Re: [TLS] Security concerns around co-locating TLS and non-secure on same port (WGLC: draft-ietf-tsvwg-iana-ports-08)

[Bill Frantz <frantz@pwpconsult.com>]

On 11/8/10 at 6:38 PM, marsh@extendedsubset.com (Marsh Ray) wrote:

>Marsh Ray <marsh@extendedsubset.com> writes:
>On 11/08/2010 06:58 PM, Bill Frantz wrote:
>>
>>Don't underestimate the value of protection from passive
>>eavesdropping.
>...
>>It buys you quite a bit in the mobile WiFi world,
>>where trusting the network providers is not an unreasonable level of
>>trust compared with trusting anyone who can hear your radio
>>connection.
>
>Which did you mean:
>
>Mobile, i.e. GSM and CDMA?   - varying degrees of pwned.
>
>Or "mobile" WiFi hotspots?   - pwned.

Is my home WiFi router pwned? How about the one at the airport? 
The one at the coffee shop where I know the owner? The one set 
up by the conference committee?

While any of these entry points can be pwned by exploitation of 
flaws in their implementation, I don't think the 
people/organizations that set them up have an incentive to 
install MITM attacks in them.

I think there is little incentive for the more backbone network 
providers to install MITM attacks. (But see the comment about 
three letter agencies below.)

Now I think it requires an active attack to install a MITM. Just 
being able to eavesdrop the bits won't do it. (Please tell me if 
I am wrong.)


>>As an exercise for the student: Do you trust your network provider
>>more than you trust our current version of PKI?
>
>Yeah good question.
>
>My answer is that it's meaningless to talk about "trusting" my 
>network provider, other than having expectation that they will 
>deliver my packets with high probability and low latency (and 
>bill me for it accurately). No security properties per se are 
>guaranteed by the design of the Internet. This was an 
>intentional decision on the part of its designers. There were 
>plenty of other networks back then that tried to build in all 
>sorts of properties like that, but use the net we have today 
>because it just works better this way.

My reaction is, there are no guarantees in life. Given the 
frequency of security patches in all major software, doubly so. 
However you can get a useful level of confidence by looking at 
peoples incentives.


>>My answer might depend on how the three letter agencies active where
>>my packets may flow fit into my threat model.
>
>You don't know the route your packets will take across the 
>public net. Every packet may take a different route. Really.
>
>Or alternatively, an attacker could arrange for your data to be 
>transmitted from a geosynchronous satellite over an unencrypted 
>downlink where they could be received anonymously by consumer 
>equipment anywhere on the entire continent:
>http://www.blackhat.com/presentations/bh-dc-10/Nve_Leonardo/BlackHat-DC-2010-Nve-Playing-with-SAT-1.2-wp.pdf

Unless there are nodes in the network over which my packets pass 
which are pwned, this attack does not seem possible. Once I have 
set up an encrypted session with the mail server, I don't care 
if the bits are read.


Now I fully agree that a system with authentication would be 
better than just anon-DH. However, such a system has costs as 
well, and in many practical situations you get real value from anon-DH.

My own taste would be to know when the public key of the mail 
server changed. I really can afford to store the public keys of 
all the mail servers I use. I can erase one of the 500+ megabyte 
photos I have to make room. :-)


I checked what my email provider (Earthlink) does. When I set 
SSL in my mail agent to "disabled", I can pick up mail. When I 
set it to "negotiated", the connection is quickly dropped and I 
can't pick up mail. When I set it to "Required" connection setup 
hangs. YMMV.

Cheers - Bill

---------------------------------------------------------------------------
Bill Frantz        |"Web security is like medicine - trying to 
do good for
408-356-8506       |an evolved body of kludges" - Mark Miller
www.periwinkle.com |