Re: [TLS] Security concerns around co-locating TLS and non-secure on same port (WGLC: draft-ietf-tsvwg-iana-ports-08)

Marsh Ray <marsh@extendedsubset.com> Tue, 09 November 2010 17:50 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tsvwg@core3.amsl.com
Delivered-To: tsvwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D94443A6A26; Tue, 9 Nov 2010 09:50:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[AWL=-0.100, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1KcFdg9Qi528; Tue, 9 Nov 2010 09:50:56 -0800 (PST)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 342613A69E2; Tue, 9 Nov 2010 09:50:56 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1PFsLo-0003d1-6A; Tue, 09 Nov 2010 17:51:20 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 9B9EA6019; Tue, 9 Nov 2010 17:51:18 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX193XYb3JwpGA3cE6sna/b53ICa861Y0fME=
Message-ID: <4CD98A16.4070004@extendedsubset.com>
Date: Tue, 09 Nov 2010 11:51:18 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.15) Gecko/20101027 Thunderbird/3.0.10
MIME-Version: 1.0
To: Nicolas Williams <Nicolas.Williams@oracle.com>
Subject: Re: [TLS] Security concerns around co-locating TLS and non-secure on same port (WGLC: draft-ietf-tsvwg-iana-ports-08)
References: <E1PFKZ3-0002jp-Bu@login01.fos.auckland.ac.nz> <p06240843c8fd6c508084@[130.129.55.1]> <4CD83312.5060000@extendedsubset.com> <20101108202407.GO6536@oracle.com> <4CD86FC4.4070308@extendedsubset.com> <20101108221016.GT6536@oracle.com> <4CD8A811.1080801@extendedsubset.com> <20101109035040.GA6536@oracle.com>
In-Reply-To: <20101109035040.GA6536@oracle.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Fri, 12 Nov 2010 08:06:55 -0800
Cc: tls@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>, tsvwg@ietf.org
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tsvwg>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Nov 2010 17:50:58 -0000

On 11/08/2010 09:50 PM, Nicolas Williams wrote:
> On Mon, Nov 08, 2010 at 07:46:57PM -0600, Marsh Ray wrote:
>>
>> On 11/08/2010 04:10 PM, Nicolas Williams wrote:
>>>
>>> It's not always the case that you have a trust path to a
>>> server,
>>
>> Why not? Or, rather, isn't that a reasonable prerequisite for security?
>
> Because not every pair of communicating systems do so as part of a
> corporate network with well-staffed IT departments complete with PKIs,
> bridge PKIs, Kerberos, and other trust path mechanisms, with all hosts
> pre-registered, and so on.

Quite often, those are the places that have hardest time getting systems 
to interop.

> Usability is part of the security equation.  If secure applications are
> unusable, don't be surprised when users don't use them.

+1 that's absolutely true in reality.

However, doesn't there need to be

> SSH has been so successful in large part because leap-of-faith works
> rather well -- it has a very small window of vulnerability, a very big
> vulnerability, yes, and requiring persistent storage, true, but
> difficult to exploit without users eventually noticing.

I know I read a study somewhere of what users (a university setting I 
think) typically did when presented with the "WARNING: REMOTE HOST 
IDENTIFICATION HAS CHANGED!...Are you sure you want to continue 
connecting (yes/no)?" question. I think the results were pretty dismal.

>> In that sense, egress rules on client-based firewalls could be as
>> important as the inbound connections on the server side.
>
> So what you're proposing is that we require TLS on all the time, via raw
> TLS ports?

Not really, although it wouldn't be a bad idea to migrate in that 
direction. I'm more trying to ask a philosophical question.

We know that the properties we expect of the "secure communications" we 
discuss in in this WG depend on authentication or authenticated 
encryption. Authentication is thus something of a prerequisite for the 
security, unless we have justification to rule out the possibility of an 
active attacker. Although there are many scenarios in practice where 
active attacks are more difficult, any general-purpose protocol will 
have to resist them effectively.

So, except in cases where explictly unauthenticated endpoints are 
involved, isn't it reasonable that for WG discussions to presume that a 
security protocol will be building upon some form of trust framework?

Or is there a new world happening where we're retreating from that 
principle and we now expect systems to somehow bootstrap their own 
security out-of-the-box or not get used at all?

- Marsh