Re: [TLS] Security concerns around co-locating TLS and non-secure on same port (WGLC: draft-ietf-tsvwg-iana-ports-08)

Nicolas Williams <Nicolas.Williams@oracle.com> Thu, 11 November 2010 20:14 UTC


On Thu, Nov 11, 2010 at 12:17:22PM -0600, Marsh Ray wrote:
> On 11/11/2010 10:41 AM, t.petch wrote:
> >
> >To return to (what I see as) the main purpose of the thread, I too
> >think that StartTLS is a good, if not an excellent idea; I see no
> >difference in the vulnerabilities (although my cryptanalysis is weak).
> 
> Well, that's the thing. In theory there is no difference, in
> practice however...

FUD alert.

> Look at HTTP/HTTPS as an example. It doesn't use STARTTLS to
> negotiate an optional security upgrade. Well there is an RFC for it
> but I've never heard of anyone using it, if that functionality is
> latent, no one is depending on it.

You're not explaining why no one uses HTTP StartTLS.  I assure you that
people use LDAP with StartTLS.  The specific reasons that led to one
being used and the other not are likely to be of interest, though I
can't say I have much insight into either.

> The first thing users learn about web security is to put the 's' on
> the end of HTTPS.

I think HTTP is a bit special.  HTTP/1.0 has resulted in a very high
number of round-trips to GET anything.  That Sucks.  More round-trips
(for StartTLS) would just suck more.  If HTTP/1.0 had had pipelining
from the get-go then the situation would be different, and then we could
say that HTTP + StartTLS is a fair thing to do when given an HTTPS URL.

> On the other hand, my email program gives me an option to use
> "STARTTLS". Even after I took packet captures of the connection
> process and observed it correctly negotiating the use of encryption,
> I still cannot tell if my email is vulnerable to a downgrade attack.

Without tracing every program you can't tell if the program is lying to
you about anything, anything at all.  Your program could be trojaned and
might be sharing your secret credentials with the bad guys.

Nico
--
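
Added example, not part of the original message: a Python sketch of why a packet capture of a successful STARTTLS negotiation does not reveal whether a mail client is open to downgrade. An opportunistic and a TLS-required client behave identically when STARTTLS is advertised and differ only when it is missing from the EHLO reply. The `Policy`, `parse_ehlo_extensions` and `next_step` names, the host `mail.example.test` and both sample replies are constructed for illustration.

```python
from enum import Enum

# Constructed EHLO replies (hypothetical host mail.example.test).
OFFERED = "250-mail.example.test\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
# Same reply as the client sees it when the STARTTLS line is missing.
MISSING = "250-mail.example.test\r\n250-PIPELINING\r\n250 8BITMIME\r\n"


class Policy(Enum):
    OPPORTUNISTIC = "opportunistic"  # use TLS if offered, otherwise carry on in cleartext
    REQUIRED = "required"            # never continue without TLS


class DowngradeRefused(Exception):
    """Policy requires TLS but the server reply did not advertise STARTTLS."""


def parse_ehlo_extensions(reply):
    """Return the upper-cased extension keywords of a 250 EHLO reply."""
    keywords = set()
    for index, line in enumerate(reply.strip().splitlines()):
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if index == 0:
            continue  # first line carries the server's domain/greeting, not an extension
        fields = line[4:].split()
        if fields:
            keywords.add(fields[0].upper())
    return keywords


def next_step(reply, policy):
    """Decide what the client does after EHLO: 'STARTTLS' or 'CLEARTEXT'."""
    if "STARTTLS" in parse_ehlo_extensions(reply):
        return "STARTTLS"
    if policy is Policy.REQUIRED:
        # The capability list arrives before any TLS protection, so its
        # absence cannot be trusted as "server does not support TLS".
        raise DowngradeRefused("server did not advertise STARTTLS")
    return "CLEARTEXT"


if __name__ == "__main__":
    for name, reply in (("offered", OFFERED), ("missing", MISSING)):
        for policy in Policy:
            try:
                print(name, policy.value, "->", next_step(reply, policy))
            except DowngradeRefused as exc:
                print(name, policy.value, "-> refused:", exc)
```

Only the "missing" case distinguishes the two policies, so a client has to be exercised against a reply without STARTTLS to learn which one it implements.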