Fixing SSL (was Re: Dutch Transport Card Broken)
Dan Kaminsky
dan at doxpara.com
Fri Feb 1 04:07:19 EST 2008
>> (as if anyone uses client certificates anyway)?
>>
>
> Guess why so few people are using it ...
> If it were secure, more people would be able to use it.
>
>
People don't use it because the workload of getting signed up is vastly
beyond their skillset, and the user experience using the things is
pretty bad too.
> And there are hundreds of internal systems I heard of that are using client
> certificates in reality every day.
>
There's always a few people using a technology. It's certainly a
nonplayer out there. Probably more servers out there authing with
Digest, honestly.
> Validated email addresses for spamming. Spear-phishing perhaps, ...
>
>
> There are CA´s on this planet that put things like social security numbers
> into certificates.
>
>
Who? Seriously, that's pretty significant, I'd like to know who does this.
> Where does the SSL specification say that certificates shouldn´t contain
> sensitive information? I am missing that detail in the security consideration
> section of the RFC.
>
The word "public" in Public Key isn't exactly subtle.
> Do we have any more ideas how we can get this flaw fixed before it starts
> hurting too much?
>
Make it really easy to use some future version of SSL client certs, and
quietly add the property you seek. Ease of use drives technology
adoption; making the tech actually work is astonishingly secondary.
Heh, you asked :)
> We have an issue here. And the issue isn´t going to go away, until we
> deprecate SSL/TLS, or it gets solved.
>
To be clear, we'd *have* an issue, if any serious number of people used
SSL client certs. I think you have a point that if SSL client certs
become very popular going forward, then every website you go to will
quietly grab your identity through their ad banners.
> * We fix SSL
> Does anyone have a solution for SSL/TLS available that we could propose on the
> TLS list?
> If not: Can anyone with enough protocol design experience please develop it?
>
What solution could there be? You're actually going to SSL to the
banner ad network, and you're going to give them your client cert.
> * We deprecate SSL for client certificate authentication.
> We write in the RFC that people MUST NOT use SSL for client authentication.
> (Perhaps we get away by pretending that client certificates accidently slipped
> into the specification.)
>
People by in large do not use SSL client cert authentication. This is
problematic, as there's some very nice cryptographic aspects of the system.
> * We switch from TLS to hmmm ... perhaps SSH, which has fixed the problem
> already.
> Hmm, there we would have to write all the glue RFCs like "HTTP over SSH"
> again ...
>
I used to code for SSH. SSL is an entire top-to-bottom stack, replete
with a deep PKI infrastructure. SSH? Tunneling transport, barely even
librarized.
> Try to send a DVD iso image (4GB) over a SSL or SSH encrypted link with bit
> errors every 10000 bits with a client software like scp that cannot resume
> downloads. I gave up after 5 tries that all broke down in average after 1 GB.
> (In that case it was a hardware (bad cable) initiated denial of service
> attack ;-)
>
The problem here isn't checksums. SSH is notoriously buggy when packets
are dropped. I think there are certain windows in which OpenSSH assumes
it will get a response. If it doesn't, it just dies. So, outages more
than a few hundred milliseconds have a small percentage chance of
causing the session to permanently stall.
"Corrupted MAC on input" -- this is a decent sign of corruption at the
app layer.
Did you really try this with OpenSSL? I've had much better luck there.
> If the link layer gives you 1/256, and the TCP layer gives you 1/65536, and
> the SSL layer demands 0/16777216, then end up with 1/16777216 too much.
>
>
Actually, 256*65536 = 1677216 :) In actuality, you have both IP and TCP
checksums. So you get 8 bits from link, 16 bits from IP, and 16 bits
from TCP. A random corrupt packet has about 2^40 odds of getting through.
Of course, one real problem is that the checksum algorithms don't
exactly distribute noise randomly, and noise is not random. Still,
corruption doesn't start being a problem until you get some pretty
serious amounts of transfer. (Interestingly, I've been looking at IPsec
lately, not for encryption, but for better checksumming.)
> Best regards,
> Philipp Gühring
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
>
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list