Re: [TLS] Heartbleed / protocol complexity
Patrick Pelletier <code@funwithsoftware.org> Mon, 14 April 2014 02:03 UTC
Return-Path: <code@funwithsoftware.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A97E1A02F9 for <tls@ietfa.amsl.com>; Sun, 13 Apr 2014 19:03:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level:
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ruhV3S8B4tis for <tls@ietfa.amsl.com>; Sun, 13 Apr 2014 19:03:48 -0700 (PDT)
Received: from mail24c25-2209.carrierzone.com (mail7c25.carrierzone.com [64.29.147.17]) by ietfa.amsl.com (Postfix) with ESMTP id 8D5D21A02EC for <tls@ietf.org>; Sun, 13 Apr 2014 19:03:48 -0700 (PDT)
X-Authenticated-User: ppelleti.speakeasy.net
Received: from WhiteAndNerdy.local (dsl017-096-185.lax1.dsl.speakeasy.net [69.17.96.185]) (authenticated bits=0) by mail24c25-2209.carrierzone.com (8.13.6/8.13.1) with ESMTP id s3E23JtU018175 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Mon, 14 Apr 2014 02:03:21 +0000
Message-ID: <534B41E7.2060004@funwithsoftware.org>
Date: Sun, 13 Apr 2014 19:03:19 -0700
From: Patrick Pelletier <code@funwithsoftware.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: Watson Ladd <watsonbladd@gmail.com>, Dan Brown <dbrown@certicom.com>, "tls@ietf.org" <tls@ietf.org>
References: <20140409232505.0d6e02b8@hboeck.de> <CABkgnnX1hrEOmuorkx6st-0V4WAv4YQ9GjiWRtYQyeu6HTXLcA@mail.gmail.com> <5346E261.6070602@gmx.net> <20140411002030.6672532.52002.12768@certicom.com> <CACsn0ckUaN1KapigGfFxr6PsZjfiMZtD-nWqaAw71YfhPJAtxg@mail.gmail.com>
In-Reply-To: <CACsn0ckUaN1KapigGfFxr6PsZjfiMZtD-nWqaAw71YfhPJAtxg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-CSC: 0
X-CHA: v=2.1 cv=f9dxWoCM c=1 sm=1 tr=0 a=3bGt9MXpJgS1DxBngKRbCQ==:117 a=3bGt9MXpJgS1DxBngKRbCQ==:17 a=eVbW6KzvAAAA:8 a=g0qM3YM6AAAA:8 a=Cl-syre4SQwA:10 a=0UrRPsxmZrwA:10 a=rtZ2W72OR7QA:10 a=IkcTkHD0fZMA:10 a=SF9KqDZ7AAAA:8 a=CFUF-9m0FYj6wTlU3NsA:9 a=yzQCUNNwnOsEqCj7:21 a=1PjgaCcA5NJQwRR_:21 a=QEXdDO2ut3YA:10
X-CTCH-RefID: str=0001.0A020206.534B41EA.004B, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0
X-CTCH-VOD: Unknown
X-CTCH-Spam: Unknown
X-CTCH-Score: 0.000
X-CTCH-Rules:
X-CTCH-Flags: 0
X-CTCH-ScoreCust: 0.000
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/Y0cZuqkhw9wN8z-ZtJ00xa6q2Bw
Subject: Re: [TLS] Heartbleed / protocol complexity
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Apr 2014 02:03:50 -0000
On 4/10/14, 7:24 PM, Watson Ladd wrote: > Systematically ensuring that all invalid length combinations would > have triggered an error would have worked. That's more than some test > vectors. Furthermore, it's not clear how you supply test vectors to a > protocol implementation: it can be done, and should be, but it is > quite a bit of work. Presumably in the form of a pathological client (or server) that sends nasty things to its peer, and checks how it responds to them. Although it would be a lot of work, I think the first step would just be establishing such a test suite that could be used by all TLS implementations, and then many could contribute to it over time. > What could have mitigated this bug would be not disabling OS > protection measures in malloc. Had OpenSSL not used their own malloc, > then on OpenBSD the malloc flags "FGJZ" would have significantly > reduced the impact of the attack, and quite possibly crashed the > process if exploitation was tried. (OpenSSL has bugs that are only > found when you disable their own malloc wrapper, which is why they > didn't do it). Can you elaborate on this, or point me to a place where it has been discussed before? Although crypto/mem.c is