SAAG @ IETF99
Notetakers: Carsten Bormann, Chris Inacio
Thursday 1400, Potsdam III

Time - Slot

00-10 - Agenda bash & WG status

Note: summaries for each WG sent to SAAG list and/or posted in datatracker for that working group. Those listed here did not send in a report prior to the SAAG session.

abfab: finished work, to be closed
lamps: to look at maintenance of S/MIME, tightly scoped
oauth: two meetings this week, two WGLCs started; current best practice document is getting worked; updating (???) document
tokbind: trying to wrap up, wording on some final documents
IAB: has security / privacy program working on some mitigations documents in the report (Paul Hoffman)
dbound: likely never going to meet, not enough consensus
dpriv: didn't meet, but other working groups tackling most of the work

11-80 - Talks (70)

-- TRON workshop & prize-winner, Karen O'Donoghue/Tibor Jager (15)

Symposium Feb 2016, "TLS ready or not", bring researchers together
(What is the next topic for which we need such a workshop?)
Hannes: oauth workshop last week similar to the "TLS ready" workshop; call for workshop is out for similar workshops

ACM CCS -- Security of TLS 1.3 against PKCS#1 v1.5 vulns (deprecated in TLS 1.3 -- vulnerable against Bleichenbacher attacks (1998)). Does that help? No... MITM with 1.3 client can use 1.0 interface of server to forge CertVerify.
DROWN attack, USENIX Sec. 2016: forge sig in 1 min, using additional vuln on OpenSSL versions up to early 2015
Cannot perform key separation on certs as those don't bear a TLS version number. (Servers don't seem to support that anyway.)

Paul Wouters (RedHat): Need to get HSM vendors on board as well
Rob Augstein: adding extension to X.509, not difficult; hard part is getting people to use it
Yoav Nir: other hard part is getting CAs to issue two certificates at the same time for the same thing
Victor: perhaps proxy certs would help
Hanno Böck: two options: (1) get rid of RSA-PKCS#1 v1.5 (2) key separation; might work getting rid of RSA keys
Tibor: hard to analyze interdependencies between dozens of different algorithms -- better to separate the keys between them

-- Port Scanning and WebSockets, Tom Gallagher (15)

Once a single device browses to an attacker-controlled website, that can scan the network.
JavaScript can make same-origin requests, can time responses. (Browsers block some ports; throttle port scanning.)
Alex Manford: can I register hostnames in same-origin that point to local addresses?
Richard Barnes: Subdomains aren't same-origin, so that doesn't work, but might be able to tweak it to work
Would take about 208 days with throttling to map out entire space; but most attackers don't likely need to do this because of the common clustering of usual services on most networks. Might take months to map out network, against multiple users on the same domain. Can speed up the attack with HTML5 with WebSocket & WebWorker.
Mitigation: Report all errors at fixed (increased) latency, so latency can no longer be used to distinguish the cases. (Impacts only apps that were already somewhat broken.)
draft-gallagher-hybiwebsocketenhancement-00.txt
Flemming Andreasen: issues on latency don't matter; but it does matter for connectivity checking, it is used today to determine which method for WebSockets will actually work
Patrick McManus: This is useful. This is how failover is done, so it does matter for performance.
XHR(?) -- the larger set of things this applies to: what Patrick said
Victor: teach the browser bounda
Richard Barnes: discussion about ... might impact legacy stuff; hard to determine internal vs. external in all cases; work happening in W3C on topic

-- ITU-T SG/17, Vasily Dolmatov (10)

-- "GCM nonce reuse bugs as an example of easy to misuse crypto constructions", Hanno Böck/Aaron Zauner (30)

Kenny Paterson: last sentence says the last line (a MAY) to use a counter, should be a MUST? Would look to get more testing for these types of issues; make implementations more robust.
Fernando Gont: We authored a document on the generation of IDs

81-100 - Process stuff (20)

-- Update on censorship draft, Joseph Lorenzo Hall (10)

https://datatracker.ietf.org/doc/draft-hall-censorship-tech/
Stephen: How many would find this useful as an RFC? -> Lots

-- 3552bis, Yoav Nir/Magnus Westerlund (10)

No draft yet
Barry Leiba: In APP, we had a list of things needed on a Wiki page. Maybe you have a hot issues Wiki
Paul Hoffman: MUST and SHOULD should not appear in sec cons sections, unless they already appeared earlier. Put this in before 00? (Yes)
Rich Salz: Thanks, this was way overdue.
Wendy Seltzer: Thanks, looking forward to coordinating what we bring to W3C Web Security
Stephen: Who will read this? -> many
Stephen: I would love if this one came out shorter
Kathleen: But do the right thing

101-120 - open mic (20)

Kathy Barnes: Cryptech website (cryptech.is) had the cryptech workshop before the IETF meeting. Open-source HW & SW HSM development.
Matt Miller: LEDGER BoF right after next session. Cryptographic ledgers to track assets.
Victor: DNSSEC servers that fail badly at denial of existence -- that will make mail fail; please make sure that your DNSSEC servers aren't ten years old.
Yaron Sheffer: RFC???? -- If you have an implementation...
Stephen: Security AD opening, consider volunteering or at least volunteer for NOMCOM; see Lucy for NOMCOM.