Re: [TLS] Security concerns around co-locating TLS and non-secure on same port (WGLC: draft-ietf-tsvwg-iana-ports-08)

Yoav Nir <ynir@checkpoint.com> Thu, 10 February 2011 07:19 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: tsvwg@core3.amsl.com
Delivered-To: tsvwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id ECFDA3A68C5; Wed, 9 Feb 2011 23:19:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xo+th-pbLZOG; Wed, 9 Feb 2011 23:19:09 -0800 (PST)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by core3.amsl.com (Postfix) with ESMTP id 974673A68A9; Wed, 9 Feb 2011 23:19:08 -0800 (PST)
X-CheckPoint: {4D539177-20000-1B221DC2-2FFFF}
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id p1A7JINS006850; Thu, 10 Feb 2011 09:19:18 +0200
Received: from il-ex03.ad.checkpoint.com (194.29.34.71) by il-ex01.ad.checkpoint.com (194.29.34.26) with Microsoft SMTP Server (TLS) id 8.2.255.0; Thu, 10 Feb 2011 09:19:18 +0200
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex03.ad.checkpoint.com ([194.29.34.71]) with mapi; Thu, 10 Feb 2011 09:19:18 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: Chris Newman <chris.newman@oracle.com>
Date: Thu, 10 Feb 2011 09:19:15 +0200
Subject: Re: [TLS] Security concerns around co-locating TLS and non-secure on same port (WGLC: draft-ietf-tsvwg-iana-ports-08)
Thread-Topic: [TLS] Security concerns around co-locating TLS and non-secure on same port (WGLC: draft-ietf-tsvwg-iana-ports-08)
Thread-Index: AcvI8tQluol13oALTNiL9FBwZWuVOQ==
Message-ID: <D841BE54-6ACC-4677-B8B5-F8F00A8745E4@checkpoint.com>
References: <4CD76B1B.5030308@ericsson.com> <D8B3FDB7A62612A570324BEB@nifty-silver.us.oracle.com>
In-Reply-To: <D8B3FDB7A62612A570324BEB@nifty-silver.us.oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailman-Approved-At: Fri, 11 Feb 2011 03:00:39 -0800
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, "tls@ietf.org" <tls@ietf.org>, tsvwg <tsvwg@ietf.org>
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tsvwg>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Feb 2011 07:19:10 -0000

I have to disagree with this.

On Feb 10, 2011, at 4:12 AM, Chris Newman wrote:

> I know I'm very late on this topic, but my position differs from others so 
> I'll comment.
> 
> I can not deny that separate-port for SSL is simpler to implement on the 
> server side (having done both). Since the odds of security bugs increases 
> with the amount of code, I must conclude that separate-port SSL is more 
> secure for _implementers_ and _implementations_ for that reason alone.
> 
> However, I believe STARTTLS is more secure for _operators_ and 
> _administrators_. The separate port model creates an illusion that there is 
> a "secure" and "insecure" variant of the protocol and that a single 
> firewall setting magically makes the application secure. In general, this 
> is not true. Most servers have several security settings and the default 
> settings have to compromise between common practice, secure-by-default 
> practice, deployability, management complexity and usability. There is, in 
> general, no way to make a server installation secure for a given site other 
> than to understand the security settings that server provides and set them 
> properly.
> 
> A protocol that uses STARTTLS thus has the advantage of forcing the 
> administrator/operator to look at the server's security settings to make 
> the installation secure, thus increasing the odds of success relative to 
> the separate-port model where an administrator might falsely assume they're 
> done after blocking the non-SSL port.

I think this is a recipe for failure. What you're saying here, is that by using separate ports, you cannot use the firewall to prevent non-secure connections and this forces the administrator to configure the server properly.

There are several things wrong with this:
1. It does not force the administrator to configure the server properly. At best, it forces them to find the "force SSL" checkbox and check it. That has pretty much the same effect as forcing this on the firewall. Some administrators will use any opportunity to configure the server wrong.
2. You underestimate firewalls. Modern firewalls can examine connections and cut them off if STARTTLS is not initiated in time. So the administrator still has the option of "fixing it in the firewall".

In short, you can't force administrators to do the right thing. Ever.