IETF Logo Mail Archive

Re: [TLS] Security concerns around co-locating TLS and

Martin Rex <mrex@sap.com> Tue, 09 November 2010 21:50 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 283D03A6935 for <tls@core3.amsl.com>; Tue, 9 Nov 2010 13:50:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.874
X-Spam-Level:
X-Spam-Status: No, score=-9.874 tagged_above=-999 required=5 tests=[AWL=-0.225, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_15=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OAyLw7mrmbOo for <tls@core3.amsl.com>; Tue, 9 Nov 2010 13:50:56 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id C80203A68CF for <tls@ietf.org>; Tue, 9 Nov 2010 13:50:55 -0800 (PST)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id oA9LpB3I029765 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 9 Nov 2010 22:51:12 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201011092151.oA9LpAaf001836@fs4113.wdf.sap.corp>
To: ynir@checkpoint.com
Date: Tue, 09 Nov 2010 22:51:10 +0100
In-Reply-To: <AD321D07-735D-4607-BEC7-2BF1CB77D12B@checkpoint.com> from "Yoav Nir" at Nov 9, 10 10:29:46 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal08
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Security concerns around co-locating TLS and
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Nov 2010 21:50:57 -0000

Yoav Nir wrote:
> 
> On Nov 9, 2010, at 6:28 PM, t.petch wrote:
> > 
> > I recently was involved in syslog over TLS and the RFC there
> > explicitly calls it out.  Diagnostic messages are good for
> > diagnosing problems and so should be sent in the clear unless
> > there is a reason to do otherwise (eg relating to security
> > breaches, password misuse etc) and this is a general truth
> > in operations (SNMP etc).  Yes, I must have integrity, but
> > privacy can be a real pain, stopping the determination of problems.
> 
> Nobody is forcing privacy down your throat. Just as IPsec has
> AH and ESP-NULL, TLS has TLS_RSA_WITH_NULL_SHA256 and
> TLS_ECDHE_ECDSA_WITH_NULL_SHA among others.

There is much more DoS-potential in the server endpoint identification.

If you _can_ prevent syslog entries from being written by messing with
OCSP requests of the client that wants to submit syslog entries,
then you have a vulnerability -- as would be any kind of insistence of
involvement of third parties for a TLS-enabled syslog client.


The popularity of TLS is not that it is good, efficient or secure.
The primary motivator is that implementations are available and
it allows everyone to continue using weak passwords to authenticate
end users (and noone really cares about authenticating servers,
never did).


-Martin

v2.23.0 | Report a Bug | By Email