Re: [TLS] TLS, PKI,

Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 14 July 2010 12:55 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Bruno.Harbulot@manchester.ac.uk, ynir@checkpoint.com
In-Reply-To: <A00ABF7A-3C17-42F3-ADA4-E22C75452540@checkpoint.com>
Message-Id: <E1OZ1UV-0002me-VD@wintermute02.cs.auckland.ac.nz>
Date: Thu, 15 Jul 2010 00:55:11 +1200
Cc: tls@ietf.org
Subject: Re: [TLS] TLS, PKI,

Yoav Nir <ynir@checkpoint.com> writes:

>If browsers accepted private CAs for domain (after a one-time dialog), and
>self-signed certificates for a particular server only, they would get to the
>same level of usability and security as SSH clients. As it is, they're better
>if you have no way to verify the server fingerprint, and worse if you can.

In terms of securing access to local embedded devices and whatnot, there's a
relatively simple solution that'll get rid of a majority of problems in the
case of Martin's "Being able to easily network a small number of computers and
network-attached devices at home without involvement of outside third
parties":

  [...]

  Sometimes it may be possible to reach a compromise between security and
  functionality, as Microsoft did with the Windows firewall settings when they
  turned it on by default in Windows XP SP2.  Once they'd enabled it they
  found that small home networks, where some designated computer acts as a
  file and print server, were broken by having all ports on the server closed
  by default. The fix was to open the ports required for print and file
  sharing, but only for the local subnet [42].  Since home users are unlikely
  to be running computers on multiple subnets and anyone sophisticated enough
  to be doing so will presumably know what a firewall is and what to do with
  it, this protected home users from Internet-based attacks without breaking
  their existing network setup.

  [...]
  
  A far better solution though is to take advantage of the special
  circumstances in which these certificates are encountered.  If you run into
  such a duplicate certificate and it's associated with something that has a
  non-routable IP address, or on the default gateway, or in the same subnet,
  then there's a good chance that the certificate has been generated by an
  embedded device rather than being some form of spoofing attack, a variation
  of the approach that Microsoft took with the Windows firewall that's
  discussed in [text from above].  Another way of looking at this concession
  in the direction of practical usability is that if there's an active
  attacker sitting inside your firewalled private subnet performing MITM
  attacks on you then you have far bigger things to worry about than a case of
  potential certificate spoofing.  While this adaptation won't address every
  case of non-commercial certificate use it will transparently deal with the
  large majority of them.

Peter.
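The address-context heuristic from the quoted excerpt (default gateway, same subnet, non-routable address), combined with the SSH-style remember-the-fingerprint behaviour Yoav's message refers to, as an added Python example that is not code from the original email or from any browser or product; the host names, addresses and certificate bytes are constructed placeholders.

```python
import hashlib
import ipaddress
from typing import Optional

# Constructed placeholders: in a real client the DER bytes come from the TLS
# handshake; here two byte strings stand in for two different certificates.
DEVICE_CERT_DER = b"constructed-der-bytes-for-a-home-printer"
OTHER_CERT_DER = b"constructed-der-bytes-for-a-different-cert"


def local_context(peer_ip: str, local_net: Optional[str] = None,
                  gateway: Optional[str] = None) -> Optional[str]:
    """Return why a peer counts as 'local' per the excerpt, or None if it does not.

    Checks the three conditions in the text: the peer is the default gateway,
    sits in the same subnet as our interface, or has a non-routable address.
    """
    ip = ipaddress.ip_address(peer_ip)
    if gateway is not None and ip == ipaddress.ip_address(gateway):
        return "default-gateway"
    if local_net is not None and ip in ipaddress.ip_network(local_net, strict=False):
        return "same-subnet"
    if not ip.is_global:  # RFC 1918, link-local, loopback, ULA, ...
        return "non-routable"
    return None


def cert_fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


def self_signed_policy(host: str, peer_ip: str, cert_der: bytes, pins: dict,
                       local_net: Optional[str] = None,
                       gateway: Optional[str] = None) -> str:
    """Decide how to treat a self-signed or untrusted certificate.

    pins maps host -> fingerprint seen on first use (the SSH known_hosts idea),
    so a later change of certificate at the same host is detectable.
    """
    fp = cert_fingerprint(cert_der)
    pinned = pins.get(host)
    if pinned is not None:
        # A host we have already accepted must keep presenting the same cert.
        return "accept-pinned" if pinned == fp else "reject-fingerprint-changed"
    reason = local_context(peer_ip, local_net, gateway)
    if reason is None:
        # Globally routable peer: the ordinary untrusted-certificate warning applies.
        return "warn-untrusted"
    pins[host] = fp  # remember it so that a change later is noticed
    return "accept-local:" + reason
```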