Re: [TLS] Security concerns around co-locating TLS and non-secure on same port (WGLC: draft-ietf-tsvwg-iana-ports-08)

Marsh Ray <marsh@extendedsubset.com> Tue, 09 November 2010 02:47 UTC

Message-ID: <4CD8B652.50907@extendedsubset.com>
Date: Mon, 08 Nov 2010 20:47:46 -0600
From: Marsh Ray <marsh@extendedsubset.com>
To: Nicolas Williams <Nicolas.Williams@oracle.com>
Subject: Re: [TLS] Security concerns around co-locating TLS and non-secure on same port (WGLC: draft-ietf-tsvwg-iana-ports-08)
References: <E1PFKZ3-0002jp-Bu@login01.fos.auckland.ac.nz> <p06240843c8fd6c508084@130.129.55.1> <20101108201218.GN6536@oracle.com> <AANLkTinxOvwMXGTH0eOifYQ_vMBx-ZfmOrCD_O=7msHn@mail.gmail.com> <20101108222257.GV6536@oracle.com> <AANLkTi=Z8p11rfRyiWdaY75pNQPxWhy+bQTJWAEkm1Yo@mail.gmail.com> <20101108233048.GW6536@oracle.com>
In-Reply-To: <20101108233048.GW6536@oracle.com>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, tls@ietf.org, tsvwg@ietf.org, Richard Hartmann <richih.mailinglist@gmail.com>
List-Id: Transport Area Working Group <tsvwg.ietf.org>

On 11/08/2010 05:30 PM, Nicolas Williams wrote:
>
> But ports are a limited commodity.

> So what you propose is... what exactly?  That every application protocol
> have raw TLS and non-TLS (but with StartTLS?) ports?  Or that every
> application be based on HTTP(S)?
>
> I'm proposing this: stop the FUD regarding StartTLS, bake it into all
> new app protocols where TLS is appropriate.  In existing apps that have
> both raw TLS and non-TLS ports, leave well enough alone.

Are people actually making that many new app protocols not based on TCP 
port 443?

It seems like the general trend is to run all new things over TCP 443 
whether it fits the HTTP 'web services' model or not. Because, 
ironically, everything else is more likely to be "managed" out of 
existence by the firewall admin. :-)

Microsoft, for example, has that VPN protocol that transparently 
multiplexes on that port. There's also the "next protocol notification" 
proposal being circulated.

- Marsh
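The port sharing Marsh describes (one listener on TCP 443 that serves both TLS and a plaintext protocol) comes down to looking at the first bytes a client sends before deciding which handler gets the connection. The following Python sketch is an added example; it is not code from this message, from the IETF drafts it mentions, or from any product named in it. It classifies the opening bytes as a TLS ClientHello (record framing or the older SSLv2-compatible framing) or as printable plaintext such as an HTTP request line, and uses that in an accept loop. The sample inputs and the handler callbacks are constructed for illustration.

```python
import socket
import ssl

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01   # handshake message type: ClientHello
MAX_TLS_RECORD = 1 << 14  # largest plaintext record length TLS allows


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes read from a freshly accepted connection.

    Returns "tls" for something shaped like a ClientHello, "plaintext" for
    printable text (e.g. an HTTP request line), and "unknown" when there is
    not enough data yet or the bytes match neither pattern.
    """
    if len(data) < 6:
        return "unknown"
    # Record header: type(1) | version major(1) minor(1) | length(2) | handshake type(1)
    if (data[0] == TLS_HANDSHAKE and data[1] == 0x03 and data[2] <= 0x04
            and data[5] == TLS_CLIENT_HELLO):
        record_len = int.from_bytes(data[3:5], "big")
        if 0 < record_len <= MAX_TLS_RECORD:
            return "tls"
    # SSLv2-compatible ClientHello: high bit set on a 2-byte length, then type 0x01
    if data[0] & 0x80 and data[2] == TLS_CLIENT_HELLO:
        return "tls"
    if all(0x20 <= b < 0x7F or b in b"\r\n\t" for b in data):
        return "plaintext"
    return "unknown"


def serve_shared_port(listener: socket.socket, tls_ctx: ssl.SSLContext,
                      handle_plain, handle_tls, peek_len: int = 16) -> None:
    """Accept loop for one port carrying both TLS and plaintext.

    MSG_PEEK leaves the bytes in the kernel buffer, so the TLS library still
    sees the complete ClientHello after the decision has been made. The
    handle_plain/handle_tls callbacks are hypothetical; they own the socket.
    """
    while True:
        conn, _ = listener.accept()
        try:
            conn.settimeout(5.0)  # a silent peer must not hold the loop
            first = conn.recv(peek_len, socket.MSG_PEEK)
            conn.settimeout(None)
            kind = classify_first_bytes(first)
            if kind == "tls":
                handle_tls(tls_ctx.wrap_socket(conn, server_side=True))
            elif kind == "plaintext":
                handle_plain(conn)
            else:
                conn.close()  # refuse rather than guess
        except (OSError, ssl.SSLError):
            conn.close()


# Constructed samples: the first bytes of a TLS 1.2 ClientHello, an
# SSLv2-compatible ClientHello, and an HTTP request (not captured traffic).
SAMPLE_TLS12 = b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03"
SAMPLE_SSLV2 = b"\x80\x2e\x01\x03\x01\x00"
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
```

Note what this buys and what it does not: the server gains a shared port, but a client that is willing to accept either kind of answer on that port gets no protection from an active attacker who interferes with its ClientHello, because a plaintext session is exactly what the demultiplexer is built to accept. Whether TLS is required therefore has to be the client's decision before it connects, not something it infers from what comes back.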