LibreSSL languishes on Linux

Posted Jan 5, 2021 9:17 UTC (Tue) by tialaramex (subscriber, #21167)
In reply to: LibreSSL languishes on Linux by flussence
Parent article: LibreSSL languishes on Linux

If you want to blame somebody for the fact that HTTP out of the box wasn't secure, I recommend blaming Tim.

Do you have an example of "most protocols that aren't built on 1960s tech" which can deliver the three things TLS offers: Authentication, Confidentiality, Integrity - for the public Internet and in a way that's "automatic and frictionless" ?

RFC 8446 seems to me to be a relatively small document, you certainly couldn't implement it in a weekend, but aside from the very strange spelling of the protocol (e.g. HelloRetryRequest is spelled as a ServerHello) which we can blame firmly on middeboxes, it's extremely intuitive and I was very pleased with how elegant it is.

LibreSSL languishes on Linux

Posted Jan 5, 2021 12:27 UTC (Tue) by Lennie (subscriber, #49641) [Link] (1 responses)

IETF and everyone involved because of past experiences have figured out that simplicity is very important and the number of extension need to be kept in check. Previous versions definitely were not as simple. The same goes for example for IPSEC. My guess is their is now also a much better understanding of what these protocols need to support instead of adding features later.

LibreSSL languishes on Linux

Posted Jan 5, 2021 20:35 UTC (Tue) by tialaramex (subscriber, #21167) [Link]

I don't think it's correct to say that "number of extension need to be kept in check". The concern was around the core primitives, you probably don't need eight different block ciphers whose main distinguishing feature is which major world power sponsored their development, you don't need to keep obsolete and arguably unsafe key exchange methods available just because it suits a few implementers, and so on. But the extensions have, if anything, multiplied.

The nice thing is that (within their assumptions†) the correctness proofs don't care about extensions. If you use certificate compression (forthcoming TLS 1.3 extension) or flags (likewise) or even Encrypted Client Hello (far more radical, but ultimately expressed as an extension) you keep all the behaviours that were proved, because the proof doesn't care.

† And there's a crack. For example the only known TLS 1.3 attack "Selfie" depends on an unstated assumption of the proof. The proof assumes PSKs are singular, if Alice and Bob each run both a TLS client and a server secured just by PSK, they actually need _two_ PSKs, the Alice->Bob key and the Bob->Alice key. But this assumption isn't spelled out. Lacking such explicit warning you might assume one Alice+Bob key will get the job done, then Mallory redirects Alice's call to Bob back to Alice, Alice's client assumes she's talking to Bob and mistakes her own answers for Bob's. Does that blow up your security? Alas RFC 8446 as written does not warn you that this would happen and what countermeasures you should use to avoid it.

LibreSSL languishes on Linux

Posted Jan 5, 2021 13:51 UTC (Tue) by shaded-enmity (guest, #119983) [Link] (1 responses)

> If you want to blame somebody for the fact that HTTP out of the box wasn't secure, I recommend blaming Tim.

I don't understand the logic behind this argument. The boom of the internet wasn't about things being secure, but about things being connected and accessible. You can't have your cake and eat it too.

LibreSSL languishes on Linux

Posted Jan 5, 2021 14:40 UTC (Tue) by smoogen (subscriber, #97) [Link]

Then you are in agreement with the poster you quoted. They just used a different way of stating it.

LibreSSL languishes on Linux

Posted Jan 5, 2021 14:48 UTC (Tue) by flussence (guest, #85566) [Link] (5 responses)

My point is RFC 8446 is not a standalone document. If you implement code for everything in there but stub out the parts regarding certificates then you've done probably 5% of the work needed to interoperate.

LibreSSL languishes on Linux

Posted Jan 5, 2021 20:55 UTC (Tue) by tialaramex (subscriber, #21167) [Link] (4 responses)

Firstly this doesn't seem responsive to the question. I asked for an example, and what I see here is an excuse. I think this is because you do not have such an example, that in fact "most protocols" do not deliver what you claimed after all.

Secondly, RFC 8446 is designed to work fine without certificates. You get a complete working system, including forward secrecy. However in this model you'll need to agree Pre Shared Keys with every single server you want to talk to (and they should agree separate keys with each of their clients). This might be nice for a system that connects speakers in each room of your home over WiFi to a central music playing device for example, but it's not viable for visiting arbitrary web sites.

The need for a PKI (and thus Certificates) happens when you'd like (as we do) to securely authenticate any system connected to the Internet. And this isn't out of some weird fetish for as you say 1960s technology, we simply do not know any alternatives that actually work. The usual claims are either that TOFU is "good enough" (good enough that you'll get exploited and never know it, perhaps) or that the Web of Trust works at scale (it does not).

LibreSSL languishes on Linux

Posted Jan 5, 2021 22:38 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link] (3 responses)

PKI is fine, it's just that distributed PKI is not fine. Way too many points of failure.

Instead we should have pushed DNSSEC-based security, this way you only need to trust you domain name registrar instead of ALL three hundred or so certificate issuers in all kinds of jurisdictions.

LibreSSL languishes on Linux

Posted Jan 6, 2021 2:20 UTC (Wed) by NYKevin (subscriber, #129325) [Link] (2 responses)

You don't have to trust the CAs. Certificate Transparency is mandatory for a cert to be accepted by Chrome (at least), and the CA/B will absolutely drop CAs that issue bogus certs. Delisting is an existential risk for a CA, and they are going to fight tooth and nail within whatever process exists in the local jurisdiction to prevent it from happening.

