Re: [TLS] Security concerns around co-locating TLS and non-secure on same port (WGLC: draft-ietf-tsvwg-iana-ports-08)

Magnus Westerlund <magnus.westerlund@ericsson.com> Mon, 08 November 2010 10:11 UTC

Message-ID: <4CD7CCCA.20304@ericsson.com>
Date: Mon, 08 Nov 2010 18:11:22 +0800
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Subject: Re: [TLS] Security concerns around co-locating TLS and non-secure on same port (WGLC: draft-ietf-tsvwg-iana-ports-08)
References: <E1PFKZ3-0002jp-Bu@login01.fos.auckland.ac.nz>
In-Reply-To: <E1PFKZ3-0002jp-Bu@login01.fos.auckland.ac.nz>
Cc: "tsvwg@ietf.org" <tsvwg@ietf.org>, "mike-list@pobox.com" <mike-list@pobox.com>, "paul.hoffman@vpnc.org" <paul.hoffman@vpnc.org>, "tls@ietf.org" <tls@ietf.org>

Peter Gutmann wrote 2010-11-08 13:46:
> I kinda missed this in the original, but I can't let it go unchallenged:
> 
>> My summary of that comment is that STARTTLS for SMTP (RFC 3207) has
>> been shown to have some security issues, be more complex to implement
>> than using two ports, and thus be less popular.
> 
> What is this claim based on?  About a year after the initial STARTTLS spec was
> published, I and a few other security geeks did some informal surveys of mail
> being processed at a couple of large sites and found that STARTTLS, after a
> year, was securing more mail than all other email encryption protocols
> combined, and that was a decade ago.  (And going back to Paul Hoffman's
> original post, as the author of the world's most successful email encryption
> RFC I don't think he has anything to apologise about).
> 
> So, what research or figures is the above claim, that STARTTLS is less popular
> than using port 465, based on?
> 

Sorry for the confusion, I made a mistake in the summarization. Paul has
straightened this out.

Cheers

Magnus Westerlund

----------------------------------------------------------------------
Multimedia Technologies, Ericsson Research EAB/TVM
----------------------------------------------------------------------
Ericsson AB                | Phone  +46 10 7148287
Färögatan 6                | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------