IETF Logo Mail Archive

Re: [TLS] The risk of misconfiguration

Watson Ladd <watsonbladd@gmail.com> Thu, 08 May 2014 00:58 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A40B41A0425 for <tls@ietfa.amsl.com>; Wed, 7 May 2014 17:58:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9JNleFD7GroX for <tls@ietfa.amsl.com>; Wed, 7 May 2014 17:58:47 -0700 (PDT)
Received: from mail-yk0-x230.google.com (mail-yk0-x230.google.com [IPv6:2607:f8b0:4002:c07::230]) by ietfa.amsl.com (Postfix) with ESMTP id 7C9231A0069 for <tls@ietf.org>; Wed, 7 May 2014 17:58:47 -0700 (PDT)
Received: by mail-yk0-f176.google.com with SMTP id q9so1567162ykb.35 for <tls@ietf.org>; Wed, 07 May 2014 17:58:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=0BIT6fndOk+lL9nV6LZQKk9Bl62FwjNCaIlBNqiNh7A=; b=UH6YLJV5Xnllz4et1zTGKAD40Bcg59JlJLTWldTGvAC8qFR2lcUAe9RvuyUc0samhd ZvoJatCBAViFT2Tb1h6VvnWQIR7iImhmPT4kc5hkX/dND4YOQ64/TtPqD5ludcOTFRQ5 BAwdUmkuaI0My0Mursoy87aMcFd7tadBTJm32wOuQTyVvpXrY/FUHcyI7pK9lERCLTIQ 5Ib7CIEC59F7eqA9KzO72aZFfbNZ+MBNNhJoqzkxs+Mm6Rxqrr+Q9emOKda4nNSSHYxh oKW/9SMyXq0mqHKg2DMI3WHZROMlw5+uGsBMmcsaaVeT27djUUTw4p+ZWXj1ek4IMQKy GDCA==
MIME-Version: 1.0
X-Received: by 10.236.139.70 with SMTP id b46mr451676yhj.63.1399510723120; Wed, 07 May 2014 17:58:43 -0700 (PDT)
Received: by 10.170.63.197 with HTTP; Wed, 7 May 2014 17:58:43 -0700 (PDT)
In-Reply-To: <20140508001532.GG27883@mournblade.imrryr.org>
References: <2A0EFB9C05D0164E98F19BB0AF3708C7130A13E3A2@USMBX1.msg.corp.akamai.com> <536A8804.8000207@akr.io> <CAK3OfOgVAg8MLSmRVLe-6vVVzX361xYo4uma3-GQQmn=qoWWbQ@mail.gmail.com> <CACsn0ckrnbQbz-KCEY6u-WU7ULPTQv46g3noz44jMjW5HmFU0g@mail.gmail.com> <CAK3OfOiSKkeknHMwS-a90rR4hF9J9HaNn_XL_b75Mrx3o_wVMQ@mail.gmail.com> <CACsn0cksBt3Mj587cG-U5O5=Kc2p5T1NCP_-LrMRBv1V2hR2wQ@mail.gmail.com> <CAK3OfOibPMSriPsgO286PEZ=N+sdnuDpPyJ_xDr9KdATA_QjLQ@mail.gmail.com> <CACsn0cmB3TQVzsCthYCuY1q-z10wPbmat32Ys9ABT361fYNZLQ@mail.gmail.com> <CAK3OfOgan_JvsuwGNgpzk4tUfoo+JhxbNaHkbZCtAs7DHufr-w@mail.gmail.com> <CACsn0cmeq66S8LS38FmooWpOf534Gda5t09Ro1F3anLb-fJMMQ@mail.gmail.com> <20140508001532.GG27883@mournblade.imrryr.org>
Date: Wed, 07 May 2014 17:58:43 -0700
Message-ID: <CACsn0ck4mq3LnUwmBwBTgtuA+tHW9_FLHi1zdkz-ApkmtZs7eg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/aA9iWFHYMaSfBclu1ngTGkm_X24
Subject: Re: [TLS] The risk of misconfiguration
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 May 2014 00:58:49 -0000

On May 7, 2014 5:15 PM, "Viktor Dukhovni" <viktor1dane@dukhovni.org> wrote:
>
> On Wed, May 07, 2014 at 04:48:02PM -0700, Watson Ladd wrote:
>
> > I think the null encryption cipher should definitely stay out: the
> > only use I've heard of is extremely niche, namely large datasets with
> > slow CPUs on both ends.
>
> Any bulk transfer application that wants to work at wire rates to
> move already encrypted data with authentication of the endpoints.
>
> The solution to avoid accidental use of NULL ciphers is in the
> client API, no client HELLO should ever include a mixture of NULL
> and non-NULL ciphers-suites.

Why not make that a MUST in the RFC, and the same for anonymous DH? I
think this solves most of the configuration issues without making any
uses impossible.

To those who haven't been following along that means the following:
1: Your ciphersuite list can have either authenticated or
unauthenticated ciphers, but cannot have both.
2: It can have null encryption or use encryption, but not both.
3: If you try to break the above rules, the remote side (assuming it
is compliant) bails out.

I can live with that: it makes accidental misconfiguration cause
everything to stop working, thus preventing a quiet misconfiguration
incident.
>
> The "let's remove everything that I personally don't use" crusade
> seems rather heavy-handed.  Successful general-purpose protocols
> have more knobs than niche protocols.  That's the cost of success.

Maybe if TLS wasn't "successful" we wouldn't have had the terrible
track record on security, because it would be simple enough to
understand and see the problems. That's vastly preferable to having
problems that will continue to bite us for years because broken
versions of the protocol were widely deployed.

Sincerely,
Watson Ladd
>
> --
>         Viktor.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email