Re: [TLS] datacenter TLS decryption as a three-party protocol
Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 19 July 2017 22:58 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46EDD124D37 for <tls@ietfa.amsl.com>; Wed, 19 Jul 2017 15:58:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dR8qm4PhesUh for <tls@ietfa.amsl.com>; Wed, 19 Jul 2017 15:58:06 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7C281200ED for <tls@ietf.org>; Wed, 19 Jul 2017 15:58:06 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id DBFE0BE39; Wed, 19 Jul 2017 23:58:04 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3FsZ74U2Ygi2; Wed, 19 Jul 2017 23:58:03 +0100 (IST)
Received: from [172.28.172.2] (unknown [185.51.72.72]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 16964BE24; Wed, 19 Jul 2017 23:58:01 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1500505083; bh=P84X4GMwnML5TaoqQurccKTRbiE/EsoG+uRcHGQommk=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=dYEEnCR5zmlWPki+P1Fgpm6aq9eK//goEi9MjNapgm2K2RCWgXv2BtVPdwjmCmgUd qP6vp0rf6pDWuP03+EnSKSTfL+CKlqyWTOgNhR3QNcQsCPK4kZa5O+jevJ9h2uLKQb uRc0vVYQu+MOazcPIQQmxKbQNcdzMIjkgbSv77MY=
To: mrex@sap.com, Ted Lemon <mellon@fugue.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
References: <20170719202515.919D11A6CB@ld9781.wdf.sap.corp>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <e890aee1-5ad6-7a8a-a5d7-d5bc408966db@cs.tcd.ie>
Date: Wed, 19 Jul 2017 23:57:59 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <20170719202515.919D11A6CB@ld9781.wdf.sap.corp>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="gF2ijWeHb4BM8qJR3AvP9D6XxlfwEuEnP"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/nXvSVblPEp5m5ttfEiA3jRwvZ9M>
Subject: Re: [TLS] datacenter TLS decryption as a three-party protocol
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jul 2017 22:58:09 -0000
Just to note that Martin's mail contains specific examples and detailed argument. That should be the lowest bar that needs to be met in this discussion, not the arm-waving about "TLS as a DoS attack" or "what about grandma" nonsense that we heard today. The contrast between such non-argument and the care that has been taken, and continues to be taken, in the development of TLS1.3 is stark. S. On 19/07/17 21:25, Martin Rex wrote: > I just watched the presentation on static DH / TLS decryption in Enterprise > settings of todays TLS session > > https://youtu.be/fv1AIgRdKkY?t=4473 > > and I'm seriously appalled by the amount of cluelessness in the > Networking & IT Departments on the one hand, and by what seems like > woefully inadequate apps on the other hand. > > I've been doing middleware development and customer support of > SSL/TLS-protected communication for our company's (legacy) app > as well as maintenance & customer support for the TLS stack we're > shipping with it for the past 17 years, and I can't stop shaking > my head about the perceived problems, that *NEVER*EVER* occurred > to me, nor our IT & Hosting and neither any of our customers using our app > (and I would definitely know about it). > > Although we do ship our own TLS implementation, we don't have any APIs > to export cryptographic keys, simply because it's completely unnecessary. > > > With extremely few exceptions, an API-level trace at the endpoints > is totally sufficient for finding app-level problems, such as > unexpected "expensive" requests. App-level traces on *EITHER* side > should provide *ALL* information that is necessary to determine _which_ > particular requests are taking longer than expected. If your Apps do > not provide meaningful traces, then you have an *APPS* problem, and > should be fixing or replacing apps, rather than mess around with TLS. > > > There were a few issues with F5 loadbalancers (that were just forwarding > traffic, _not_ acting as reverse proxy) related to a borked F5 option called > "FastL4forward", which occasionally caused the F5 box to truncate TCP streams > (the box received&ACKed 5 MByte of TCP data towards the TLS Server, but > forwarded only 74 KBytes to the client before closing the connection with > a TCP FIN towards the TLS client. > > And once I saw another strange TCP-level data corruption caused by some Riverbed WAN accellerator. > > > I remember exactly _two_ occasions during that 17 years when I produced > a special instrumented version of our library for the server endpoint, > which dumped stuff into a local trace file, but I never ever thought > about exporting crypto keys (because it wouldn't help, and those > weren't _my_ keys (but those of a customer): > > (1) it dumped the decrypted RSA block from the ClientKeyExchange > handshake message when encountering a PKCS#1 BT02 padding > encoding failure > > (2) it dumped the final decrypted block of a TLS record for > when the CBC-padding-verification failed the check. > > (1) was caused by a bug in the long integer arithmetic of an F5 load balancer > which ocassionally produced bogus (un-decryptable) PreMasterSecrets > > (2) was caused by a design flaw in JavaSE 1.6 by Java's SSL when it was used with GenericBlockCipher over native-IO interfaces. > > > I firmly believe that if you have a desire to decrypt TLS-protected > traffic to debug APPS issues, then your APPS must be crap, and seriously > lack capabilities to trace/analyze endpoint behaviour at the app level. > > > With respect to "monitoring" SSL/TLS-protected traffic in the > enterprise environment: > > At least here in Germany, we're in the lucky position that wiretapping > network traffic has been made a criminal offense in 2004. If IT/Networking > folks in the enterprise settings don't want to spend up to 4 years behind > bars, they don't even try to decrypt SSL/TLS-protected traffic. > > > -Martin >
