Re: [TLS] The risk of misconfiguration

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Tue, 13 May 2014 16:41 UTC

Message-ID: <53724B21.3030605@fifthhorseman.net>
Date: Tue, 13 May 2014 12:41:05 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Alyssa Rowan <akr@akr.io>, tls@ietf.org
References: <CACsn0cnvV9c5aH5p8cD1fJEzF4dmNXBaEaHCfkX82AZqKOUYaQ@mail.gmail.com> <CAK3OfOgYr7d88iuxhXZcos55ymg0i_Q_GHNcXB+w7GRUaEj0bw@mail.gmail.com> <536A67D9.2070302@pobox.com> <CAK3OfOjTehkbKMg40_ZXGXOVjyHHY7UrxLmpyr7Mz00rRo+RLQ@mail.gmail.com> <536A6F8C.7020702@akr.io>
In-Reply-To: <536A6F8C.7020702@akr.io>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/qMmkVdAWNh8911DecZXyu4KQA_8

On 05/07/2014 01:38 PM, Alyssa Rowan wrote:
> For opportunistic encryption, at least with self-signed cert usage we
> can then softly migrate from opportunistic to DANE-EE pinning - and
> indeed that is the route SMTP has already taken, as Viktor's helpfully
> highlighted.

this soft migration can happen by moving from anonymous key exchanges to
non-anonymous key exchanges when they publish their DANE-EE pin, though.

> Meanwhile aDH denies us that option, and broadcasts our MITM
> susceptibility to Mallory.

I think this is more an argument that the ciphersuite negotiation
shouldn't be in the clear than it is an argument to reject an aDHE key
exchange scheme.

I recognize that there are chicken-and-egg issues here, but it seems
possible to protect the handshake itself with a non-negotiable
mandatory-to-implement scheme that protects at least against passive
monitoring, and then allow the rest of the communication the flexibility
for algorithm agility.

With proper traffic padding, this would avoid broadcasting any
MITM-susceptibility to Mallory without Mallory actively making a
(potentially detectable) MITM attack herself.

	--dkg
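The point dkg makes above, that ciphersuite negotiation in the clear tells a passive observer whether a client would accept an anonymous (MITM-able) key exchange, is illustrated by the following added example. It is not part of the original message: it constructs a minimal TLS 1.2 ClientHello and then parses it the way a passive monitor would, flagging the anonymous suites; suite code points are from the IANA TLS registry, and the ClientHello bytes are a constructed sample.

```python
import struct

# Anonymous (unauthenticated) key-exchange suites from the IANA TLS registry.
# A client that offers these in the clear reveals to any passive observer
# that it would accept an exchange with no authentication at all.
ANON_SUITES = {
    0x0034: "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    0x003A: "TLS_DH_anon_WITH_AES_256_CBC_SHA",
    0xC018: "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
    0xC019: "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
}

def build_client_hello(suites):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample, no extensions)."""
    body = b"\x03\x03" + bytes(32)            # client_version, random (zeros in the sample)
    body += b"\x00"                           # empty session_id
    cs = b"".join(struct.pack(">H", s) for s in suites)
    body += struct.pack(">H", len(cs)) + cs   # cipher_suites vector
    body += b"\x01\x00"                       # compression_methods: null only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs  # TLSPlaintext handshake record

def offered_suites(record):
    """Parse the cipher_suites vector out of a cleartext ClientHello record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9 + 2 + 32                          # record + handshake headers, version, random
    sid_len = record[pos]
    pos += 1 + sid_len                        # skip session_id
    cs_len = struct.unpack(">H", record[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack(">H", record[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]

def passive_observer_report(record):
    """What a purely passive observer learns from an unprotected ClientHello."""
    suites = offered_suites(record)
    anon = [ANON_SUITES[s] for s in suites if s in ANON_SUITES]
    return {"offered": len(suites), "anonymous": anon, "mitm_susceptible": bool(anon)}

if __name__ == "__main__":
    # ECDHE_RSA_AES128_GCM, RSA_AES128_CBC, and one anonymous ECDH suite
    hello = build_client_hello([0xC02F, 0x002F, 0xC018])
    print(passive_observer_report(hello))
```

Running the same parser over a handshake whose negotiation is protected against passive monitoring, as dkg proposes, would yield nothing: the observer could not tell whether an anonymous suite was on offer.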