Re: [TLS] Security concerns around co-locating TLS and non-secure on same port (WGLC: draft-ietf-tsvwg-iana-ports-08)

Marsh Ray <marsh@extendedsubset.com> Mon, 08 November 2010 21:59 UTC

Message-ID: <4CD872C5.2010007@extendedsubset.com>
To: Nicolas Williams <Nicolas.Williams@oracle.com>
References: <E1PFKZ3-0002jp-Bu@login01.fos.auckland.ac.nz> <p06240843c8fd6c508084@[130.129.55.1]> <20101108201218.GN6536@oracle.com>
In-Reply-To: <20101108201218.GN6536@oracle.com>
Cc: tls@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>, tsvwg@ietf.org

On 11/08/2010 02:12 PM, Nicolas Williams wrote:
> On Mon, Nov 08, 2010 at 05:07:42PM +0800, Paul Hoffman wrote:
>
>> "be complexer to implement than using two ports": See the state
>> machine described in section 4 and its subsections in RFC 3207. That's
>> much more complex than "OK, let's go".
>
> This is true.  Specifically it complicates the task of making the
> security layer transparent to the application.  But really, not _that_
> much.

Does it have implications for session resumption, I wonder?

Not so much for the protocol itself, but for what you get with the 
straightforward use of a normal TLS library.

For example, if a developer lets the TLS library handle the socket 
connections, it seems like it could be smart enough to support 
resumption, but a STARTTLS-based protocol would seem to prevent this. In 
cases where the app code is just passing buffers to the TLS library, the 
TLS stack may not even know the hostname at the time of the Hello 
message exchange.

It's probably not a big deal for most mail protocols, but it might make 
a perceptible difference for a user of IMAP.

- Marsh
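As an added illustration of the point above (not part of Marsh's message or of any project's code): at the STARTTLS upgrade the TLS stack knows only what the application hands it, so the hostname in the ClientHello, and with it the key a client session cache is indexed by, comes entirely from the app. This Go program runs two upgrade routines against an in-memory peer that captures the ClientHello's server_name and aborts; the hostname "imap.example", the cache size and the sentinel error are constructed for the example.

```go
package main

import (
	"crypto/tls"
	"errors"
	"net"
)

// sessionCache is app-owned state: resumption across connections only works if the
// application keeps a cache alive and hands it to every upgraded connection.
var sessionCache = tls.NewLRUClientSessionCache(8)

// UpgradeWithHost is the STARTTLS moment done carefully: the app already owns the
// plaintext conn, so it must pass the hostname through (SNI, certificate check, and
// the key Go uses for the session cache; with no ServerName Go falls back to the
// peer address) along with the cache.
func UpgradeWithHost(plain net.Conn, mailHost string) *tls.Conn {
	return tls.Client(plain, &tls.Config{ServerName: mailHost, ClientSessionCache: sessionCache})
}

// UpgradeBuffersOnly is the pattern the post warns about: the socket is wrapped with
// nothing but bytes in view. Go refuses a config with neither ServerName nor
// InsecureSkipVerify, so this variant has to disable verification to send anything.
func UpgradeBuffersOnly(plain net.Conn) *tls.Conn {
	return tls.Client(plain, &tls.Config{InsecureSkipVerify: true})
}

var errProbe = errors.New("probe: ClientHello captured") // constructed sentinel

// HelloSNI runs upgrade's client side over an in-memory pipe against a peer that records
// the server_name in the ClientHello and then aborts, so no certificate is involved.
// It returns the SNI value the client's first flight carried ("" if absent).
func HelloSNI(upgrade func(net.Conn) *tls.Conn) string {
	cp, sp := net.Pipe()
	seen := make(chan string, 1)
	go func() {
		defer close(seen) // yields "" if the callback never ran
		defer sp.Close()
		probe := &tls.Config{GetConfigForClient: func(h *tls.ClientHelloInfo) (*tls.Config, error) {
			seen <- h.ServerName
			return nil, errProbe // abort the handshake here: only the ClientHello matters
		}}
		_ = tls.Server(sp, probe).Handshake() // fails by design once the callback errors
	}()
	_ = upgrade(cp).Handshake() // fails by design too; the ClientHello has been sent
	cp.Close()                  // unblocks the peer if it is still waiting for a ClientHello
	return <-seen
}
```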