[jdev] manifesto & DANE does not cut it
dave at cridland.net
Fri Nov 15 10:30:43 UTC 2013
On Fri, Nov 15, 2013 at 9:30 AM, Ralf Skyper Kaiser <skyper at thc.org> wrote:
> No. The user has to trust ALL keys and not just the single ROOT KEY. The
> user has to trust:
> 1. The key was generated securely (enough bits, good primes, ...)
> 2. A good RNG was used (hi debian! Thanks for a bad RNG).
> 3. The key is not leaked (on purpose) by _any_ of the admins in the domain
> 4. The key is stored securely and not stolen
> 5. ...This list is incomplete... and goes on and on.
Excellent... So we'll run through a first-time connect without DANE, and
with just pinning.
> Maybe this example gives a better idea:
> User in Iran. Jabber admin sets up a jabber server at
OK. So no change here.
> The user has to trust ROOT (domain "."). ROOT is ultimately geopolitically
> aligned with the US.
Again, no change. Still got the trust the DNS, after all. Of course, Iran
could run their own root, and frankly nobody would know without DNSSEC. So
it's really hard to tell if the root you're querying is actually the one
geopolitically aligned with the US or not.
> The user has to trust .IR. That's ultimately the Iranian government.
So here's a thing - this assumes the user is also in Iran. But without
DNSSEC, you have to trust both your local authority and the domain owner.
In your scenario, though, they're the same thing, so we can skip this.
> The user has to trust MY-UNIVERSITY.IR (which is ultimately aligned with
> Mr. Khomeini)
Likewise... Though I'm pretty sure Khomeini hasn't been around for a while.
> The user has to trust MYJABBERSERVER.my-university.ir which is the actual
> jabber server admin.
OK. Small note there, actually. You also have to trust any authority over
your IP connectivity at this point, plus spoofing DNS is relatively easy
without DNSSEC, so you're basically trusting *everyone*. Which just makes
you a nice guy, right? Can I borrow €1,000?
> That really sounds like a great idea! Unless of course
> 1. You are a gay person in Iran
> 2. An Atheist in Saudi Arabia (or a woman)
> 3. Leonardo da Vinci and dare to suggest that the earth is round
> 4. A black person wishing to sit in the front row of a bus
> 5 ...
Typically, sarcasm is used to posit something that is clearly the opposite
of what you intend, by the way. Aside from "That really sounds like a great
idea", I'll assume that the remainder of the argument you state above is,
you believe, valid.
> DANE does not protect any of the above people.
It protects them significantly better, and from a greater number of attacks
(and attackers), than self-signed certificates and pinning-only.
> DANE just does not cut it. Not in a Post-Prism world.
I have *no* idea what Prism has to do with this. Really.
The only thing you need to defeat pervasive surveillance alone, which is a
fundamentally untargeted attack, is to deploy some kind of encryption. ADH
is fine for that.
We're trying to solve an authentication problem.
> Certificate Pinning does.
Ah, but wait, because there's two additional steps you've skipped.
With DANE, the user's client now knows something important - assuming it
can trust the relevant delegation points, of course - it knows the address
(via DNSSEC) and it also knows what to expect from the certificate (the CA,
or certificate itself). These are good and useful things to know.
With pure pinning and self-signed certificates, it knows nothing it can
trust. It cannot trust the IP address, nor the certificate. Your argument
is that a user should then trust these anyway, and bootstrap from there.
The trouble is the attacker has much more scope to mount the initial
attack, and once done it's fairly nicely self-sustaining - in fact, if they
stop the attack, it'll appear as if the legitimate server is the attacker.
I have no clue how to extricate the user at this point.
I don't think anyone would claim that DANE is utterly proof against any
form of attack, but your argument seems to be that because it's not
perfect, we should instead use something worse.
Critically, the argument "but nobody will attack the initial connect, it
works with SSH" is entirely flawed, as every attack possible is magnitudes
harder with DNSSEC and/or DANE.
Also, you're welcome to use pinning *and* DANE. If you can figure out what
takes precedence in the case of a mismatch.
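The first-connect argument above, as an added example that is not code from the thread or from any XMPP client or server project. It puts RFC 6698 TLSA matching (the DANE side) next to a trust-on-first-use pin store (the pinning-only side) and runs the scenario from the message: an attacker who controls the path on the user's very first connect. It assumes the caller already holds the certificate DER and its SubjectPublicKeyInfo DER as bytes (a real client would take them from the TLS handshake); the DER byte strings, the chains, the `combined_connect` precedence rule and the result labels are all constructed for illustration, and PKIX chain validation for usages 0 and 1 is not modelled.

```python
# Added example, not code from the thread: RFC 6698 TLSA matching beside a
# trust-on-first-use pin store. DER byte strings below are constructed stand-ins.
import hashlib
from dataclasses import dataclass, field

@dataclass(frozen=True)
class TLSARecord:
    usage: int          # RFC 6698: 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes         # certificate association data

def association_data(record, cert_der, spki_der):
    """Bytes the record must carry to match this certificate (RFC 6698 section 2.1)."""
    selected = {0: cert_der, 1: spki_der}[record.selector]
    if record.matching_type == 0:
        return selected
    if record.matching_type == 1:
        return hashlib.sha256(selected).digest()
    if record.matching_type == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError("unknown matching type %d" % record.matching_type)

def make_tlsa(cert_der, spki_der, usage=3, selector=1, matching_type=1):
    """Zone side: the record to publish for this certificate (default "3 1 1")."""
    probe = TLSARecord(usage, selector, matching_type, b"")
    return TLSARecord(usage, selector, matching_type,
                      association_data(probe, cert_der, spki_der))

def tlsa_matches(records, chain):
    """chain is a list of (cert_der, spki_der), leaf first. Usages 1 and 3 constrain
    the end-entity certificate, usages 0 and 2 an issuer above it. Usages 0 and 1
    also require ordinary PKIX validation, which is not modelled here."""
    for rec in records:
        candidates = chain[:1] if rec.usage in (1, 3) else chain[1:]
        if any(association_data(rec, c, s) == rec.data for c, s in candidates):
            return True
    return False

def spki_fingerprint(chain):
    return hashlib.sha256(chain[0][1]).digest()

@dataclass
class PinningOnlyClient:
    """Trust on first use: the first SPKI seen for a host becomes the pin."""
    pins: dict = field(default_factory=dict)

    def connect(self, host, chain):
        fp = spki_fingerprint(chain)
        if host not in self.pins:
            self.pins[host] = fp        # nothing to check against: accept and remember
            return "pinned"
        return "ok" if self.pins[host] == fp else "mismatch"

def dane_connect(chain, validated_tlsa):
    """validated_tlsa is the DNSSEC-validated TLSA RRset, or None when the answer was
    unsigned or failed validation (then DANE offers no assurance at all)."""
    if validated_tlsa is None:
        return "no-dane"
    return "ok" if tlsa_matches(validated_tlsa, chain) else "mismatch"

def combined_connect(pins, host, chain, validated_tlsa):
    """Pinning plus DANE under one possible precedence rule (the thread fixes none):
    a validated RRset wins outright and is the only thing allowed to set or replace
    a pin; the pin is consulted only when DNS gives no validated answer."""
    if validated_tlsa is not None:
        if not tlsa_matches(validated_tlsa, chain):
            return "mismatch"
        pins[host] = spki_fingerprint(chain)
        return "ok"
    if host not in pins:
        return "unverified"             # no DANE and no pin: nothing to trust yet
    return "ok" if pins[host] == spki_fingerprint(chain) else "mismatch"

def first_connect_scenario():
    """The thread's case: an attacker controls the path on the user's first connect."""
    host = "myjabberserver.my-university.ir"
    real = (b"DER:real-cert", b"DER:real-spki")   # constructed stand-ins
    evil = (b"DER:evil-cert", b"DER:evil-spki")
    zone = [make_tlsa(*real)]   # admin publishes 3 1 1 sha256(real SPKI), DNSSEC-signed
    pin = PinningOnlyClient()
    pinning = (pin.connect(host, [evil]),   # attacker's key is now the pin
               pin.connect(host, [real]))   # the real server now looks like the attacker
    dane = (dane_connect([evil], zone),     # caught on the very first connect
            dane_connect([real], zone))
    pins = {}
    combined = (combined_connect(pins, host, [evil], zone),   # rejected, nothing pinned
                combined_connect(pins, host, [real], zone),   # accepted, pin recorded
                combined_connect(pins, host, [evil], None),   # DNS broken: pin rejects
                combined_connect(pins, host, [real], None))   # DNS broken: pin accepts
    return {"pinning": pinning, "dane": dane, "combined": combined}
```

Running `first_connect_scenario()` gives the pinning-only client `("pinned", "mismatch")`: it accepts the attacker on the first connect and then flags the legitimate server as the attacker, which is the self-sustaining state described above. The DANE client gives `("mismatch", "ok")`, because the DNSSEC-signed expectation exists before the first connect. The combined client rejects the attacker, records a pin only after a DANE-validated connection, and that pin still decides correctly when DNS later gives no validated answer. On the zone side, for a client connecting directly on port 5222, the record `make_tlsa` computes would sit at `_5222._tcp.myjabberserver.my-university.ir` as `TLSA 3 1 1 <hex of sha256(SPKI)>`, and it has to be DNSSEC-signed to count; an attacker who cannot produce a valid signature can still break DNS entirely, but that is a visible failure rather than a silent misdirection.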