IETF Logo Mail Archive

Re: [TLS] The risk of misconfiguration

Watson Ladd <watsonbladd@gmail.com> Wed, 07 May 2014 03:32 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F0B21A021D for <tls@ietfa.amsl.com>; Tue, 6 May 2014 20:32:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_48=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WviMx_5dpC-D for <tls@ietfa.amsl.com>; Tue, 6 May 2014 20:32:50 -0700 (PDT)
Received: from mail-yh0-x22e.google.com (mail-yh0-x22e.google.com [IPv6:2607:f8b0:4002:c01::22e]) by ietfa.amsl.com (Postfix) with ESMTP id 3C8E41A03FB for <tls@ietf.org>; Tue, 6 May 2014 20:32:48 -0700 (PDT)
Received: by mail-yh0-f46.google.com with SMTP id 29so379724yhl.19 for <tls@ietf.org>; Tue, 06 May 2014 20:32:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=cjij/q7y/M1Xc/xhnJvkqr36NJa7MbPkGHOIRe7Zvu4=; b=oQd0lTYjd9kHkdCJdn95OkY1NjZ32WL9tMNEWzKuF9ZUrfHjjogMIC9LnueNT5okuq JaSqbsUjtpaxk4Sms31eTSLA+D+A7DqrW8tAz53WDVZkOTMFAS6nPmlEli89FN0sZ8q/ lMTgY24WqaxfbiDIRNO59YG+0aM/1k4dYsZgtNuJ9bJqd8Hf1dQ8fuwKLX7XogU416xN IYkCn46OHeWaYJWjIhPS7iDIbVp9e4lCIRgZ6M1Ukz26SrZEAk2oLyWn85oklH6ldDqa 7hMi5exneH9/fdYOP8+P4T5OLY9VJwAxHwf8blRRfersvYqsoUL4Eq6br2xeHZ+6L/NQ qo6w==
MIME-Version: 1.0
X-Received: by 10.236.198.243 with SMTP id v79mr62186676yhn.87.1399433564092; Tue, 06 May 2014 20:32:44 -0700 (PDT)
Received: by 10.170.63.197 with HTTP; Tue, 6 May 2014 20:32:43 -0700 (PDT)
In-Reply-To: <20140507020023.GI27883@mournblade.imrryr.org>
References: <CACsn0cnvV9c5aH5p8cD1fJEzF4dmNXBaEaHCfkX82AZqKOUYaQ@mail.gmail.com> <53692FC2.1060009@akr.io> <20140506221344.GB27883@mournblade.imrryr.org> <536977E3.3000608@akr.io> <20140507002452.GH27883@mournblade.imrryr.org> <CACsn0ck5UtC9T1ktgAiWimWAxBPNoANfOEB8MOF9CfQLCMgSHw@mail.gmail.com> <20140507020023.GI27883@mournblade.imrryr.org>
Date: Tue, 06 May 2014 20:32:43 -0700
Message-ID: <CACsn0c=GqGGTs1maA-hkA641mvnuOy+pgT6imhuA+kpP5eX+pQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/SgAnJAigNNaACMRsmjhjOpLl2qE
Subject: Re: [TLS] The risk of misconfiguration
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 May 2014 03:32:52 -0000

On Tue, May 6, 2014 at 7:00 PM, Viktor Dukhovni
<viktor1dane@dukhovni.org> wrote:
> On Tue, May 06, 2014 at 06:08:52PM -0700, Watson Ladd wrote:
>
>> > We must not confuse implementation user-interface issues with
>> > protocol issues.  The protocol supports many different use-cases.
>> > Interfaces for cipher selection in implementations are not protocol
>> > issues.  The OpenSSL cipherlist interface is beginning to get some
>> > attention.  That issue belongs on openssl-dev@openssl.org, not
>> > tls@ietf.org.
>>
>> Agreed, but it's an example of the hazard that insecure modes present.
>
>> No matter how the choice is presented to end-users or application
>> developers, so long as it is possible to misconfigure TLS, it will be
>> misconfigured.
>
> In Postfix the user chooses a "cipher-grade" that sets the floor
> on the set of enabled cipher-suites.  The levels are monotone.
> This is a simple interface that is rather difficult to mess up.

Actually, it makes the same mistake as OpenSSL does:enabling anonymous
ciphers even when configured to send a server certificate and use 128
bit encryption, without an additional option set. (Source:
http://www.postfix.org/TLS_README.html, search for the Server-Side
Cipher Controls section)

At least the documentation notes that this happens, and tells you the
option you really need. Of course, the sad state of TLS for email
prevents this from being a problem in practice. Postfix is one of the
better-written applications out there, with a team that gets it. That
does not apply to all applications. It doesn't even apply to mobile
banking applications.

> The underlying definitions of these grades is also configurable,
> but I strongly discourage users from attempting to touch these
> without expert advice.
>
> This has worked well for nearly a decade with no evidence of
> significant user confusion or misguided misconfiguration.
>
> User interfaces need to make the simple things easy and the
> complicated things possible.
>
>> You can blame the end user or the programmer or the
>> library writer all you want, but unless a library is willing to forgo
>> supporting null ciphers, they will be used inadvertently. Why include
>> something that should virtually never be used, when using it has bad
>> consequences?
>
> The above is just a rhetorical rant.  Risk cannot be banned out of
> existence, but systems can be designed with greater safety in mind.
>
>> We've recognized the need for guidance on how to use TLS, hence
>> formation of UTA.  We're punting on implementation, although I recently
>> got an email about the C standards body wanting to standardize APIs
>> for networks, which, if they included TLS with a sane API would be
>> wonderful. But the complexity that OpenSSL reveals is real: there is
>> no way to support all possible combinations of ciphersuites without
>> something this nasty to pick between them.
>
> The above is plainly false.  Good systems offer many layers of
> controls, some for naive users some for experts.  They have high
> and low level APIs, with the latter offering more fine-grained
> control when needed.  OpenSSL should be improved not neutered.
> Software that only dumbs everything down is not progress, we need
> software that is both usable and flexible.

I'm a Hobbsean: our role is to assure the safety of encrypted traffic,
even if people can't do what they want as a result. How many
ciphersuites do you really need? Not 314, soon to increase with the
addition of ChaCha20+Poly1305. (Which surprisingly we do need: very
few of the block ciphers are side channel resistant) This number is
actually an underestimate: ECDH and ECDHE indicate curve support
separately from ciphersuite. In TLS 1.3 we've decided to take a vast
number to the woodshed: the question now is to reenable null
encryption.

Maybe it's possible to make a configuration system that enables a
considerable number of these ciphersuites without letting people blow
their leg off accidentally. Experimental evidence largely indicates
otherwise.

Sincerely,
Watson Ladd
>
> --
>         Viktor.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email