The Sorry State of SSL @ EuroPython 2014

TLS is the best technology we have for securing our communications. It comes with many sharp edges though. This talk tries to jumpstart a rough understanding.

Hynek Schlawack

July 22, 2014

Transcript

  1. THE SORRY STATE OF SSL
    Hynek Schlawack

  2. @hynek
    https://hynek.me
    https://github.com/hynek
    Guten Tag!

  4. https://www.variomedia.de

  8. ONLY LINK
    ox.cx/t

  11. WTF
    SSL
    & TLS

  17. TIMELINE
    1995: Secure Sockets Layer 2.0, Netscape
    1996: SSL 3.0, still Netscape
    1999: Transport Layer Security 1.0, IETF
    2006: TLS 1.1
    2008: TLS 1.2

  21. 2013
    • newfound scrutiny
    • browsers add TLS 1.2
    • just using TLS not enough

  25. TLS
    • identity
    • confidentiality
    • integrity

  26. TLS HYGIENE

  27. SERVERS

  28. BE UP-TO-DATE
    • OpenSSL >= 1.0.1c
    • Apache >= 2.4.0
    • nginx >= 1.0.6 or 1.1.0

  29. BE UP-TO-DATE
    • OpenSSL >= 1.0.1h
    • Apache >= 2.4.9
    • nginx >= 1.4.7

  31. CERTIFICATES
    • identity
    • validity
    • CA sig

  36. TRUST CHAIN

  41. CERTIFICATES
    • trust chain
    • host name/service
    • already/still valid?

  44. DISABLE
    • SSL 2.0
    • SSL 3.0 (if you can)
    • TLS compression

  45. CIPHER SUITES

  51. CIPHER
    (diagram: Plaintext, Cipher, Ciphertext)

  55. CIPHER: MODE
    • CBC
    • stream ciphers
    • GCM

  58. ENCRYPTION: PREFER THIS
    AES128-GCM
    &
    ChaCha20

  59. ENCRYPTION: FALL BACK TO
    AES128-CBC

  60. ENCRYPTION:
    IF LIFE IS CRUEL TO YOU
    3DES-CBC

  61. ENCRYPTION:
    EOL

  64. ENCRYPTION: DANGEROUS
    • EXP-*
    • DES
    • RC4

  66. KEY EXCHANGE

  69. KEY EXCHANGE
              fast   PFS
    RSA       ✔️     ❌
    DHE       ❌     ✔️
    ECDHE     ✔️     ✔️

  73. INTEGRITY: MACS
    • Message Authentication Code
    • HMAC
    • GCM

  74. HAVE THE LAST WORD

  76. YOU’RE DONE!
    (but test your results!)

  77. CERTIFICATE

  84. PROTOCOLS

  88. CIPHER SUITES

  96. CLIENTS

  98. YOU HAD ONE JOB!
    VERIFY!

  101. VERIFY THE CERTIFICATE!
    • valid?
    • trustworthy chain?
    • correct hostname/service?

  105. TRUST CHAIN
    • VERIFY_PEER
    • trust stores OS dependent
    • SSL_CTX_set_default_verify_paths

  110. SYSTEM CA
    • FreeBSD: ca_root_nss
    • Debian/Red Hat: ca-certificates
    • OS X: TEA or homebrew
    • Windows: wincertstore
    • or: Mozilla/certifi

  112. HOSTNAME VERIFICATION
    OpenSSL to developers:
    LOL

  113. DON’T VERIFY TRUST CHAIN
    I can pretend to be Google with any self-signed certificate.

  114. DON’T VERIFY HOSTNAME
    I can pretend to be Google with any valid certificate.

  116. SET SOME OPTIONS
    • acceptable ciphers
    • disable SSL 2.0

  117. THAT’S ALL!

  118. USERS

  121. FUNDAMENTAL MISCONCEPTIONS
    • no end-to-end security
    • metadata

  124. VPN?
    • sees all your traffic
    • same for CDN

  125. CERTIFICATE WARNINGS

  127. ROOT CERTIFICATE POISONING

  135. TRUST ISSUES
    • hacked
    • screw up
    • court orders
    • big corp

  137. DON’T DO IT YOURSELF
    IF YOU CAN HELP IT.
    Rule of Thumb

  138. STANDARD LIBRARY
    VS.
    PYOPENSSL

  144. STANDARD LIBRARY
    • terrible pre-3.3
    • very incomplete in 2.7
    • PFS impossible
    • missing options
    • bound to Python’s OpenSSL

  145. HOSTNAME VERIFICATION
    3.2–: from ssl import match_hostname
    2.4–2.7: pip install backports.ssl_match_hostname

  149. PYOPENSSL
    • Python 2.6+, 3.2+, and PyPy
    • more complete API coverage
    • PyCA cryptography!

  154. CRYPTOGRAPHY.IO
    • Python crypto w/o footguns
    • PyCA
    • PyPy ♥ CFFI
    • gives pyOpenSSL momentum

  155. HOSTNAME VERIFICATION
    service_identity

  156. LIBRARIES
    &
    FRAMEWORKS

  159. SERVERS
                     lib          PFS   good defaults   configurable
    eventlet         hybrid       ❌    ❌              ❌
    gevent           stdlib       ❌    ❌              ❌
    gunicorn         depends      ❌    ❌              ❌
    Tornado          stdlib       ❌    ❌              ❌
    Twisted 14.0     pyOpenSSL    ✔️    ✔️              ✔️
    uWSGI            own C code   ✔️    ❌              ✔️

  165. CLIENTS
                       lib         verifies certificates   verifies hostnames   good defaults
    eventlet           hybrid      ❌                      ❌                   ❌
    gevent             stdlib      ❌                      ❌                   ❌
    Tornado            stdlib      ✔️                      ✔️                   ❌
    Twisted 14.0       pyOpenSSL   depends                 depends              ✔️
    urllib2            stdlib      ❌                      ❌                   ❌
    urllib3/requests   hybrid      ✔️                      ✔️                   ✔️

  171. SUMMARY
    • keep TLS out of Python if you can
    • use pyOpenSSL-powered requests for HTTPS
    • write servers in Twisted
    • use pyOpenSSL
    • use Python 2 stdlib only for clients

  172. WHY SORRY?

  173. IMPLEMENTATIONS

  178. USERS
    • run outdated software
    • click certificate warnings away
    • are at the mercy of 3rd parties

  179. SERVERS

  181. CLIENTS

  182. PYTHON
    Is at the forefront of terrible.

  186. HOPE
    • people care again
    • stdlib
    • PyCA

  187. CALLS TO ACTION

  192. ox.cx/t
    @hynek
    vrmd.de
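
The client checklist from the CLIENTS slides (verify the trust chain, verify the hostname, restrict ciphers and protocols) and the cipher advice from the SERVERS slides, as an added example that is not part of the talk: a standard-library audit of an `ssl.SSLContext`. The helper names and the TLS 1.2 floor are assumptions of this example, and it targets Python 3.7+ rather than the versions the slides discuss.

```python
import ssl

# Slides' "DANGEROUS" list as OpenSSL name fragments ("DES-CBC-" spares 3DES, "DES-CBC3").
DANGEROUS = ("EXP-", "RC4", "DES-CBC-")
PFS_PREFIXES = ("ECDHE-", "DHE-")  # the key exchanges the slides mark as PFS


def weak_ciphers(names):
    """Return the suite names that use a dangerous cipher or lack PFS."""
    return [n for n in names
            if any(tok in n for tok in DANGEROUS) or not n.startswith(PFS_PREFIXES)]


def hardened_client_context():
    """Client context that follows the checklist (helper name is hypothetical)."""
    ctx = ssl.create_default_context()              # loads the OS trust store
    ctx.verify_mode = ssl.CERT_REQUIRED             # VERIFY_PEER: check the chain
    ctx.check_hostname = True                       # name must match the certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # assumption: stricter than "no SSL 2.0/3.0"
    ctx.options |= ssl.OP_NO_COMPRESSION            # no TLS compression
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # PFS key exchange, AEAD ciphers
    return ctx


def careless_client_context():
    """Constructed counter-example: encrypts, but authenticates nobody."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit(ctx):
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("trust chain not verified")
    if not ctx.check_hostname:
        findings.append("hostname not verified")
    if not (ctx.options & ssl.OP_NO_SSLv3 or ctx.minimum_version > ssl.TLSVersion.SSLv3):
        findings.append("SSL 3.0 enabled")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled")
    # TLS 1.3 suites always use ephemeral key exchange and AEAD, so skip them.
    names = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    return findings + ["weak suite: " + n for n in weak_ciphers(names)]


if __name__ == "__main__":
    for make in (hardened_client_context, careless_client_context):
        print(make.__name__, audit(make()) or "OK")
```

Running `audit()` over the contexts an application actually constructs, for example in a unit test, catches a disabled verification flag before it ships.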
