Re: [TLS] Security concerns around co-locating TLS and non-secure on same port (WGLC: draft-ietf-tsvwg-iana-ports-08)
Marsh Ray <marsh@extendedsubset.com> Tue, 09 November 2010 01:46 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tsvwg@core3.amsl.com
Delivered-To: tsvwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5E3433A67EC; Mon, 8 Nov 2010 17:46:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MJeu2D5mcu3u; Mon, 8 Nov 2010 17:46:35 -0800 (PST)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id 984F83A691C; Mon, 8 Nov 2010 17:46:35 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1PFdIX-0001ks-Tg; Tue, 09 Nov 2010 01:46:58 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id AEA1A6019; Tue, 9 Nov 2010 01:46:56 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1+qei+kO6z0PDoIlxrX5WotsI/+pHpYKW4=
Message-ID: <4CD8A811.1080801@extendedsubset.com>
Date: Mon, 08 Nov 2010 19:46:57 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.15) Gecko/20101027 Thunderbird/3.0.10
MIME-Version: 1.0
To: Nicolas Williams <Nicolas.Williams@oracle.com>
Subject: Re: [TLS] Security concerns around co-locating TLS and non-secure on same port (WGLC: draft-ietf-tsvwg-iana-ports-08)
References: <E1PFKZ3-0002jp-Bu@login01.fos.auckland.ac.nz> <p06240843c8fd6c508084@[130.129.55.1]> <4CD83312.5060000@extendedsubset.com> <20101108202407.GO6536@oracle.com> <4CD86FC4.4070308@extendedsubset.com> <20101108221016.GT6536@oracle.com>
In-Reply-To: <20101108221016.GT6536@oracle.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Tue, 09 Nov 2010 00:06:07 -0800
Cc: tls@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>, tsvwg@ietf.org
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tsvwg>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Nov 2010 01:46:37 -0000
Sorry Nico, this is not so much a reply to you specifically as I started thinking and writing about the SSH leap-of-faith/trust-on-first-use model. On 11/08/2010 04:10 PM, Nicolas Williams wrote: > > It's not always the case that you have a trust path to a > server, Why not? Or, rather, isn't that a reasonable prerequisite for security? Shouldn't the discussion of a secure protocol be able to presume it, much like RFCs tend to assume the existence of electrical power or non-backdoored computer hardware to run on? > so if we force TLS on all the time then we're also training > users to do SSH leap-of-faith (or worse, if the client isn't very good). > Now, SSH leap-of-faith is actually a pretty good solution, so maybe > that's OK. But we'd still be training users to keep clicking "OK [give > all my money to the bad guy]". The old "Click 'OK' to fail or click 'Cancel' to not succeed." dialog. The merits and limitations of leap-of-faith or trust-on-first-use (ToFU) have gotten a lot of discussion over the years, but I don't think there's an agreed-upon set of principles for deciding when it's appropriate for use in any given design. Most of us probably feel that it seems to work acceptably well in practice for administering servers via SSH, but is no good for general e-commerce web connections. Hard to say why. With ToFU, an unknown server to which the client has never previously attempted to connect is trusted implicitly, even with a higher level of privilege than an authenticated trusted server. Unauthenticated server X is allowed to permanently set the auth credentials of any arbitrary new target server T, whereas the fully authenticated and trusted server A is not. Aside from that, I think the thing that bugs me about ToFU is the definition of the term "first use". This subtly introduces state into the client side where it did not exist previously. For every possible target server, the client must be able to answer "Have I ever connected to this server before?". It's easy enough to think that the client doesn't need state on "every possible" target server and that he can just store the list of those that he has seen. But it's not so simple. When the question is posed of the data "have I seen this server before?" now a false negative outcome translates into vulnerability. But for most systems, it's usually action based on a false positive result that is the more costly to remediate. Many systems experience little consequence from false negatives (e.g., a missed cache opportunity). This relates to the concept that "it's very hard to prove a negative". In this case, the negative being accepted is "I have not used this server before". From a security design perspective, if there's something that's famously hard to do, you don't want your success at it to be a necessary condition for rejecting auth attempts from attackers. It really seems to go against a fundamental principle of cryptography: the legitimate parties can succeed with relatively easy computations whereas the attacker finds impractically hard logic problems stacked against him. But maintaining a mapping of servers to credentials on the client seems like a straightforward implementation task, something that we could implement reliably. But is it really? Many a developer has figured it would be simple to look for a server names in an x509 cert, but look how many issues that has raised. Why should looking up a server name in the client's ToFU history be different? (Except that, again, the failure mode is insecure in this case.) There's the one-shot timing attack: if MitM can be in a position to intercept a client's actual "first use" of a server, then he can supply fake credentials which allow him to impersonate the server indefinitely. There's a cookie-jar-overflow attack, too. No client can store an unlimited