IETF Logo Mail Archive

Re: [TLS] TLS and middleboxes again

Yoav Nir <ynir@checkpoint.com> Fri, 26 August 2011 20:19 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1F7D21F8C7B for <tls@ietfa.amsl.com>; Fri, 26 Aug 2011 13:19:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.209
X-Spam-Level:
X-Spam-Status: No, score=-10.209 tagged_above=-999 required=5 tests=[AWL=0.090, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cgSN20UmMkOu for <tls@ietfa.amsl.com>; Fri, 26 Aug 2011 13:19:39 -0700 (PDT)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id E7B5E21F8B5F for <tls@ietf.org>; Fri, 26 Aug 2011 13:19:38 -0700 (PDT)
X-CheckPoint: {4E580D76-3-1B221DC2-FFFF}
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id p7QKKr8H029816; Fri, 26 Aug 2011 23:20:54 +0300
Received: from il-ex03.ad.checkpoint.com (194.29.34.71) by il-ex01.ad.checkpoint.com (194.29.34.26) with Microsoft SMTP Server (TLS) id 8.2.255.0; Fri, 26 Aug 2011 23:20:54 +0300
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex03.ad.checkpoint.com ([194.29.34.71]) with mapi; Fri, 26 Aug 2011 23:20:53 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: Juho Vähä-Herttua <juhovh@iki.fi>
Date: Fri, 26 Aug 2011 23:20:51 +0300
Thread-Topic: [TLS] TLS and middleboxes again
Thread-Index: AcxkLadSw2sGw1QVQCqFMMaUutwe4w==
Message-ID: <26DC6964-8FEE-469B-8F51-68241C4A3320@checkpoint.com>
References: <mailman.83.1314298812.6863.tls@ietf.org> <4E5764A6.8080701@gmail.com> <4E577B25.3040302@iki.fi>
In-Reply-To: <4E577B25.3040302@iki.fi>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS and middleboxes again
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Aug 2011 20:19:40 -0000

On Aug 26, 2011, at 1:53 PM, Juho Vähä-Herttua wrote:

> 26.8.2011 12:17, Yaron Sheffer kirjoitti:
>> I support this proposal. I think it is a lot more generic than the 
>> previous one, since it also supports mutual authentication (TLS-SRP) 
>> and client certs.
> 
> I support it as well,

This is meant as a straw man proposal. I still think that an actual proxy is better.

>> A few comments:
>> - On top of the encryption keys, we probably need to support sending 
>> the MAC keys. Subject to client and server policy of course.
> 
> I have no reason to support sending the MAC keys, and letting the proxy 
> to modify the actual contents of the connection sounds a bit scary to 
> me... What's the actual use case for this?

An attacker sends your gmail (or hotmail, of iCloud) account a document containing malicious macros. You click the document link within the website to download it. The middlebox detects the malware. Without MAC keys, it can only break the connection, which looks weird - like the download has failed. With MAC keys, it can redirect to a page that says "The file you tried to download contains the XXXXX virus", or it can even let you download a document that says that.

> 
>> - IMHO the following sentence is miguided, and opens a major security 
>> loophole: "If a KeyShareInfo record is received with an unknown 
>> certificate, [...] the user MAY be prompted to authorize the 
>> decryption, and optionally change the configuration to allow future 
>> decryption by this certificate." Users will always say Yes when 
>> otherwise their communication will be interrupted. In other words, the 
>> proxy certificates must only be provisioned off-line, in advance, when 
>> the user can still make reasoned decisions. [As an example of this 
>> user behavior, I just approved myself the IETF's own expired 
>> certificate...]
> 
> I'm not sure if KeyShareInfo with an unknown certificate should ever be 
> allowed... Configuring it as authorized might be even worse idea. Thank 
> you for the draft anyway, I think if implemented widely it would be a 
> better option than the proxy certificate currently used, because it's 
> much better to be able to only share the decryption keys without the MAC 
> keys.

I agree that configuration is a difficult issue, but I don't see how we can take the user out of the loop. I don't want to allow Starbucks to decrypt my TLS traffic, but I will probably accept this from my employer. These days we have a lot of unmanaged hardware at companies (a lot of Macs, and almost all cell-phones) and even more unmanaged browsers.

v2.23.0 | Report a Bug | By Email