IETF To Change TLS Implementation In Applications

← Back to Stories (view on slashdot.org)

IETF To Change TLS Implementation In Applications

Posted by timothy on Saturday December 14, 2013 @08:31PM from the nice-orderly-scramble dept.

Trailrunner7 writes "The NSA surveillance scandal has created ripples all across the Internet, and the latest one is a new effort from the IETF to change the way that encryption is used in a variety of critical application protocols, including HTTP and SMTP. The new TLS application working group was formed to help developers and the people who deploy their applications incorporate the encryption protocol correctly. TLS is the successor to SSL and is used to encrypt information in a variety of applications, but is most often encountered by users in their Web browsers. Sites use it to secure their communications with users, and in the wake of the revelations about the ways that the NSA is eavesdropping on email and Web traffic its use has become much more important. The IETF is trying to help ensure that it's deployed properly, reducing the errors that could make surveillance and other attacks easier."

20 of 80 comments (clear)

Min score:

Reason:

Sort:

Ok by trifish · 2013-12-14 21:09 · Score: 4, Insightful

Just, please, this time, try to be more careful about who joins your working groups. And especially what their true intentions are.
Sometimes when someone tries to "simplify deployment" or "offers insight to prevent user confusion", etc., you may want to think twice. History repeats itself, you know.
1. Re:Ok by bmimatt · 2013-12-14 21:34 · Score: 2
  
  And open it up for everyone on the Internet to be able to review. That's the only way to avoid sabotage. Github it.
2. Re:Ok by AHuxley · 2013-12-14 22:57 · Score: 2
  
  Re History repeats itself, you know.
  I would suggest reading all about Engima, Enigma after ww2, the NATO/embassy encryption with 'tempest' plain text and later sales of weakened global crypto machines with junk math, early cell phones....
  All this was well understood into the 1990's.
  Snowden now fills in the missing US telco and US crypto gaps in US science/gov/academia.
  A lot of trusted junk telco tech and code seems to have passed with great reviews :)
  http://it.slashdot.org/story/11/06/06/2045203/25-of-us-hackers-are-fbicia-informers
  
  --
  Domestic spying is now "Benign Information Gathering"
End of certificates, please? by d33tah · 2013-12-14 21:22 · Score: 5, Interesting

Does this mean that we'll finally give up on this sick certificate-based trust scheme? It's not like Moxie hadn't proposed his own solutions, even with implementations... why don't we make THESE internet standards? Making encryption stronger is just pointless if you can fake a ceritificate.
1. Re:End of certificates, please? by Anonymous Coward · 2013-12-14 21:33 · Score: 2, Informative
  
  The blame should not be put on using certificates but trusting an unknown certificate just because one of 500 or so certificate authorities signed it.
2. Re:End of certificates, please? by d33tah · 2013-12-14 21:36 · Score: 3, Interesting
  
  I agree. But that's what makes this model useless. We shouldn't outsource trust to CA's, but push it to the users. Let them decide who do they trust. If, after the VeriSign fiasco they don't trust VeriSign anymore, they should be able to revoke the trust without losing the ability to view 1/4 of the internet. Seriously, guys, go watch any Moxie's talk and you'll understand the issue much better.
3. Re:End of certificates, please? by Anonymous Coward · 2013-12-14 22:14 · Score: 2, Insightful
  
  Does this mean that we'll finally give up on this sick certificate-based trust scheme?
  No. There are many people and institutions that are fine with the existing scheme and are not interested in adopting new techniques to thwart the NSA or whomever. The US government, for instance, will not be adopting an anti-NSA mentality any time soon, so they're not going to walk away from traditional CAs. Many businesses see no jeopardy to their business model if they continue to use cryptographic techniques that are vulnerable to the NSA or other national governments; as long as those techniques are sufficient to avoid legal jeopardy (disclosure laws, etc.) in the nations they operate in they won't concern themselves with the issue. In fact, they will almost certainly conclude that pursuing new techniques specifically to overcome these vulnerabilities will draw unwanted attention.
  Sorry but there it is.
4. Re:End of certificates, please? by Skylinux · 2013-12-14 22:37 · Score: 2
  
  Let them decide who do they trust.
  It will fail right here. Most users can not be trusted to make informed decisions.
  How could they when they don't even know the difference between a hard drive, a modem or the case housing the individual components?
  I prefer your solution but the industry is not moving towards "more user rights".
  