- [TLS] datacenter TLS decryption as a three-party … Benjamin Kaduk
- Re: [TLS] datacenter TLS decryption as a three-pa… Ted Lemon
- Re: [TLS] datacenter TLS decryption as a three-pa… Kyle Rose
- Re: [TLS] datacenter TLS decryption as a three-pa… Ted Lemon
- Re: [TLS] datacenter TLS decryption as a three-pa… Kyle Rose
- Re: [TLS] datacenter TLS decryption as a three-pa… Roland Zink
- Re: [TLS] datacenter TLS decryption as a three-pa… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] datacenter TLS decryption as a three-pa… Yoav Nir
- Re: [TLS] datacenter TLS decryption as a three-pa… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] datacenter TLS decryption as a three-pa… Derrell Piper
- Re: [TLS] datacenter TLS decryption as a three-pa… Stephen Farrell
- Re: [TLS] datacenter TLS decryption as a three-pa… Benjamin Kaduk
- Re: [TLS] datacenter TLS decryption as a three-pa… Stephen Farrell
- Re: [TLS] datacenter TLS decryption as a three-pa… Ted Lemon
- Re: [TLS] datacenter TLS decryption as a three-pa… Colm MacCárthaigh
- Re: [TLS] datacenter TLS decryption as a three-pa… Ted Lemon
- Re: [TLS] datacenter TLS decryption as a three-pa… Colm MacCárthaigh
- Re: [TLS] datacenter TLS decryption as a three-pa… BITS Security
- Re: [TLS] datacenter TLS decryption as a three-pa… Martin Rex
- Re: [TLS] datacenter TLS decryption as a three-pa… Martin Rex
- Re: [TLS] datacenter TLS decryption as a three-pa… Salz, Rich
- Re: [TLS] datacenter TLS decryption as a three-pa… Roland Zink
- Re: [TLS] datacenter TLS decryption as a three-pa… Stephen Farrell
- Re: [TLS] datacenter TLS decryption as a three-pa… Stephen Farrell
- Re: [TLS] datacenter TLS decryption as a three-pa… Colm MacCárthaigh
- Re: [TLS] datacenter TLS decryption as a three-pa… Tony Arcieri
- Re: [TLS] datacenter TLS decryption as a three-pa… Andrei Popov
- Re: [TLS] datacenter TLS decryption as a three-pa… Colm MacCárthaigh
- Re: [TLS] datacenter TLS decryption as a three-pa… Andrei Popov
- Re: [TLS] datacenter TLS decryption as a three-pa… Salz, Rich
- Re: [TLS] datacenter TLS decryption as a three-pa… Colm MacCárthaigh
- Re: [TLS] datacenter TLS decryption as a three-pa… Stephen Farrell
- Re: [TLS] datacenter TLS decryption as a three-pa… Colm MacCárthaigh
- Re: [TLS] datacenter TLS decryption as a three-pa… Stephen Farrell
- Re: [TLS] datacenter TLS decryption as a three-pa… Colm MacCárthaigh
- Re: [TLS] datacenter TLS decryption as a three-pa… Martin Rex
- Re: [TLS] datacenter TLS decryption as a three-pa… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] datacenter TLS decryption as a three-pa… Ilari Liusvaara
- Re: [TLS] datacenter TLS decryption as a three-pa… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] datacenter TLS decryption as a three-pa… Ilari Liusvaara
- Re: [TLS] datacenter TLS decryption as a three-pa… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] datacenter TLS decryption as a three-pa… Ted Lemon
- Re: [TLS] datacenter TLS decryption as a three-pa… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] datacenter TLS decryption as a three-pa… Stephen Farrell
- Re: [TLS] datacenter TLS decryption as a three-pa… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] datacenter TLS decryption as a three-pa… Ted Lemon
- Re: [TLS] datacenter TLS decryption as a three-pa… Christian Huitema
- Re: [TLS] datacenter TLS decryption as a three-pa… Ted Lemon
- Re: [TLS] datacenter TLS decryption as a three-pa… Jeffrey Walton
- Re: [TLS] datacenter TLS decryption as a three-pa… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] datacenter TLS decryption as a three-pa… Felix Wyss
- Re: [TLS] datacenter TLS decryption as a three-pa… Ted Lemon
- Re: [TLS] datacenter TLS decryption as a three-pa… Stephen Farrell
- Re: [TLS] datacenter TLS decryption as a three-pa… Brian Sniffen
- Re: [TLS] datacenter TLS decryption as a three-pa… Kyle Rose
- Re: [TLS] datacenter TLS decryption as a three-pa… Paul Turner
- Re: [TLS] datacenter TLS decryption as a three-pa… Brian Sniffen
- Re: [TLS] datacenter TLS decryption as a three-pa… Paul Turner
- Re: [TLS] datacenter TLS decryption as a three-pa… Kyle Rose
- Re: [TLS] datacenter TLS decryption as a three-pa… Sean Turner
- Re: [TLS] datacenter TLS decryption as a three-pa… Ilari Liusvaara