anything about crypto.

Part of the issue is that we've enabled dangerous options like NULL
ciphers and anonymous DH, which very, very few people should ever use.
The other part of the issue is software quality. But a third part of
the issue is the lack of guidance, which UTA was supposedly going to
address.

So how do we fix this? Well, one thing we can do is ensure that the
least secure options are reasonably secure, so if they are enabled it
isn't a disaster. Authentication-only ciphersuites fail that test. I
appreciate the performance issue, and yes, sometimes you don't need
encryption. But I think the number of people who accidentally enabled
ADH is an order of magnitude more than those who actually wanted it.

Sincerely,
Watson Ladd