  --
  Everyone who buys Wild Hunt will receive 16 specially prepared DLCs absolutely for free, regardless of platform.
5. Re:End of certificates, please? by SuricouRaven · 2013-12-15 00:39 · Score: 2
  
  So tell us, what else do you propose? CAs are useless as defending against intelligence services, but they do a pretty good job against your basic internet crime. There have been instances of fraudsters getting certificates incorrectly signed by social engineering and things like that, but such events are quite rare. A WoT model might work too, but it isn't going to offer much security against intelligence agencies either - it wouldn't be hard to influence various well-connected companies to endorse anything.
  The problem with any sort of trust model is that it's impossible to authenticate a service without either a pre-shared secret or a trusted third party. Mathematically, it's not solveable, at least in a general sense.
6. Re:End of certificates, please? by Anonymous Coward · 2013-12-15 00:42 · Score: 2, Funny
  
  Maybe the government could run a CA, and then we all just trust that one CA.
7. Re:End of certificates, please? by mysidia · 2013-12-15 02:59 · Score: 4, Interesting
  
  Making encryption stronger is just pointless if you can fake a ceritificate.
  We should start, by allowing certificates to have multiple signers
  Instead of everyone trusting a small number of CAs --- the certificate should bear a number of signatures, and you should be able to score a certificate based on how much you trust the signers.
8. Re:End of certificates, please? by IamTheRealMike · 2013-12-15 06:13 · Score: 2
  
  X.509 already supports this and complex, non-hierarchical trust schemes are frequently used.
  The problem is it doesn't make any difference because you still need to be able to connect to servers that are only signed by one CA, and you have no way to know ahead of time how many signers there should be for any given host. And if all clients accept one signer, why would anyone pay for two?
  This idea fails for another reason - many CA's validate your websites identity by connecting to it. If you take control of a server/domain name or MITM it temporarily, you can probably find at least 3 CA's that validate ID in the same way and get all three to issue a bogus cert.
  These are hard problems. Simple as that.
9. Re:End of certificates, please? by Zeinfeld · 2013-12-15 11:33 · Score: 2
  
  The CA model was never designed to do more than support Internet commerce. It was designed to be secure enough to exchange credit card information.
  CAs are not useless against defending against intelligence services, they are only vulnerable to being suborned by a limited number of such agencies, the ones that they have plant in. And any defection is visible on the Internet. Hence the use of schemes such as Comodo CertSentry and Google's Certificate Transparency which are designed to prevent covert subornation of a CA by making the results of the attack visible.
  One of the many reasons security is hard is that you have to defend against all the attacks, not just one particular one that someone is obsessing about. Nobody has proposed a replacement for the CA model that works as well within the existing constraints.
  Peter Eckersley proposed a scheme 'Sovereign Keys' that solves the hard problems of PKI by pretending that the system administrator will never ever make a mistake. Moxie's 'Convergence' is three years old now and we are still waiting for an actual written specification. The problem with Convergence is that it depends on a notary infrastructure that doesn't have a business model. So it is hard to see how the world of commerce is going to be keen on moving to an infrastructure that we know will have scaling issues.
  The CA model isn't prefect but it is the only part of the Internet security apparatus that fails rarely enough for the failures to still be news. McAfee fails to spot viruses on an hourly basis. There are serious security fixes for Windows, OSX and Linux every single month. Those don't make the news because they aren't news any more.
  The market for the proposals that are 'stronger' is essentially the same as the constituency that use PGP every day and use Tor and keep their money in BitCoin. It is not a negligible constituency but the people who are in it have to spend about a quarter of their waking moments managing their security.
  Web of Trust isn't perfect either. Choosing between the two is pointless because neither meets every need that the other meets. So instead of having the argument over which one to pick we should work on ways that let people use both in a seamless connected fashion.
  