amount of server entries, so an attacker may be able to stuff entries in until the client software (or the user) is forced to discard some in order to make room for new ones. These attacks would likely be very practical for protocols involving HTTP or HTML because they allow an unauthenticated server to cause the client to initiate requests at arbitrary other servers. Frequently this capacity is used for things like precaching images on a web site, but an attacker could equivalently use it to preload one or more entries into the client's ToFU state. Even if a client presents a confirmation prompt to the user before adding an entry to the ToFU state (like SSH does), it could represent an information leak. An attacker could trigger requests to arbitrary servers and find out which ones the client had _ever_ accessed by the clients behavior when he goes to access those servers. Again, some other attackers could possibly preload false positive results which the first might misinterpret as evidence against the client. Also, the idea of "first use" is tied to the client system. Or to the user. Or to a specific user on the client system. Or something. The list of every web server your client system had ever connected to would obviously be confidential data. Yet, insofar as a client's loss of "first use" state represents a regression in its security, it needs to be continuously available too. What happens when the user transfers to another device? Aren't they obligated to back up that state and use it to initialize their new client system? What if you're the kind to get a new smartphone every few months. Do end up with less security than the person who's been running the same IE6 for the past 5 years? What if a server needs to revoke and start using new credentials for whatever reason? It's one thing to convince a single CA of a legitimate change in the server's credientials, but how would a popular site convince every client independently? Consider SSH's known_hosts files. If you're like me, you have used many SSH systems as clients over the years. I usually have filesystem permission bits protecting that file, but I don't consider it to contain anything interesting enough to think of as confidential either. When you have changed systems in the past, how often have you gone to the trouble of copying over your known_hosts file? I admit that I usually just accept a new first use of every server I access from the new client. Now consider the security of SSH if every random web page on the net were allowed to (or cause a prompt for) adding arbitrary entries to that file. >> I.e., the default failure mode is secure, rather than insecure. > > Only on the server side. If the firewall is not close to the client > then the client can still fallback on insecure connections. In many > cases it's the client that matters most. Good point. In that sense, egress rules on client-based firewalls could be as important as the inbound connections on the server side. - Marsh P.S. Just for the record, I do really like tofu (the curd) and eat it on a regular basis.
- Security concerns around co-locating TLS and non-… Magnus Westerlund
- Re: [TLS] Security concerns around co-locating TL… Paul Hoffman
- Re: [TLS] Security concerns around co-locating TL… Magnus Westerlund
- Re: [TLS] Security concerns around co-locating TL… Michael D'Errico
- Re: Security concerns around co-locating TLS and … Geoffrey Keating
- Re: [TLS] Security concerns around co-locating TL… Nicolas Williams
- Re: [TLS] Security concerns around co-locating TL… Marsh Ray
- Re: [TLS] Security concerns around co-locating TL… Marsh Ray
- Re: [TLS] Security concerns around co-locating TL… Nicolas Williams
- Re: [TLS] Security concerns around co-locating TL… Nicolas Williams
- Re: [TLS] Security concerns around co-locating TL… Nicolas Williams
- Re: [TLS] Security concerns around co-locating TL… Marsh Ray
- Re: [TLS] Security concerns around co-locating TL… Nicolas Williams
- Re: [TLS] Security concerns around co-locating TL… Richard Hartmann
- Re: [TLS] Security concerns around co-locating TL… Richard Hartmann
- Re: [TLS] Security concerns around co-locating TL… Nicolas Williams
- Re: [TLS] Security concerns around co-locating TL… Bill Frantz
- Re: [TLS] Security concerns around co-locating TL… Marsh Ray
- Re: [TLS] Security concerns around co-locating TL… Marsh Ray
- Re: [TLS] Security concerns around co-locating TL… Nicolas Williams
- Re: [TLS] Security concerns around co-locating TL… Nicolas Williams
- Re: [TLS] Security concerns around co-locating TL… t.petch
- Re: [TLS] Security concerns around co-locating TL… Marsh Ray
- Re: [TLS] Security concerns around co-locating TL… Nicolas Williams
- Re: [TLS] Security concerns around co-locating TL… Nicolas Williams
- Re: [TLS] Security concerns around co-locating TL… Martin Rex
- Re: [TLS] Security concerns around co-locating TL… Marsh Ray
- Re: [TLS] Security concerns around co-locating TL… Martin Rex
- Re: [TLS] Security concerns around co-locating TL… Nicolas Williams
- Re: [TLS] Security concerns around co-locating TL… Marsh Ray
- Re: [TLS] Security concerns around co-locating TL… Martin Rex
- Re: [TLS] Security concerns around co-locating TL… Nicolas Williams
- Re: [TLS] Security concerns around co-locating TL… Marsh Ray
- Re: [TLS] Security concerns around co-locating TL… Matt DeMoss
- Re: [TLS] Security concerns around co-locating TL… Nico Williams
- Re: [TLS] Security concerns around co-locating TL… Chris Newman
- Re: [TLS] Security concerns around co-locating TL… Yoav Nir
- Re: [TLS] Security concerns around co-locating TL… Joe Touch