Re: [TLS] Security concerns around co-locating TLS and non-secure

Martin Rex <mrex@sap.com> Thu, 11 November 2010 19:52 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tsvwg@core3.amsl.com
Delivered-To: tsvwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 049FA3A68C3; Thu, 11 Nov 2010 11:52:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.853
X-Spam-Level:
X-Spam-Status: No, score=-9.853 tagged_above=-999 required=5 tests=[AWL=-0.204, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_15=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z+qNHdtVx9jO; Thu, 11 Nov 2010 11:52:04 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by core3.amsl.com (Postfix) with ESMTP id C9C213A68DA; Thu, 11 Nov 2010 11:52:03 -0800 (PST)
Received: from mail.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id oABJqV6w006443 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 11 Nov 2010 20:52:31 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <201011111952.oABJqTwh008761@fs4113.wdf.sap.corp>
Subject: Re: [TLS] Security concerns around co-locating TLS and non-secure
To: marsh@extendedsubset.com (Marsh Ray)
Date: Thu, 11 Nov 2010 20:52:29 +0100 (MET)
In-Reply-To: <4CDC3332.7060402@extendedsubset.com> from "Marsh Ray" at Nov 11, 10 12:17:22 pm
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal08
X-SAP: out
X-Mailman-Approved-At: Fri, 12 Nov 2010 08:06:55 -0800
Cc: tls@ietf.org, tsvwg@ietf.org, paul.hoffman@vpnc.org
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tsvwg>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Nov 2010 19:52:06 -0000

Marsh Ray wrote:
> 
> On 11/11/2010 10:41 AM, t.petch wrote:
> >
> > To return to (what I see as) the main purpose of the thread, I too
> > think that StartTLS is a good, if not an excellent idea; I see no
> > difference in the vulnerabilities (although my cryptanalysis is weak).
> 
> Well, that's the thing. In theory there is no difference, in practice 
> however...

The good thing about STARTTLS is that you can distinguish and
seperately analyze network connectivity from protocol interop issues.

For "upgrading/enhancing" an existing usage scenario in an installed
base, where connectivity is a solved problem, it offers
a smoother upgrade.

Distinguishing network connectivity issues from protocol interop
issues can be a royal PITA if you think of the complete absence
of TLS alerts from TLS peers running on top of Microsoft SChannel
or apps that produce utterly useless error messages like MSIE 6/7/8.

(the latter looks somewhat like an inbreed problem -- when ones
 implementation fails to implement part of the spec, then
 black-box testing with oneself can not possibly cover
 a sensible interop with that part of the spec.)

> 
> On the other hand, my email program gives me an option to use 
> "STARTTLS". Even after I took packet captures of the connection process 
> and observed it correctly negotiating the use of encryption, I still 
> cannot tell if my email is vulnerable to a downgrade attack. The only 
> way to find out is by performing exhaustive testing with an attack tool, 
> or by direct inspection of the source code!

Black-box testing of security protocols with shelved has never produced
any meaningful information about protocol compliance or security and
never will.  Unless a protocol uses a fail-safe design by itself,
you will always need specialized interop tests with test tools that
can produce all sorts of very security-relevant deviations from
the communication between ordinary applications.


When I built GSSTEST to test GSS-API interoperability ~10 years ago,
I added test cases for common usage/configuration errors and typos
as well as test for various modifications of the stream of protected
messages to get an idea how implementations react (replay, reflection,
duplication, loss, reordering, truncation, extension, corruption)
and whether implementations detect the modifications, how they report it,
and whether they can get back in sync with the peer after a detected
modification (as GSS-API allows to make these errors non-fatal for the
underlying security context).

While most of the implementations were relatively well-behaved
for usage/configuration errors and typos, the results for modified
message streams were somewhat disappointing, so that we excluded
that part from the interoperability certification with our app.

When testing modified message streams, leaking memory was a pretty
common "mild" reaction.


-Martin