  --
  Looking for an Information Security student project suggestion?
  Try http://dotcrimeManifesto.com/
10. Re:End of certificates, please? by thogard · 2013-12-15 11:59 · Score: 2
  
  GOSSIP is still the required email system for the US DOD and other government agencies. It is just that SNMP is an allowed migration plan thanks to two words I added to a very large document a long time ago. There is no functioning X.400 email system that I know of. Exchange was catching up with the very broken ISODE which had been the reference implementation for decades.
We did it wrong, let's do it wronger still. by VortexCortex · 2013-12-14 22:13 · Score: 2, Interesting

Consider this scenario: You're about to connect to a resource, but the service says you need to authenticate. So, a browser native login box pops up. You enter your credentials and those are hashed with the session nonce to key the symmetric ciphers, the connection then commences since the server already has a shared secret with you. It's not like HTTP Auth doesn't exist, it's just that TLS is ignorant of HTTP. If you have a secret GUID on the system, you can hash the domain name of the server with it to produce a unique user ID for each server. Same goes for a master password: HMAC( MPW, Domain + Salt ) = Session generator. HMAC( gen, nonce ) = session key. There, now you don't have to create a new account everywhere you go. One login for everywhere, and the sites can associate a nickname with the UID code if they want. Change your salt and you change all logins everywhere without having to change your password. Only time public key crypto is needed is when you exchange the UID and generator, for everything else use symmetric encryption with the pre shared secret. The window is small enough that PKI is moot.
Besides all the browsers explicitly trust cert roots in known enemy states, so PKI is moot anyway. FF > Preferences > Advanced > Certificates > View Certificates > Hong Kong Post... They can create a cert for Google.com without Google's permission and if they're a MITM, you get a big green secure bar and everything. No one checks the cert chain every time (shouldn't have to), and even if they did the govs can compel the CAs to generate certs under secret orders, or just infect them with a zero-day and do it themselves. All your retard is belong to IETF.
Oh, hey, while you brilliant bastards are at it, why don't you give us salted hashes in the HTML tags that pull in external resources? This way the encrypted page can specify validation codes for the external cache-able content and we can be sure it's not tampered with. Let's end that whole "mixed content" warning bullshit by making HTTP and TLS minimally aware of each other. <img src="..." hash="SHA2/base64: SUVURiBpcyBhbiBveHltb3Jvbi4K" salt="..."> Wow! How fucking difficult is that! Oh, snap! There must be some kind of alien super intelligence infecting my brain, hide your kids, hide your whitepapers!
Oh, That's Right. TRANSPORT Layer security. Ah, gotcha. Sorry, wouldn't want to make you all look like a bunch of morons by suggesting that the layers are just arbitrary lines you don't let interactions across for no damn reason except to further ensure nothing on the net is fucking secure. You know, not like it didn't take me all of one session thinking about this while taking a shit to figure out how you ruined everything, IETF. Internet Eradication Terrorist Fucks? That's what it means, doesn't it?
Earth: The longest running case study in how not to advance as a space faring race.
1. Re:We did it wrong, let's do it wronger still. by mattpalmer1086 · 2013-12-14 23:28 · Score: 4, Interesting
  
  Well, I can't really make out what you're proposing here.
  As far as I can see, the client side has three secrets to maintain - the GUID, master password and salt. If the GUID is unique to a computer, your accounts only work from a single machine, and if you lose the GUID then you lose access to all your accounts. Correct?
  The nonce is a "number used once" - i.e. randomly generated for each session in a cryptographically sound way.... so how do the server and client negotiate the nonce for each session? Does one pick it and encrypt it to send to the other? Do they both participate in picking it? Do they use something like Diffie-Hellman to arrive at the value?
  I really don't understand your point about changing the salt equals changing your logins without affecting your password. Do you mean if I wanted to lose access to all my accounts everywhere and begin again, I wouldn't have to change my password?
  And... how do you know you're talking to the right server in the first place? I don't see any server authentication at all in your proposal.
  That's enough for now. The one thing I've learned from studying protocols is that it's really, really hard to get right. Not because the people creating them are dumb or have malicious intent. It may well be time to start creating a new protocol to replace TLS eventually, using what we now know about trust, authenticated encryption, protecting the handshake and side channel attacks. And possibly using some new techniques in there, like identity-based encryption...
First things first, limiting CA's scope, please. by Anonymous Coward · 2013-12-14 23:06 · Score: 5, Interesting

