Re: [TLS] Simple way to drop re-negotiation in HTTP (Re: draft-rescorla-tls-renegotiate.txt)



On Sat, Nov 07, 2009 at 12:00:29AM -0600, Marsh Ray wrote:
> Nicolas Williams wrote:
> > The simplest way to drop re-negotiation in web servers is this (based on
> > an idea by Nelson Bolyard):
> 
> Wow that does make it sound easy. All we need to do for HTTPS is get a
> new port number assigned and the entire burden of the solution passes
> from the TLS specs to server implementors and site admins?

[Complaints that new port numbers for this are not really feasible
elided.]

For services inside a firewall this would be simple enough.  For all
others one may split the public vs. for-authenticated-users services
across multiple IP addresses rather than port numbers; this is [much?]
harder to automate.

But you convince me that this is not realistic.  To properly automate
this would require... software updates, which is pretty much what we
need to fix the bug in the first place; if this workaround is not
automated, then it won't be deployed.  Most likely, as you say, the
world will sit in the vulnerable state for a long time.  Very
unfortunate, that.

Nico
-- 
