IETF Logo Mail Archive

Re: [Uta] Adoption call for draft-sheffer-uta-rfc7525bis-00

Keith Moore <moore@network-heretics.com> Fri, 01 May 2020 23:43 UTC

Return-Path: <moore@network-heretics.com>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 022843A151C for <uta@ietfa.amsl.com>; Fri, 1 May 2020 16:43:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=messagingengine.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OJJboXsyxQ99 for <uta@ietfa.amsl.com>; Fri, 1 May 2020 16:43:42 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AAE2B3A151B for <uta@ietf.org>; Fri, 1 May 2020 16:43:41 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id F3B2A5C0311; Fri, 1 May 2020 19:43:40 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute4.internal (MEProxy); Fri, 01 May 2020 19:43:40 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=mGdo4+ Fml/Ifu8JpWKLpjHLD5NcZurIbYCtouWSBLmc=; b=Uxk512RLlE+59YHp91Mnhn dLC7m0SNz/zneh9P0/FZKO1Z1ayRT4FRZpVP9sILWyfpC0A2QWC4eNlmJk5k3YbX x1WfsyhgK3RR8jQc4VUtO2OCvNmeOm1o9pqiECsQSFgSDO3RwZfeEJ6h+Yo2Fqnh o8XU8yZuLkr3QNGNGVmAgk1CTyB6lEzkSRVCMjE6CrDTErotX5xQX+rGUDYNzVU3 23WeO/JOfMSGoppRyZzXVsW+mMGSShSCydLZpQO1FmF9MpDjuesY76GVmW9X0gO5 YFFxD8YBfNvz5p8qWgIbu5S54I0hUJ2XqBvPC2z3sP44o1mv3T1Im+sjXrZonKiw ==
X-ME-Sender: <xms:LLSsXiOE5sw3gk1o2z7nIsNWe4V_-D_DGJMQ0rqhHJHAx24tkHX4rw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduhedrieekgddvgecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepuffvfhfhkffffgggjggtsegrtderre dtfeejnecuhfhrohhmpefmvghithhhucfoohhorhgvuceomhhoohhrvgesnhgvthifohhr khdqhhgvrhgvthhitghsrdgtohhmqeenucggtffrrghtthgvrhhnpeevfeetudeigedtle dvvddtudefjeejffdvfeetjeeiueelgfdtgfegtdffkeetudenucfkphepuddtkedrvddv uddrudektddrudehnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilh hfrhhomhepmhhoohhrvgesnhgvthifohhrkhdqhhgvrhgvthhitghsrdgtohhm
X-ME-Proxy: <xmx:LLSsXvbFktWcYfsZfkZyw1NT9vfRNg873ix2gLzoXP1gy0hTIyccjQ> <xmx:LLSsXgbVjZ-inzEyQdFbQ4jpPHpbYsXsdg3ZvOCK_SlwvAsifsqAUg> <xmx:LLSsXmTMiaRpG48dbhwzsKYSb9uKTQTi_4ZPdpyW01v988m_uq_Pzg> <xmx:LLSsXnNKzFZFh1eBoQggSgOdZAyVNoLewvXFOsySTfYRYMLgn3ihLw>
Received: from [192.168.1.97] (108-221-180-15.lightspeed.knvltn.sbcglobal.net [108.221.180.15]) by mail.messagingengine.com (Postfix) with ESMTPA id 003B73280063; Fri, 1 May 2020 19:43:39 -0400 (EDT)
To: Eric Rescorla <ekr@rtfm.com>
Cc: uta@ietf.org
References: <004801d61bae$08a61590$19f240b0$@smyslov.net> <dfe39508-b37a-f008-91d3-cb36bcb84ae1@network-heretics.com> <CABcZeBP0_Jq1v9j5pDL4Ne_+5CyXuimJq90MLGzNME9zoHh2bw@mail.gmail.com>
From: Keith Moore <moore@network-heretics.com>
Message-ID: <cd965903-17fe-4374-9e18-7a5107fa6e47@network-heretics.com>
Date: Fri, 01 May 2020 19:43:39 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0
MIME-Version: 1.0
In-Reply-To: <CABcZeBP0_Jq1v9j5pDL4Ne_+5CyXuimJq90MLGzNME9zoHh2bw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------013695460FD87B864CDE4100"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/xMFxXaasuokV6ih2qEg6UODF_P4>
Subject: Re: [Uta] Adoption call for draft-sheffer-uta-rfc7525bis-00
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 May 2020 23:43:44 -0000

On 5/1/20 6:48 PM, Eric Rescorla wrote:

> On Thu, Apr 30, 2020 at 7:59 PM Keith Moore 
> <moore@network-heretics.com <mailto:moore@network-heretics.com>> wrote:
>
>     People do not always have the luxury of upgrading their clients and
>     servers to versions that support the recent TLS.    Some legacy
>     hardware
>     has firmware that cannot be upgraded because no upgrades are
>     available.   Service providers do not always have the leverage to
>     insist
>     that their customers upgrade, or the luxury of abandoning
>     customers. etc.
>
>
> Somewhat tangentially from the topic at hand: if you are running a 
> piece of hardware that cannot upgrade its TLS stack at all, you quite 
> likely have a number of serious unpatched vulnerabilities, and should 
> reconsider whether it is safe to have that hardware attached to the 
> Internet. Of course, you might be running some ESR software where you 
> can only take security releases, in which case this does not apply.

Quite often the issue is not the hardware, but the lack of support.  In 
my experience, many appliances with IP interfaces have no long-term 
support to fix security issues, because (for various reasons) there's no 
revenue stream to support it, and there was never any plan to provide 
long-term support.   But the problem is even deeper than that - 
customers expect to pay for the product up front and little if anything 
for ongoing support. Even if the vendor wanted to sell the long term 
support contract there's little chance that the customer would pay for 
it.  (I'm thinking industrial markets here, but consumer hardware often 
has similar issues.)

(And sometimes the compilers, linkers, etc. needed to build a new 
version of the device firmware are not easily found, and sometimes those 
tools don't run on newer operating systems, so upgrading these platforms 
can be much more complicated than just updating the source code and 
recompiling.)

>
>     I also think it's odd that there are recommendations like this
>     that say
>     "don't support TLS x.y" but say nothing about not supporting
>     cleartext
>     for protocols that still have a cleartext mode.  Even SSL 1.0 is
>     probably better than cleartext (at least from a security
>     perspective, if
>     not from a support burden perspective) as long as it's not trusted
>     to be
>     secure.
>
>
> While perhaps technically true, for the reasons above I believe this 
> to be irrelevant: TLS 1.2 is nearly 12 years old. At this point, any 
> implementation which does not support it should be presumed to be 
> insecure regardless of our opinion on the specific protocols it supports.

I agree that such devices are likely insecure, but there are still 
devices in service that only speak TLS 1.0 or 1.1.   Are we going to 
insist that no standards-conforming peer programs should be able to 
communicate with them?   (I fully agree that new standards-conforming 
peer programs should not label such connections as "secure")

Keith

v2.23.0 | Report a Bug | By Email