One of the major problems is that currently no limits to what a CA can sign, and even though there is a urgent need to do major revamp to the protocol, I would like see first that TLS 1.next would at least fill that gap.
Can someone, please, if they can justify why for example Türktrust can sign a certificate for a *.gov and .*mil domain? Or why Spanish CA issued a wildcard *.google.com to someone, please?
Limiting that to happen, should be a minimum short distance goal, implementation shouldn't be delayed many years but possibly starting from beginning 2015.
There are many ways to implement these. Adding OID's to root certificate stating policy TLD's which CA is authorized and then also verified from TLD controlling party DNS query asking RR's for that CA whether policy is current and not revoked. The protocol could be lightweight DNSCurve for example. But like I said, there are many ways doing it. Hardest one to solve would be those where no connection exist to network before offered certificate, such as 802.1x/EAP, without chicken-and-egg problems.
IMHO, now founded new work group should concentrate longer period development, but first things first. The big gaping hole in current implementation should be fixed ASAP.
Two years ago a post (Honest Achmed's Used Cars and Certificates) to apply root CA from Mozilla was funny, but not any more. The there are so many incidents with falsely issued certificates, even root certificates, that they could have admitted root to Achmed and his brother who knows few things about computers and situation wouldn't have been much worse by now.
join the group. I did. Most work done via mailing by raymorris · 2013-12-15 02:57 · Score: 5, Informative

This work is being done by IETF, the Internet Engineering Task Force, which is an open organization who does most of their work via their mailing list. Anyone can read the daily message archive or join. I was a member for several years and you too are welcome to lurk or join and be active.
The only caveat is please remember this is how Jon Postel, DJB, and others of similar skill get work done. Anything you post goes to the email of many of the internet's primary architects, so please read for a while first to get a feel for how the group works, then contribute in your area of expertise. When posting, you're working with the world's top experts on internet technology, so please keep that in mind.
Re:First things first, limiting CA's scope, please by mysidia · 2013-12-15 05:30 · Score: 2

Can someone, please, if they can justify why for example Türktrust can sign a certificate for a *.gov and .*mil domain? Or why Spanish CA issued a wildcard *.google.com to someone, please?
Personally; I would favor requiring Server certificates to be signed by a minimum of 3 CAs; perhaps by using a separate trust document file; "Third party CA a auxillary attestation of certificate trust".
The standard could then be --- at least two of the authorities must reside in different geographical jurisdictions. At least three of the attestations must be from authorities that have no business relationship with each other.
And: The user can specify a number of "points" to assign to each CA on a scale from 1 to 5; with a browser default value of 3 for major CAs such as Verisign.
If the score of the certificate is less than 8, or another value user-configured, then the cert is untrusted.
Vint Cerf by raymorris · 2013-12-15 06:43 · Score: 2

Vint Cerf is active with IETF, or was when I was.
When I was new, I very nearly publicly scolded him for posting off-topic. I composed a scolding email before realizing who I was scolding. When I saw that it was v.cerf@ I decided to let someone else, TB Lee or someone, do the scolding if necessary. That that I'm adverse to telling the emperor he has no clothes, but I was a total newbie, a baby compared to them, so I felt I should let the long-time members uphold their own code etiquette in the way they had established.
It was actually Cerf I was thinking of when I wrote Postel, but I'm sure Postel probably was, or would have been, a member.
IETF was good for me in the same way that LKML is. I have a pretty big ego and working with Cerf and people like that helps keep me right-sized. I'm reminded that I'm neither a big shot nor a newbie, but just another guy with some arbitrary level of ability. I know more than some people and I know less than some people. When I start to think I'm an expert, a look at my inbox reminds me that on any topic there are at least a hundred people more expert than I.