IETF Logo Mail Archive

Re: [TLS] Heartbleed / protocol complexity

Nico Williams <nico@cryptonector.com> Wed, 09 April 2014 23:13 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC9AC1A03E7 for <tls@ietfa.amsl.com>; Wed, 9 Apr 2014 16:13:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.356
X-Spam-Level:
X-Spam-Status: No, score=0.356 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 11jkfUGlHb5I for <tls@ietfa.amsl.com>; Wed, 9 Apr 2014 16:13:18 -0700 (PDT)
Received: from homiemail-a110.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 481FC1A02D9 for <tls@ietf.org>; Wed, 9 Apr 2014 16:13:18 -0700 (PDT)
Received: from homiemail-a110.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a110.g.dreamhost.com (Postfix) with ESMTP id DB4722005D908 for <tls@ietf.org>; Wed, 9 Apr 2014 16:13:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=P2iSNNa/K3YmiinOP50v DPJeMXg=; b=skPJLrRavLCiQcpJMTffNFaH8Mz0MOUhKCqvXxs0yeYClbSr2K9E q285I1UvDYUu8NFK0HBSAx4RW3gxjMigJolvVKvbgWKZN8mkmR9hw0WcrR0ZYSKA m0JYluDlzikqY6Rycva+5vIEgzFljglYx+WkEyPfOq/g2RBEX+75IE4=
Received: from mail-wg0-f43.google.com (mail-wg0-f43.google.com [74.125.82.43]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a110.g.dreamhost.com (Postfix) with ESMTPSA id 900B02005D907 for <tls@ietf.org>; Wed, 9 Apr 2014 16:13:17 -0700 (PDT)
Received: by mail-wg0-f43.google.com with SMTP id x13so3154965wgg.2 for <tls@ietf.org>; Wed, 09 Apr 2014 16:13:16 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.194.63.46 with SMTP id d14mr11984644wjs.24.1397085196465; Wed, 09 Apr 2014 16:13:16 -0700 (PDT)
Received: by 10.217.129.197 with HTTP; Wed, 9 Apr 2014 16:13:16 -0700 (PDT)
In-Reply-To: <m2k3ayxgy0.fsf@localhost.localdomain>
References: <20140409232505.0d6e02b8@hboeck.de> <m2k3ayxgy0.fsf@localhost.localdomain>
Date: Wed, 09 Apr 2014 18:13:16 -0500
Message-ID: <CAK3OfOgRhv66EZiXrkEtMchMxPY8nP=a1Mz4sQJG0pJo_zc8=A@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Geoffrey Keating <geoffk@geoffk.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/npB872B1cI1RwPVGF9O7R-aVwss
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Heartbleed / protocol complexity
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Apr 2014 23:13:21 -0000

On Wed, Apr 9, 2014 at 5:43 PM, Geoffrey Keating <geoffk@geoffk.org> wrote:
> I can add a few more examples: compression and client-initiated
> renegotiation are two things that were optional to implement, and
> that some implementations didn't implement and were saved security
> vulnerabilities by not doing so.

I agree as to compression: we know well now that compression decisions
must not be done at any layer other than that which knows if it's safe
to do it, and that layer is never TLS.  (This doesn't mean that the
app couldn't request that some TLS records be compressed while others
not, but that would be needless complexity.)

I don't agree as to client-initiated renegotiation.  The problem there
is that the semantics of renegotiation were not well specified early
on, so the APIs that got built too easily ended up failing to be
capable of doing the necessary channel binding, so the channel binding
didn't get built.  (Causality actually went the other way here, I
know, but in so far as running code was the source of
specification...)

> I think perhaps the lesson to learn from this is that implementations
> should probably not aim to be 'complete' or 'full-featured' TLS
> implementations, but rather only implement what is needed for their
> target audience; and if they do implement features that only some users
> will need, disable them by default.

If you said that apps should get to specify which TLS features they
need I'd agree.  Non-implementation with no choice in the matter
simply leads to non-deployment of important features.  There's no need
to throw out the baby with the bathwater.

Nico
--

v2.23.0 | Report a Bug | By Email