Re: [TLS] Security concerns around co-locating TLS and non-secure on same port (WGLC: draft-ietf-tsvwg-iana-ports-08)

Nicolas Williams <Nicolas.Williams@oracle.com> Thu, 11 November 2010 18:07 UTC

Date: Thu, 11 Nov 2010 12:06:38 -0600
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: "t.petch" <ietfc@btconnect.com>
Subject: Re: [TLS] Security concerns around co-locating TLS and non-secure on same port (WGLC: draft-ietf-tsvwg-iana-ports-08)
Message-ID: <20101111180637.GE6536@oracle.com>
References: <p06240843c8fd6c508084@[130.129.55.1]> <4CD83312.5060000@extendedsubset.com> <20101108202407.GO6536@oracle.com> <4CD86FC4.4070308@extendedsubset.com> <20101108221016.GT6536@oracle.com> <4CD8A811.1080801@extendedsubset.com> <20101109035040.GA6536@oracle.com> <4CD98A16.4070004@extendedsubset.com> <20101109181114.GE6536@oracle.com> <007d01cb81bf$548f3880$4001a8c0@gateway.2wire.net>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, tls@ietf.org, tsvwg@ietf.org, Marsh Ray <marsh@extendedsubset.com>

On Thu, Nov 11, 2010 at 05:41:15PM +0100, t.petch wrote:
> > Philosophy is fine, but the original poster proposed something concrete
> > (that we drop StartTLS and just always use raw TLS); we should have an
> > answer to that.  Mine is that the arguments against StartTLS are weak,
> > and the arguments for always using raw TLS are also weak.  I'm
> > unconvinced by the OP's and others' arguments against StartTLS.
> 
> To return to (what I see as) the main purpose of the thread, I too
> think that StartTLS is a good, if not an excellent idea; I see no 
> difference in the vulnerabilities (although my cryptanalysis is weak).

There's no need for cryptanalysis w.r.t. what happens before TLS starts:
it must all be in the clear (relative to the application; IPsec could be
involved, of course).

> Sadly, whenever I have been involved in a WG developing App-X 
> over TLS, my record of convincing the rest of the WG is 100% failure.

I think it's fine for _some_ applications to require TLS at all times.
For most applications I'd prefer StartTLS, but that's due to my port-
preserving bias.  Looks like we need guidance from the IETF here:

> Also, this decision, StartTLS or separate ports, tends to be taken 
> early in the development cycle, while the request to IANA will only materialise
> five years or so later, so back pressure from IANA or the IESG will then meet
> an immovable mountain.  Really, any advice to a WG needs to put in front
> of them about the time the BOF is approved, which I don't see this I-D 
> having any material impact on!

We should probably have a BCP indicating which method is preferred, so
we can flog it at WGs early on.

Nico
--
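As an added illustration of Nico's point that everything before the TLS handshake is in the clear (this is example code, not from the thread or any IETF document): it models the two deployment styles under discussion, a separate TLS port versus a StartTLS-style upgrade, records which application bytes are exposed before TLS, and applies a client policy that fails closed when the upgrade cannot happen. The SMTP-style server responses are constructed, and the `require_tls` policy is an assumption.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Transcript:
    cleartext: List[str] = field(default_factory=list)  # lines sent before TLS
    tls_started: bool = False
    error: Optional[str] = None

def separate_port() -> Transcript:
    """Dedicated TLS port: the handshake is the first thing on the wire,
    so no application-level line is exposed in the clear."""
    t = Transcript()
    t.tls_started = True
    return t

def starttls_upgrade(server_ehlo: List[str], require_tls: bool = True) -> Transcript:
    """StartTLS-style upgrade: greeting, capability list and the STARTTLS
    command itself all travel in the clear before the handshake."""
    t = Transcript()
    t.cleartext.append("EHLO client.example")   # client -> server, cleartext
    t.cleartext.extend(server_ehlo)             # server -> client, cleartext
    # Capability keyword follows "250-" or "250 " on each response line.
    caps = {line[4:].split()[0].upper() for line in server_ehlo if len(line) > 4}
    if "STARTTLS" not in caps:
        # The capability list was received unprotected, so the client must
        # enforce its own policy rather than trust what the peer advertised.
        if require_tls:
            t.error = "STARTTLS not offered; refusing to continue in the clear"
        return t
    t.cleartext.append("STARTTLS")              # still cleartext
    t.cleartext.append("220 Ready to start TLS")
    t.tls_started = True                        # handshake begins here
    return t

# Constructed sample responses (not real server output).
EHLO_WITH_STARTTLS = ["250-mail.example", "250-STARTTLS", "250 SIZE 10240000"]
EHLO_WITHOUT_STARTTLS = ["250-mail.example", "250 SIZE 10240000"]

def exposed_line_count(t: Transcript) -> int:
    """Number of application lines observable before TLS protects the session."""
    return len(t.cleartext)

if __name__ == "__main__":
    for name, t in [("separate port", separate_port()),
                    ("starttls ok", starttls_upgrade(EHLO_WITH_STARTTLS)),
                    ("starttls missing", starttls_upgrade(EHLO_WITHOUT_STARTTLS))]:
        print(f"{name}: exposed={exposed_line_count(t)} tls={t.tls_started} err={t.error}")
```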