IETF Logo Mail Archive

Re: [Uta] WGLC on draft-ietf-uta-tls-attacks-02

Chris Newman <chris.newman@oracle.com> Fri, 29 August 2014 20:47 UTC

Return-Path: <chris.newman@oracle.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 670BC1A6FDD for <uta@ietfa.amsl.com>; Fri, 29 Aug 2014 13:47:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.269
X-Spam-Level:
X-Spam-Status: No, score=-4.269 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_48=0.6, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VRyFIB_cYALN for <uta@ietfa.amsl.com>; Fri, 29 Aug 2014 13:47:29 -0700 (PDT)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D9A11A6FDC for <uta@ietf.org>; Fri, 29 Aug 2014 13:47:29 -0700 (PDT)
Received: from ucsinet21.oracle.com (ucsinet21.oracle.com [156.151.31.93]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s7TKlRa4027271 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <uta@ietf.org>; Fri, 29 Aug 2014 20:47:28 GMT
Received: from hermes-fe-2.easd.brm.oracle.com (hermes-fe-2.easd.brm.oracle.com [10.79.248.11]) by ucsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id s7TKlRmP026801 for <uta@ietf.org>; Fri, 29 Aug 2014 20:47:27 GMT
MIME-version: 1.0
Content-type: multipart/mixed; boundary="Boundary_(ID_/ctYMrdG2bhnnpRnHOAn1Q)"
Received: from [10.145.239.205] (nifty-silver.us.oracle.com [10.145.239.205]) by hermes-fe-2.easd.brm.oracle.com (Oracle Communications Messaging Server 7.0.5.31.0 64bit (built May 5 2014)) with ESMTPSA id <0NB300L0T5R0UJ00@hermes-fe-2.easd.brm.oracle.com> for uta@ietf.org; Fri, 29 Aug 2014 13:47:26 -0700 (PDT)
Date: Fri, 29 Aug 2014 13:47:23 -0700
From: Chris Newman <chris.newman@oracle.com>
To: Leif Johansson <leifj@sunet.se>, uta@ietf.org
Message-id: <E4765640DA12D7204FDCCD37@nifty-silver.us.oracle.com>
In-reply-to: <53F24630.6030701@sunet.se>
References: <53F1B167.3000202@mnt.se> <5D7E66F6642C1E1A80820A9D@96B2F16665FF96BAE59E9B90> <53F24630.6030701@sunet.se>
X-Mailer: Mulberry/4.0.8 (Mac OS X)
X-Source-IP: ucsinet21.oracle.com [156.151.31.93]
Archived-At: http://mailarchive.ietf.org/arch/msg/uta/dPrjLl9gryCDHIhsxmBOP26Mzso
Subject: Re: [Uta] WGLC on draft-ietf-uta-tls-attacks-02
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Aug 2014 20:47:31 -0000

--On August 18, 2014 20:30:08 +0200 Leif Johansson <leifj@sunet.se> wrote:
> On 2014-08-18 20:01, Chris Newman wrote:
>> --On August 18, 2014 9:55:19 +0200 Leif Johansson <leifj@mnt.se> wrote:
>>> This starts a 2 week working group last call on
>>> draft-ietf-uta-tls-attacks-02. Please send any final comments on the
>>> list by 1/9.
>> 
>> I had previously spent the time to write suggested text for the draft
>> (message attached).
>> 
>> It seems that suggested text was ignored. I strongly object to advancing this
>> draft without having my suggested text considered.
>> 
>> If I see a statement along the lines "your suggested text was not included
>> because of X", and the WG has rough consensus on that statement, that's fine.
>> 
>> But ignoring suggested text is not fine.
> 
> You got a response from stpeter
> http://www.ietf.org/mail-archive/web/uta/current/msg00476.html in which
> he pushed back on some of your text.

His comment on the first paragraph was "That seems accurate". He objected to
the last paragraph. I wrote a reply (attached) where I suggested dropping the
last paragraph as a compromise.

So absent other commentary, I believe the first paragraph should go in the
document:

===
2.9 STARTTLS Command Injection Attack (CVE-2011-0411)

A number of IETF application protocols have used an application-level command,
usually STARTTLS, to upgrade a clear-text connection to use TLS. Multiple
implementations of STARTTLS had a flaw where an application-layer input buffer
retained commands that were pipelined with the STARTTLS command, such that
commands received prior to TLS negotiation are executed after TLS negotiation.
This problem is resolved by requiring the application-level command input
buffer to be empty before negotiating TLS. Note that this flaw lives in the
application layer code and does not impact the TLS protocol directly.
===

This is an important motivation for design decisions in:
   http://tools.ietf.org/html/draft-newman-email-deep-02

> There was no further discussion on that thread so I don't think you got
> ignored, rather you didn't respond to stpeter's response to you.

