IETF Logo Mail Archive

Re: [TLS] Security concerns around co-locating TLS and non-secure on same port (WGLC: draft-ietf-tsvwg-iana-ports-08)

Nicolas Williams <Nicolas.Williams@oracle.com> Mon, 08 November 2010 23:30 UTC

Return-Path: <Nicolas.Williams@oracle.com>
X-Original-To: tsvwg@core3.amsl.com
Delivered-To: tsvwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 54DFF3A6914; Mon, 8 Nov 2010 15:30:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.445
X-Spam-Level:
X-Spam-Status: No, score=-6.445 tagged_above=-999 required=5 tests=[AWL=0.153, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6sJNgIWvgjec; Mon, 8 Nov 2010 15:30:50 -0800 (PST)
Received: from rcsinet10.oracle.com (rcsinet10.oracle.com [148.87.113.121]) by core3.amsl.com (Postfix) with ESMTP id 10E183A68FD; Mon, 8 Nov 2010 15:30:48 -0800 (PST)
Received: from acsinet15.oracle.com (acsinet15.oracle.com [141.146.126.227]) by rcsinet10.oracle.com (Switch-3.4.2/Switch-3.4.2) with ESMTP id oA8NV6lF013653 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 8 Nov 2010 23:31:08 GMT
Received: from acsmt355.oracle.com (acsmt355.oracle.com [141.146.40.155]) by acsinet15.oracle.com (Switch-3.4.2/Switch-3.4.1) with ESMTP id oA7NEL5N018909; Mon, 8 Nov 2010 23:31:03 GMT
Received: from abhmt006.oracle.com by acsmt354.oracle.com with ESMTP id 759001911289259053; Mon, 08 Nov 2010 15:30:53 -0800
Received: from oracle.com (/129.153.128.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 08 Nov 2010 15:30:53 -0800
Date: Mon, 08 Nov 2010 17:30:49 -0600
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: Richard Hartmann <richih.mailinglist@gmail.com>
Subject: Re: [TLS] Security concerns around co-locating TLS and non-secure on same port (WGLC: draft-ietf-tsvwg-iana-ports-08)
Message-ID: <20101108233048.GW6536@oracle.com>
References: <E1PFKZ3-0002jp-Bu@login01.fos.auckland.ac.nz> <p06240843c8fd6c508084@130.129.55.1> <20101108201218.GN6536@oracle.com> <AANLkTinxOvwMXGTH0eOifYQ_vMBx-ZfmOrCD_O=7msHn@mail.gmail.com> <20101108222257.GV6536@oracle.com> <AANLkTi=Z8p11rfRyiWdaY75pNQPxWhy+bQTJWAEkm1Yo@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <AANLkTi=Z8p11rfRyiWdaY75pNQPxWhy+bQTJWAEkm1Yo@mail.gmail.com>
User-Agent: Mutt/1.5.20 (2010-03-02)
X-Mailman-Approved-At: Tue, 09 Nov 2010 00:06:07 -0800
Cc: tls@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>, tsvwg@ietf.org
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tsvwg>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Nov 2010 23:30:51 -0000

On Tue, Nov 09, 2010 at 12:19:25AM +0100, Richard Hartmann wrote:
> On Mon, Nov 8, 2010 at 23:22, Nicolas Williams
> <Nicolas.Williams@oracle.com> wrote:
> > If the firewall is not close to the client then the client can still
> > fallback on no TLS.
> 
> True. I understood your example as "if you only allow TLS, an
> overloaded port makes things easier for the firewall admin" which I
> did not agree with.

Provided that all servers and clients of interest implement the the app
protocol on the raw TLS ports, then yes, it's easier for the firewall
admin to only open the raw TLS ports.

> > There's trade-offs all over.  I'm not sure that this one is worth all
> > that much either way.  I prefer StartTLS over having two ports for
> > everything.
> 
> I doubt that everyone will rush to register new ports.

But ports are a limited commodity.

> >  I might also be happy with forcing TLS on always for new
> > ports,
> 
> IMO, this is not realistic.
> 
> > but I do worry about training users to click through the
> > "is this the right server" dialog ("leap-of-faith").
> 
> Agreed.

So what you propose is... what exactly?  That every application protocol
have raw TLS and non-TLS (but with StartTLS?) ports?  Or that every
application be based on HTTP(S)?

I'm proposing this: stop the FUD regarding StartTLS, bake it into all
new app protocols where TLS is appropriate.  In existing apps that have
both raw TLS and non-TLS ports, leave well enough alone.

Nico
--

v2.23.0 | Report a Bug | By Email