Re: [TLS] Security concerns around co-locating TLS and non-secure on same port (WGLC: draft-ietf-tsvwg-iana-ports-08)

[Nicolas Williams <Nicolas.Williams@oracle.com>]

On Mon, Nov 08, 2010 at 03:46:44PM -0600, Marsh Ray wrote:
> On 11/08/2010 02:24 PM, Nicolas Williams wrote:
> 
> >>* Developers don't have to code support for configuration
> >
> >When was the last time you saw a major IM or e-mail client that didn't
> >let you toggle TLS?  I can't remember when I last saw such a thing.
> 
> It's awful, isn't it?

I'm not sure.  It's not always the case that you have a trust path to a
server, so if we force TLS on all the time then we're also training
users to do SSH leap-of-faith (or worse, if the client isn't very good).
Now, SSH leap-of-faith is actually a pretty good solution, so maybe
that's OK.  But we'd still be training users to keep clicking "OK [give
all my money to the bad guy]".

> >The only benefit of a "secure-only port number" is that you don't have
> >to make sure that the server requires TLS -- chances are near 100% it
> >just won't work if it doesn't, in which case the problem is self-
> >correcting (user files ticket, admins fix the problem).
> 
> I.e., the default failure mode is secure, rather than insecure.

Only on the server side.  If the firewall is not close to the client
then the client can still fallback on insecure connections.  In many
cases it's the client that matters most.

Nico
--