Re: [TLS] Heartbleed / protocol complexity
Nico Williams <nico@cryptonector.com> Wed, 09 April 2014 23:13 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC9AC1A03E7 for <tls@ietfa.amsl.com>; Wed, 9 Apr 2014 16:13:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.356
X-Spam-Level:
X-Spam-Status: No, score=0.356 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 11jkfUGlHb5I for <tls@ietfa.amsl.com>; Wed, 9 Apr 2014 16:13:18 -0700 (PDT)
Received: from homiemail-a110.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 481FC1A02D9 for <tls@ietf.org>; Wed, 9 Apr 2014 16:13:18 -0700 (PDT)
Received: from homiemail-a110.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a110.g.dreamhost.com (Postfix) with ESMTP id DB4722005D908 for <tls@ietf.org>; Wed, 9 Apr 2014 16:13:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type; s=cryptonector.com; bh=P2iSNNa/K3YmiinOP50v DPJeMXg=; b=skPJLrRavLCiQcpJMTffNFaH8Mz0MOUhKCqvXxs0yeYClbSr2K9E q285I1UvDYUu8NFK0HBSAx4RW3gxjMigJolvVKvbgWKZN8mkmR9hw0WcrR0ZYSKA m0JYluDlzikqY6Rycva+5vIEgzFljglYx+WkEyPfOq/g2RBEX+75IE4=
Received: from mail-wg0-f43.google.com (mail-wg0-f43.google.com [74.125.82.43]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a110.g.dreamhost.com (Postfix) with ESMTPSA id 900B02005D907 for <tls@ietf.org>; Wed, 9 Apr 2014 16:13:17 -0700 (PDT)
Received: by mail-wg0-f43.google.com with SMTP id x13so3154965wgg.2 for <tls@ietf.org>; Wed, 09 Apr 2014 16:13:16 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.194.63.46 with SMTP id d14mr11984644wjs.24.1397085196465; Wed, 09 Apr 2014 16:13:16 -0700 (PDT)
Received: by 10.217.129.197 with HTTP; Wed, 9 Apr 2014 16:13:16 -0700 (PDT)
In-Reply-To: <m2k3ayxgy0.fsf@localhost.localdomain>
References: <20140409232505.0d6e02b8@hboeck.de> <m2k3ayxgy0.fsf@localhost.localdomain>
Date: Wed, 09 Apr 2014 18:13:16 -0500
Message-ID: <CAK3OfOgRhv66EZiXrkEtMchMxPY8nP=a1Mz4sQJG0pJo_zc8=A@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Geoffrey Keating <geoffk@geoffk.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/npB872B1cI1RwPVGF9O7R-aVwss
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Heartbleed / protocol complexity
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Apr 2014 23:13:21 -0000
On Wed, Apr 9, 2014 at 5:43 PM, Geoffrey Keating <geoffk@geoffk.org> wrote: > I can add a few more examples: compression and client-initiated > renegotiation are two things that were optional to implement, and > that some implementations didn't implement and were saved security > vulnerabilities by not doing so. I agree as to compression: we know well now that compression decisions must not be done at any layer other than that which knows if it's safe to do it, and that layer is never TLS. (This doesn't mean that the app couldn't request that some TLS records be compressed while others not, but that would be needless complexity.) I don't agree as to client-initiated renegotiation. The problem there is that the semantics of renegotiation were not well specified early on, so the APIs that got built too easily ended up failing to be capable of doing the necessary channel binding, so the channel binding didn't get built. (Causality actually went the other way here, I know, but in so far as running code was the source of specification...) > I think perhaps the lesson to learn from this is that implementations > should probably not aim to be 'complete' or 'full-featured' TLS > implementations, but rather only implement what is needed for their > target audience; and if they do implement features that only some users > will need, disable them by default. If you said that apps should get to specify which TLS features they need I'd agree. Non-implementation with no choice in the matter simply leads to non-deployment of important features. There's no need to throw out the baby with the bathwater. Nico --
- [TLS] Heartbleed / protocol complexity Hanno Böck
- Re: [TLS] Heartbleed / protocol complexity Martin Thomson
- Re: [TLS] Heartbleed / protocol complexity Nico Williams
- Re: [TLS] Heartbleed / protocol complexity Salz, Rich
- Re: [TLS] Heartbleed / protocol complexity Geoffrey Keating
- Re: [TLS] Heartbleed / protocol complexity Nico Williams
- Re: [TLS] Heartbleed / protocol complexity Nico Williams
- Re: [TLS] Heartbleed / protocol complexity Salz, Rich
- Re: [TLS] Heartbleed / protocol complexity Watson Ladd
- Re: [TLS] Heartbleed / protocol complexity Manger, James
- Re: [TLS] Heartbleed / protocol complexity Nikos Mavrogiannopoulos
- Re: [TLS] Heartbleed / protocol complexity Hannes Tschofenig
- Re: [TLS] Heartbleed / protocol complexity Dan Brown
- Re: [TLS] Heartbleed / protocol complexity Watson Ladd
- Re: [TLS] Heartbleed / protocol complexity Hanno Böck
- Re: [TLS] Heartbleed / protocol complexity Martin Rex
- Re: [TLS] Heartbleed / protocol complexity Nico Williams
- Re: [TLS] Heartbleed / protocol complexity Patrick Pelletier
- Re: [TLS] Heartbleed / protocol complexity Bill Frantz