complicated enough that I could easily be missing something, I thought that by default, CRYPTO_malloc essentially just wraps the system malloc. How does this wrapper make the system malloc behave any differently? > Various proposals for taint analysis in C have floated around for a > number of years. However, qmail demonstrates that one can write secure > C code without this assistance. One *can* write secure code in any language, but it's a question of ease and probability. Even though DJB can write secure C code, I'm of the opinion that on the whole we'd be a lot better off if security-critical code was written in a memory-safe language. > Furthermore, there was no need to implement heartbeats over TLS for > web servers. Yes. It seems like TLS/DTLS could benefit from "profiles" indicating which features are recommended for which uses. There could be a "web profile", a "mail profile", an "Internet of Things" profile. etc. > However, the fundamental problem isn't anything more than the > developers of OpenSSL being lackadaisical about security. I'm inclined to agree with you, but to be a bit more charitable and specific, I think the problem boils down to two main things: 1) Lack of process. It's unclear who's in charge of OpenSSL, how they decide what features to put in or leave out, when they decide to fix bugs, and so forth. Bugs often languish in the bug tracker, without ever being marked "yes, we will fix this" or "no, we won't." For an outsider, it's unclear how to become involved in OpenSSL in a constructive way, since there seems to be a lack of structure, and almost a certain hostility to outsiders. 2) Trying to be all things to all people. OpenSSL is a huge, general-purpose cryptography library, of which TLS is only a part, despite the name. Besides having the kitchen sink, feature-wise, it also tries to be extremely portable. Supporting obscure, obsolete, or embedded operating systems means the code is much more complicated than it needs to be to support typical use on mainstream desktop and server operating systems. Not to mention that a lot of code is doubled due to the FIPS versus non-FIPS distinction. > miTLS does a much better job, is in a > high level language, costs 10x as much in computation time, and is > guaranteed to be correct. Yes, miTLS seems very tantalizing; it seems like it ought to be used more. (Although I shouldn't be one to talk, since I'm using OpenSSL in my project at work, despite all of its horribleness.) --Patrick
- [TLS] Heartbleed / protocol complexity Hanno Böck
- Re: [TLS] Heartbleed / protocol complexity Martin Thomson
- Re: [TLS] Heartbleed / protocol complexity Nico Williams
- Re: [TLS] Heartbleed / protocol complexity Salz, Rich
- Re: [TLS] Heartbleed / protocol complexity Geoffrey Keating
- Re: [TLS] Heartbleed / protocol complexity Nico Williams
- Re: [TLS] Heartbleed / protocol complexity Nico Williams
- Re: [TLS] Heartbleed / protocol complexity Salz, Rich
- Re: [TLS] Heartbleed / protocol complexity Watson Ladd
- Re: [TLS] Heartbleed / protocol complexity Manger, James
- Re: [TLS] Heartbleed / protocol complexity Nikos Mavrogiannopoulos
- Re: [TLS] Heartbleed / protocol complexity Hannes Tschofenig
- Re: [TLS] Heartbleed / protocol complexity Dan Brown
- Re: [TLS] Heartbleed / protocol complexity Watson Ladd
- Re: [TLS] Heartbleed / protocol complexity Hanno Böck
- Re: [TLS] Heartbleed / protocol complexity Martin Rex
- Re: [TLS] Heartbleed / protocol complexity Nico Williams
- Re: [TLS] Heartbleed / protocol complexity Patrick Pelletier
- Re: [TLS] Heartbleed / protocol complexity Bill Frantz