I did respond to stpeter's message (response attached); I'm not sure why my
response is not in the archive.

		- Chris
--- Begin Message --- 
--On July 21, 2014 16:16:07 -0600 Peter Saint-Andre <stpeter@stpeter.im> wrote:
> Hi Chris, thanks for the proposed text. That's always appreciated.
> 
> On 7/21/14, 6:46 PM, Chris Newman wrote:
>> I've reviewed draft-ietf-uta-tls-attacks-01.txt and support its publication.
>> I believe the document would be improved by including CVE numbers for the
>> vulnerabilities in the document.
>> 
>> I had volunteered to write text describing the STARTTLS attack. Here's
>> strawman text:
>> 
>> ---
>> 2.9 STARTTLS Command Injection Attack (CVE-2011-0411)
>> 
>> A number of IETF application protocols have used an application-level
>> command, usually STARTTLS, to upgrade a clear-text connection to use TLS.
>> Multiple implementations of STARTTLS had a flaw where an application-layer
>> input buffer retained commands that were pipelined with the STARTTLS
>> command, such that commands received prior to TLS negotiation are executed
>> after TLS negotiation. This problem is resolved by requiring the
>> application-level command input buffer to be empty before negotiating TLS.
>> Note that this flaw lives in the application layer code and does not impact
>> the TLS protocol directly.
> 
> That seems accurate.
> 
>> Because several independent implementations had the same problem, use of
>> STARTTLS in new IETF protocols is discouraged.
> 
> I don't think it's the role of draft-ietf-uta-tls-attacks (which, if
> approved, would be an Informational RFC) to discourage the use of STARTTLS in
> new IETF protocols.

Fair enough, let's drop that sentence from the strawman text for this document.

> (I also don't think that the presence of bugs in implementations necessitates
> the kind of changes you have recommended here - instead, those bugs need to
> be fixed.)

What CVE-2011-0411 demonstrated is there's a class of implementation security
bugs that are possible with STARTTLS and do not occur with implicit TLS. Of
course those bugs should already have been fixed (and when we revise
specifications including STARTTLS we should mention the buffer-clearing
requirement in the updates). But even if we don't say so in any IETF
specifications, future new designs show avoid unnecessary opportunities for
implementation security bugs. That's simply good engineering. This is not to
say STARTTLS is fundamentally wrong-minded, or that we should try to deprecate
it in protocols that already use it or have a good reason to use it. The
underlying goal is more use of TLS and simpler use of secure TLS. To me, that
goal trumps many other considerations.

>> This attack is a key factor in changing the bias of the application area with
>> respect to use of STARTTLS
> 
> Is that "bias" captured in a document that has the consensus of the
> application area?

Not yet. But there is relevance to UTA because it impacts how we deal with
email protocols in particular. We've never documented or standardized imaps or
pop3s ports, they just got registered by a quirk of history. We've had STARTTLS
documented since RFC 2595 (June 1999). That document explicitly discourages use
of imaps and pop3s (and I believe all of the reasons for doing so were correct
except one of them). However, when we go out and measure what's deployed, there
are many sites that only offer imaps/pop3s and not STARTTLS+imap/POP and no
sites that offer STARTTLS without also offering imaps/pop3s. Whether or not I
like the outcome, the industry prefers separate-port SSL/TLS and will deploy it
more widely than STARTTLS. So I was wrong to prefer STARTTLS in the past,
regardless of the validity of my reasons.

Even SMTP submission where port 465 was de-registered, the industry still makes
heavy use of that port for Submission+TLS, often instead of the documented
SMTP+STARTTLS mechanism.

> Furthermore, has the application area discovered how to
> weigh the no-STARTTLS bias against the port-conservation bias captured in RFC
> 6335?

Registering a TLS-only port for a new protocol is sensible. What the
port-conservation bias means is that registering a non-TLS port for a new
protocol needs to be justified.

> IMHO this topic is probably out of scope for the UTA WG, and deserves to be
> openly aired in the application area so that consensus can be reached there.
> Until such a consensus is reached, I don't think we can make such a strong
> statement in any of the UTA documents.

I don't agree the topic is out of scope for UTA WG, but I agree it needs more
discussion and don't care where that discussion happens.

		- Chris
 

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
--- End Message ---

v2.23.0 | Report a Bug | By Email