Re: [TLS] Security concerns around co-locating TLS and non-secure, on same port (WGLC: draft-ietf-tsvwg-iana-ports-08)

=JeffH <Jeff.Hodges@KingsMountain.com> Thu, 18 November 2010 17:59 UTC

Message-ID: <4CE569AD.6090402@KingsMountain.com>
Date: Thu, 18 Nov 2010 10:00:13 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Thunderbird 2.0.0.24 (X11/20101027)
MIME-Version: 1.0
To: tsvwg@ietf.org, tls@ietf.org
Subject: Re: [TLS] Security concerns around co-locating TLS and non-secure, on same port (WGLC: draft-ietf-tsvwg-iana-ports-08)
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Nico stated..
 >
 > I assure you that people use LDAP with StartTLS.

This indeed seems to be the case..


Subject: Re: [ldap] statistics wrt StartTLS vs. dedicated TLS port usage?
From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Date: Thu, 18 Nov 2010 11:32:55 +0100
To: =JeffH <Jeff.Hodges@KingsMountain.com>
Cc: LDAP Discussion List <ldap@umich.edu>

=JeffH writes:
  > I'm curious as to whether anyone has any statistics with respect to
  > deployed in-the-wild use of StartTLS (e.g. on port 389) vs. use of a
  > dedicated TLS port (e.g. port 636) ?

20 minutes of our main servers' loglevel 256:
     22221 StartTLS from 423 different IP addresses
      1170 ldaps:// from  46 different IP addresses

5 days' log at another server we run has 125278 ldaps:// from 21 IP
addresses, but no StartTLS.

-- 
Hallvard


--


Subject: Re: [ldap] statistics wrt StartTLS vs. dedicated TLS port usage?
From: Steve Thompson <smt@vgersoft.com>
Date: Thu, 18 Nov 2010 05:45:33 -0500 (EST) (02:45 PST)
To: =JeffH <Jeff.Hodges@KingsMountain.com>
Cc: LDAP Discussion List <ldap@umich.edu>

On Wed, 17 Nov 2010, =JeffH wrote:

  > I'm curious as to whether anyone has any statistics with respect to deployed
  > in-the-wild use of StartTLS (e.g. on port 389) vs. use of a dedicated TLS
  > port (e.g. port 636) ?

My LDAP load balancer shows:

   	StartTLS on 389:	997696 connections
   	ldaps on 636:		 32620 connections

This is a total over about three weeks or so.

-Steve
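Both replies above derive their StartTLS vs. ldaps:// counts from server logs (Hallvard from OpenLDAP's loglevel 256 "stats" output). The script below is an added example, not code from either poster, that reproduces that kind of tally over slapd stats lines and additionally reports connections accepted on the plaintext listener that never negotiated TLS at all, which is the case the subject of this thread is about. The log lines are constructed for illustration; the listener port set and the three category names are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of slapd loglevel 256 (stats) lines; not real log data.
SAMPLE_LOG = """\
Nov 18 10:00:01 ldap1 slapd[1234]: conn=1001 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Nov 18 10:00:01 ldap1 slapd[1234]: conn=1001 op=0 STARTTLS
Nov 18 10:00:01 ldap1 slapd[1234]: conn=1001 op=0 RESULT oid= err=0 text=
Nov 18 10:00:01 ldap1 slapd[1234]: conn=1001 fd=12 TLS established tls_ssf=256 ssf=256
Nov 18 10:00:02 ldap1 slapd[1234]: conn=1002 fd=13 ACCEPT from IP=192.0.2.11:41000 (IP=0.0.0.0:636)
Nov 18 10:00:02 ldap1 slapd[1234]: conn=1002 fd=13 TLS established tls_ssf=256 ssf=256
Nov 18 10:00:03 ldap1 slapd[1234]: conn=1003 fd=14 ACCEPT from IP=192.0.2.10:51240 (IP=0.0.0.0:389)
Nov 18 10:00:03 ldap1 slapd[1234]: conn=1003 op=0 STARTTLS
Nov 18 10:00:03 ldap1 slapd[1234]: conn=1003 fd=14 TLS established tls_ssf=256 ssf=256
Nov 18 10:00:04 ldap1 slapd[1234]: conn=1004 fd=15 ACCEPT from IP=198.51.100.7:60000 (IP=0.0.0.0:389)
Nov 18 10:00:04 ldap1 slapd[1234]: conn=1004 op=0 BIND dn="cn=app,dc=example,dc=com" method=128
Nov 18 10:00:04 ldap1 slapd[1234]: conn=1004 fd=15 closed
"""

# ACCEPT carries the client address and the listener it arrived on (IPv6 appears as [addr]:port).
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\[[^\]]+\]|[^:\s]+):\d+ \(IP=(?:\[[^\]]+\]|[^:\s]+):(\d+)\)")
TLS_RE = re.compile(r"conn=(\d+) fd=\d+ TLS established")
LDAPS_PORTS = {"636"}  # assumption: listeners that speak TLS from the first byte

def classify_connections(log_text):
    """Map conn id -> (client_ip, category); category is 'ldaps', 'starttls' or 'cleartext'.
    TLS is counted from the 'TLS established' line, not the STARTTLS request, so a
    StartTLS request that failed is not mistaken for a protected connection."""
    conns = {}
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            cid, ip, port = m.groups()
            conns[cid] = [ip, "ldaps" if port in LDAPS_PORTS else "cleartext"]
            continue
        m = TLS_RE.search(line)
        if m and m.group(1) in conns and conns[m.group(1)][1] == "cleartext":
            conns[m.group(1)][1] = "starttls"
    return {cid: tuple(v) for cid, v in conns.items()}

def summarize(log_text):
    """Connections and distinct client IPs per category, like the counts quoted in the thread."""
    counts, ips = defaultdict(int), defaultdict(set)
    for ip, cat in classify_connections(log_text).values():
        counts[cat] += 1
        ips[cat].add(ip)
    return {cat: (counts[cat], len(ips[cat])) for cat in ("starttls", "ldaps", "cleartext")}

if __name__ == "__main__":
    for cat, (n, distinct) in summarize(SAMPLE_LOG).items():
        print(f"{n:8d} {cat:<10} from {distinct} different IP addresses")
```

The "cleartext" bucket is the one worth alerting on when a plaintext listener is kept only for StartTLS: connections there either left before negotiating TLS or carried operations in the clear.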