- From: Adrien de Croy <adrien@qbik.com>
- Date: Thu, 14 Nov 2013 23:02:51 +0000
- To: "Mike Belshe" <mike@belshe.com>, "Tao Effect" <contact@taoeffect.com>
- Cc: "HTTP Working Group" <ietf-http-wg@w3.org>
- Message-Id: <em5097f53d-2b0b-48bb-854c-c2588fd2dea7@bodybag>
------ Original Message ------ From: "Mike Belshe" <mike@belshe.com> >One of the things that the IETF does with all new standards is to build >multiple, working implementations. This was done as part of the TLS >development as well as HTTP. So the IETF has built a new from-scratch TLS implementation that is freely usable? What's it called? How can we predict how secure that will be? > > >Rob T could comment further, but I don't believe the windows TLS stack >has much (any?) OpenSSL in it. Sure, it's hard to tell whether Schannel is easier to use than OpenSSL or not though. And a quick view through windows update history shows enough security patches related to schannel to bolster a complexity argument. Glad to learn about NSS though. We will look further into that. Of the other implementations mentioned, only relatively few have a license that many commercial software companies could or would use. Unless people have previous negative experience with a free license implementation, they would probably choose it over a commercial license. Lack of patronage of an implementation would lead to security concerns as well. > >It shouldn't be a surprise that there are fewer TLS implementations >than HTTP implementations - complexity aside, HTTP is much larger than >TLS today. But, if HTTP uses it more, we should see that go up over >time. I don't really understand what you mean here. You mean HTTP is more used than TLS? I'd agree with that. You're saying you expect to see more implementations? More heterogeneity is a good thing IMO. At the moment though I do think OpenSSL would have enormous coverage, and changing out TLS library is unlikely to be a simple matter for existing OpenSSL users. So there will be a lot of inertia, and a lot of continued use of OpenSSL, if only on the server-side. > >I disagree that we glossed over these issues. I didn't see them discussed on list, but I may have missed it. Adrien > >Mike > > > >On Thu, Nov 14, 2013 at 1:58 PM, Tao Effect <contact@taoeffect.com> >wrote: >>Yeah... thanks for bringing that up. >> >>The sad thing is that OpenSSL is already basically everywhere (from >>what I can tell). >> >>I think it might be in all the major browsers, is that correct? >> >>And it's in Apache (via mod_ssl), and most of the other servers that >>exist, is that correct too? >> >>I'd like to see a pie chart of OpenSSL usage in the top used web >>servers and top used browsers. Anyone know of one? >> >>Then there's the "OpenSSL is written by monkeys" problem: >> >>http://www.peereboom.us/assl/assl/html/openssl.html >> >>The situation appears to be that we're using a crypto library, written >>(allegedly) by monkeys, in C, and only a handful of people and/or >>monkeys have actually looked at the code. >> >>Additionally, C, and just about all its variants, makes it remarkably >>easy to write insecure code (by accident), and easy to write malicious >>code that can sit right in the open and not be noticed those working >>with the code: >> >>https://en.wikipedia.org/wiki/Underhanded_C_Contest >> >>It's not a new problem though... it's been with us "since like >>forever." You've probably been pwn'd and haven't realized it. :-p >> >>- Greg >> >>-- >>Please do not email me anything that you are not comfortable also >>sharing with the NSA. >> >>On Nov 14, 2013, at 4:35 PM, Adrien de Croy <adrien@qbik.com> wrote: >> >>>Hi all >>> >>>one of the things that has been troubling me about the mandatory TLS >>>discussion, that I don't recall having seen discussed here is the >>>issue of the implicit assumption that it's free or low-cost to >>>include TLS into a product due to the availability of open source >>>implementations. >>> >>>I think that assumption needs looking into a bit further. >>> >>>I'm going to go out on a limb here, and speculate, that if TLS were >>>to become mandatory in HTTP/2 that the vast majority of implementers >>>would choose OpenSSL for the TLS implementation. >>> >>>That immediately raises a number of issues. >>> >>>1. Homogeneity and therefore susceptibility to exploits having >>>effectively global reach. >>>2. Maintainability of the source >>> >>>A related issue is the complexity argument which I also haven't seen >>>put here. >>> >>>TLS is complex. The crypto is complex. Implementations of TLS with >>>the cipher suites contain at least many hundreds of thousands of >>>lines of code. Most of it fairly impenetrable from what I've seen >>>sorry to say. >>> >>>Compared with an implementation of an HTTP stack, a TLS >>>implementation completely dwarfs it for complexity and amount of >>>code. Since these things are not maintained by infallible aliens >>>but us mere mortals, there will be bugs. >>> >>>OpenSSL in my experience has had many troubles with vulnerabilities >>>and stability. And it's an enormous undertaking for someone to >>>fathom the code to attempt any maintenance on it at all. >>> >>>Does this mean, that if we made TLS mandatory, that effectively we >>>would be placing the security of the web in the hands of the OpenSSL >>>contributors. I think it effectively does. >>> >>>This is an EXTREMELY disturbing thought. The security of the >>>systems associated with maintenance and deployment of OpenSSL are not >>>at a sufficient level to warrant this level of global reliance. My >>>own experience with OpenSSL has not been without serious problems, >>>and in fact we've looked to ditch it many times and may still do. >>> >>>I don't think it is realistic to expect that http agent (server or >>>client) developers will put much effort at all into maintenance of >>>the TLS library. So maintenance will remain the domain of the few >>>contributors. >>> >>>Too many eggs in too few baskets. >>> >>>Adrien >> >
Received on Thursday, 14 November 2013 23:02:48 UTC