The other problem is that the system you are describing already exists. It's called DANE, and the basic difficulty with it is that a surprisingly large number of users are (or were) using an amazingly bad DNS resolver that can't even look up a simple TXT record, let alone pull down an entire X.509 certificate.[1] Also, there are crypto issues (which I don't pretend to understand).

[1]: https://www.imperialviolet.org/2015/01/17/notdane.html

LibreSSL languishes on Linux

Posted Jan 6, 2021 2:28 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

> You don't have to trust the CAs. Certificate Transparency is mandatory for a cert to be accepted by Chrome (at least), and the CA/B will absolutely drop CAs that issue bogus certs.
You still can work around it by issuing backdated certificates. I think that window is going to close in 2 years, though.

> It's called DANE
I know about DANE, it's not a solution. A more realistic solution is DNS stapling, basically instead of the regular X509 the certificate the server supplies the DNSSEC-signed replies all the way up to the root zone. The client then just validates the signature chain.

LibreSSL languishes on Linux

Posted Jan 6, 2021 8:22 UTC (Wed) by tialaramex (subscriber, #21167) [Link]

> You still can work around it by issuing backdated certificates. I think that window is going to close in 2 years, though.

For Chromium the relevant code is published: https://source.chromium.org/chromium/chromium/src/+/maste... look at lines around 950 or so

There are four epochs we care about:

1. Ancient history, before there were any rules at all, Chromium arbitrarily assumes certificates must not have had lifetimes exceeding ten years. Did any certificates actually do that? Maybe, but they've never worked in Chrome, so we can assume they're not used. This epoch ended in 2019, and so is now irrelevant

2. The original Baseline Requirements began in July 2012 and allow 60 months (which is to say, five years) for grandfathered scenarios. However in April 2015 this rule changed, so the last such certificate expired last year, in April 2020.

3. The "modern" Baseline Requirements from April 2015 allow 39 months in all cases. This regime ended by consent in March 2018. So the last such certificate expires 1188 days after that at the end of May 2021, almost five months from now.

4. The last such consensual BR amendment in March 2018 allows 825 days. This ended de facto in September 2020. So the last such certificate expires 825 days later, in December 2022. _However_ the CT enforcement rules start May 2018. So a "backdated" certificate issued under this regime has to be prior to May 2018, which means it expired during or before August 2020, last year.

Thus, as you can see, the only backdating option that could mechanically work is a certificate which claims it was issued in late 2017 or early 2018 and expires before end of May 2021.

It is extremely unlikely that such certificates have been created after the CT deadline or will be made in the next few months. If detected they would likely result in the issuing CA being distrusted, yet their practical value to a subscriber is minimal compared to just getting a CT logged certificate.

But if you're concerned anyway and can't wait until June this year simply modify Chromium source to always require SCTs. In practice there likely won't be any sites you use that are still relying on this very narrow exclusion window to function, by February 2018 most vendors were giving unsophisticated subscribers certificates with SCTs baked in already and 1188 days is the very maximum allowable, most certificates will have had far shorter lifespans.

LibreSSL languishes on Linux

Posted Jan 7, 2021 10:45 UTC (Thu) by Karellen (subscriber, #67644) [Link] (3 responses)

If you want to blame somebody for the fact that HTTP out of the box wasn't secure, I recommend blaming Tim.

As someone who has issues with Tim due to his stance on EME and other user-hostile additions to recent web specs, I find this a bit harsh. HTTP is clearly modelled on similar protocols of the era, like FTP, SMTP and NNTP, all of which were similarly insecure. Tim was copying standard network protocol practices of the time, and adding encryption to early HTTP specs would have been a mammoth task for one person's personal project. Especially if they probably didn't have extensive cryptographic experience, and for a protocol that no-one at the time could have predicted would be as important and ubiquitous as it eventually turned out to be.

LibreSSL languishes on Linux

Posted Jan 7, 2021 11:49 UTC (Thu) by geert (subscriber, #98403) [Link] (2 responses)

Exactly. In those days, everybody was well-behaving on the Internet. People logged in to remote systems using telnet and rlogin, ran commands on remote systems using rsh, and used "xhost +" to interact graphically with programs running on remote systems.

After one-too-many pranks, the latter was quickly replaced by custom scripts calling xauth and copying over magic cookies to remote systems.
As network sniffing increased, people started to worry about security. Fortunately ssh (incl. -X) arrived, making most of the above issues moot.
But the WWW was still (mostly) limited to plain HTTP...

LibreSSL languishes on Linux

Posted Jan 7, 2021 13:15 UTC (Thu) by pizza (subscriber, #46) [Link] (1 responses)

> But the WWW was still (mostly) limited to plain HTTP...

Don't forget that at the time, there were some very real legal issues with respect to strong encryption.

LibreSSL languishes on Linux

Posted Jan 7, 2021 13:20 UTC (Thu) by geert (subscriber, #98403) [Link]

Oh right, I almost forgot about the need to publish the book "PGP Source Code and Internals", as a way to bypass limitation of exporting digital code (https://en.wikipedia.org/wiki/Phil_Zimmermann#PGP)