IETF Logo Mail Archive

Re: [TLS] TLS, PKI,

Marsh Ray <marsh@extendedsubset.com> Wed, 14 July 2010 17:59 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6985A3A696D for <tls@core3.amsl.com>; Wed, 14 Jul 2010 10:59:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.756
X-Spam-Level:
X-Spam-Status: No, score=-0.756 tagged_above=-999 required=5 tests=[AWL=-0.616, BAYES_20=-0.74, J_CHICKENPOX_41=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pkEJcdVeRaBE for <tls@core3.amsl.com>; Wed, 14 Jul 2010 10:59:38 -0700 (PDT)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 5FF2C3A6AB8 for <tls@ietf.org>; Wed, 14 Jul 2010 10:59:38 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1OZ5px-0003Wh-Bh; Wed, 14 Jul 2010 17:33:37 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 682E66337; Wed, 14 Jul 2010 17:33:31 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX19rhUjVgdip/021rBTpiKLInBl1HgWoalc=
Message-ID: <4C3DF4EA.3030001@extendedsubset.com>
Date: Wed, 14 Jul 2010 12:33:30 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.10) Gecko/20100527 Thunderbird/3.0.5
MIME-Version: 1.0
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
References: <E1OZ1UV-0002me-VD@wintermute02.cs.auckland.ac.nz>
In-Reply-To: <E1OZ1UV-0002me-VD@wintermute02.cs.auckland.ac.nz>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] TLS, PKI,
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jul 2010 17:59:39 -0000

Personally, I am not a believer in using either source or dest IP 
address as a basis for authentication. DHCP, ARP, DNS, and IP routing 
can be owned all the time. For mobile WiFi devices the default 
assumption has to be that they are always operating on untrusted networks.

DNS rebinding, connection string, and other attacks let bad guys make 
connections out from your 'internal' systems. Not to mention the 
possibility that there is at least one owned PC behind your firewall.

On 07/14/2010 07:55 AM, Peter Gutmann wrote (or maybe was quoting):
>
> Another way of looking at this
> concession in the direction of practical usability is that if there.s
> an active attacker sitting inside your firewalled private subnet
> performing MITM attacks on you then you have far bigger things to
> worry about then a case of potential certificate spoofing.

Really? Most of these attackers and botnets seem to be after your online 
banking credentials (which could easily be obtained by cert spoofing 
after compromising your home router). Which is not to say you're not 
totally owned of course, but there's no reason to that cert attacks are 
inherently less important.

This common reasoning is also a bit fallacious: SSL/TLS+PKI is supposed 
to be the thing that protects you from compromises in routing and DNS so 
it's not a straightforward comparison of the severities of the two types 
of compromise. The DNS and IP guys used to think "well they have SSL, 
SSH, and IPSEC to protect against that" so no part of the design of 
those protocols can count on anything about the lower layers.

http://www.networkworld.com/news/2010/022010-chuck-norris-botnet-karate-chops-routers.html 
:
vvvvvvvvvvv
> A D-Link spokesman said he was not aware of the botnet, and the
> company did not immediately have any comment on the issue.
>
> Like an earlier router-infecting botnet called Psyb0t, Chuck Norris
> can infect an MIPS-based device running the Linux operating system if
> its administration interface has a weak username and password, he
> said. This MIPS/Linux combination is widely used in routers and DSL
> modems, but the botnet also attacks satellite TV receivers.
^^^^^^^^^^^^^^^

- Marsh

v2.23.0 | Report a Bug | By Email