Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 17 Oct 2014 16:41:33 -0700
From: Tim <tim-security@...tinelchicken.org>
To: oss-security@...ts.openwall.com
Subject: Re: attacking hsts through ntp

Hi Phil,

> That's called "DANE" and it uses TLSA records in DNS.  It's slowly
> bootstrapping into use in SMTP and server-server XMPP as an
> opportunistic TLS latch, providing the correct trust anchors too.
> 
> Various feature-request bugs against browsers have eventually gotten
> closed as will-not-fix or equivalent, because verified DNSSEC is not
> seen as something which is likely to be widely deployed in clients;
> there's a chicken/egg problem here.
> 
> By contrast, servers are more likely to be placed with care and
> attention to DNS resolution, so someone running an SMTP or XMPP server
> who wants to use DANE can fix their DNS setup, once.  So it's seeing
> more use there.  Postfix has DANE support; Exim has it as an
> experimental feature (which just means that the API might change); the
> Prosody XMPP client can be set up to use DANE.
> 
> (For clarity: the server/receiver side of any connection requires no
> code changes to support DANE, although having SNI support probably
> helps; the initiator which verifies the peer is the only one which needs
> changes, but they're currently ugly ones).

Sure, I read up on this a while ago, but wasn't sure if it was
catching on.  Thanks for the update.


> You're ignoring the attack vectors against DNSSEC.

Yes, true, but this is no different than the current situation with
TLS.  Why bother subverting DNSSEC in order to remove HSTS-like
controls, and then downgrade from HTTPS->HTTP in order to get at the
traffic, when you can just get at the TLS traffic directly by
subverting that PKI?

In order to address the nation-state scenario, I think we need the
ability to apply multiple signatures to the same server key.  If a CA
in Israel and a CA in Iran both signed the same key, what are the
chances of collusion?  One way to achieve multiple signatures would be
to leverage DNSSEC and stuff fingerprints in signed DNS records,
leveraging two separate PKIs for the same TLS keys.  I'd be interested
to know if you know of any attempts to do this already.

cheers,
tim

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.