Re: [TLS] The risk of misconfiguration
Watson Ladd <watsonbladd@gmail.com> Wed, 07 May 2014 03:32 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F0B21A021D for <tls@ietfa.amsl.com>; Tue, 6 May 2014 20:32:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_48=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WviMx_5dpC-D for <tls@ietfa.amsl.com>; Tue, 6 May 2014 20:32:50 -0700 (PDT)
Received: from mail-yh0-x22e.google.com (mail-yh0-x22e.google.com [IPv6:2607:f8b0:4002:c01::22e]) by ietfa.amsl.com (Postfix) with ESMTP id 3C8E41A03FB for <tls@ietf.org>; Tue, 6 May 2014 20:32:48 -0700 (PDT)
Received: by mail-yh0-f46.google.com with SMTP id 29so379724yhl.19 for <tls@ietf.org>; Tue, 06 May 2014 20:32:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=cjij/q7y/M1Xc/xhnJvkqr36NJa7MbPkGHOIRe7Zvu4=; b=oQd0lTYjd9kHkdCJdn95OkY1NjZ32WL9tMNEWzKuF9ZUrfHjjogMIC9LnueNT5okuq JaSqbsUjtpaxk4Sms31eTSLA+D+A7DqrW8tAz53WDVZkOTMFAS6nPmlEli89FN0sZ8q/ lMTgY24WqaxfbiDIRNO59YG+0aM/1k4dYsZgtNuJ9bJqd8Hf1dQ8fuwKLX7XogU416xN IYkCn46OHeWaYJWjIhPS7iDIbVp9e4lCIRgZ6M1Ukz26SrZEAk2oLyWn85oklH6ldDqa 7hMi5exneH9/fdYOP8+P4T5OLY9VJwAxHwf8blRRfersvYqsoUL4Eq6br2xeHZ+6L/NQ qo6w==
MIME-Version: 1.0
X-Received: by 10.236.198.243 with SMTP id v79mr62186676yhn.87.1399433564092; Tue, 06 May 2014 20:32:44 -0700 (PDT)
Received: by 10.170.63.197 with HTTP; Tue, 6 May 2014 20:32:43 -0700 (PDT)
In-Reply-To: <20140507020023.GI27883@mournblade.imrryr.org>
References: <CACsn0cnvV9c5aH5p8cD1fJEzF4dmNXBaEaHCfkX82AZqKOUYaQ@mail.gmail.com> <53692FC2.1060009@akr.io> <20140506221344.GB27883@mournblade.imrryr.org> <536977E3.3000608@akr.io> <20140507002452.GH27883@mournblade.imrryr.org> <CACsn0ck5UtC9T1ktgAiWimWAxBPNoANfOEB8MOF9CfQLCMgSHw@mail.gmail.com> <20140507020023.GI27883@mournblade.imrryr.org>
Date: Tue, 06 May 2014 20:32:43 -0700
Message-ID: <CACsn0c=GqGGTs1maA-hkA641mvnuOy+pgT6imhuA+kpP5eX+pQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/SgAnJAigNNaACMRsmjhjOpLl2qE
Subject: Re: [TLS] The risk of misconfiguration
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 May 2014 03:32:52 -0000
On Tue, May 6, 2014 at 7:00 PM, Viktor Dukhovni <viktor1dane@dukhovni.org> wrote: > On Tue, May 06, 2014 at 06:08:52PM -0700, Watson Ladd wrote: > >> > We must not confuse implementation user-interface issues with >> > protocol issues. The protocol supports many different use-cases. >> > Interfaces for cipher selection in implementations are not protocol >> > issues. The OpenSSL cipherlist interface is beginning to get some >> > attention. That issue belongs on openssl-dev@openssl.org, not >> > tls@ietf.org. >> >> Agreed, but it's an example of the hazard that insecure modes present. > >> No matter how the choice is presented to end-users or application >> developers, so long as it is possible to misconfigure TLS, it will be >> misconfigured. > > In Postfix the user chooses a "cipher-grade" that sets the floor > on the set of enabled cipher-suites. The levels are monotone. > This is a simple interface that is rather difficult to mess up. Actually, it makes the same mistake as OpenSSL does:enabling anonymous ciphers even when configured to send a server certificate and use 128 bit encryption, without an additional option set. (Source: http://www.postfix.org/TLS_README.html, search for the Server-Side Cipher Controls section) At least the documentation notes that this happens, and tells you the option you really need. Of course, the sad state of TLS for email prevents this from being a problem in practice. Postfix is one of the better-written applications out there, with a team that gets it. That does not apply to all applications. It doesn't even apply to mobile banking applications. > The underlying definitions of these grades is also configurable, > but I strongly discourage users from attempting to touch these > without expert advice. > > This has worked well for nearly a decade with no evidence of > significant user confusion or misguided misconfiguration. > > User interfaces need to make the simple things easy and the > complicated things possible. > >> You can blame the end user or the programmer or the >> library writer all you want, but unless a library is willing to forgo >> supporting null ciphers, they will be used inadvertently. Why include >> something that should virtually never be used, when using it has bad >> consequences? > > The above is just a rhetorical rant. Risk cannot be banned out of > existence, but systems can be designed with greater safety in mind. > >> We've recognized the need for guidance on how to use TLS, hence >> formation of UTA. We're punting on implementation, although I recently >> got an email about the C standards body wanting to standardize APIs >> for networks, which, if they included TLS with a sane API would be >> wonderful. But the complexity that OpenSSL reveals is real: there is >> no way to support all possible combinations of ciphersuites without >> something this nasty to pick between them. > > The above is plainly false. Good systems offer many layers of > controls, some for naive users some for experts. They have high > and low level APIs, with the latter offering more fine-grained > control when needed. OpenSSL should be improved not neutered. > Software that only dumbs everything down is not progress, we need > software that is both usable and flexible. I'm a Hobbsean: our role is to assure the safety of encrypted traffic, even if people can't do what they want as a result. How many ciphersuites do you really need? Not 314, soon to increase with the addition of ChaCha20+Poly1305. (Which surprisingly we do need: very few of the block ciphers are side channel resistant) This number is actually an underestimate: ECDH and ECDHE indicate curve support separately from ciphersuite. In TLS 1.3 we've decided to take a vast number to the woodshed: the question now is to reenable null encryption. Maybe it's possible to make a configuration system that enables a considerable number of these ciphersuites without letting people blow their leg off accidentally. Experimental evidence largely indicates otherwise. Sincerely, Watson Ladd > > -- > Viktor. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Watson Ladd
- [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Alyssa Rowan
- Re: [TLS] The risk of misconfiguration James Cloos
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Andrei Popov
- Re: [TLS] The risk of misconfiguration Alyssa Rowan
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Ralph Holz
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Fedor Brunner
- Re: [TLS] The risk of misconfiguration Nikos Mavrogiannopoulos
- Re: [TLS] The risk of misconfiguration Warren Kumari
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Michael D'Errico
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Michael D'Errico
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Alyssa Rowan
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] Fingerprinting weaknesses (was: The ris… Alyssa Rowan
- Re: [TLS] Fingerprinting weaknesses (was: The ris… Salz, Rich
- Re: [TLS] The risk of misconfiguration Alyssa Rowan
- Re: [TLS] Fingerprinting weaknesses (was: The ris… Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] Fingerprinting weaknesses (was: The ris… Nico Williams
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] Fingerprinting weaknesses (was: The ris… Watson Ladd
- Re: [TLS] The risk of misconfiguration Nico Williams
- Re: [TLS] Fingerprinting weaknesses (was: The ris… Nico Williams
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Salz, Rich
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Manuel Pégourié-Gonnard
- Re: [TLS] The risk of misconfiguration Yoav Nir
- Re: [TLS] The risk of misconfiguration Salz, Rich
- Re: [TLS] The risk of misconfiguration Martin Rex
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Martin Thomson
- Re: [TLS] The risk of misconfiguration Stephen Farrell
- Re: [TLS] The risk of misconfiguration Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] The risk of misconfiguration Manuel Pégourié-Gonnard
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Russ Housley
- Re: [TLS] The risk of misconfiguration Bill Frantz
- Re: [TLS] The risk of misconfiguration Michael D'Errico
- Re: [TLS] The risk of misconfiguration Daniel Kahn Gillmor
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration (Muphry's … Viktor Dukhovni
- Re: [TLS] The risk of misconfiguration Watson Ladd
- Re: [TLS] The risk of misconfiguration Stephen Farrell
- Re: [TLS] The risk of misconfiguration Viktor Dukhovni