The Sorry State of SSL @ EuroPython 2014

THE SORRY STATE OF SSL
Hynek Schlawack

View Slide

@hynek
https://hynek.me
https://github.com/hynek
Guten Tag!

View Slide

View Slide

https://www.variomedia.de

View Slide

View Slide

ONLY LINK
ox.cx/t

View Slide

WTF

View Slide

WTF
SSL

View Slide

WTF
SSL
& TLS

View Slide

TIMELINE

View Slide

TIMELINE
1995: Secure Sockets Layer 2.0, Netscape

View Slide

TIMELINE
1996: SSL 3.0, still Netscape

View Slide

TIMELINE
1999: Transport Layer Security 1.0, IETF

View Slide

TIMELINE
2006: TLS 1.1

View Slide

TIMELINE
2006: TLS 1.1
2008: TLS 1.2

View Slide

2013

View Slide

2013
• newfound scrutiny

View Slide

2013
• browsers add TLS 1.2

View Slide

2013
• browsers add TLS 1.2
• just using TLS not enough

View Slide

TLS

View Slide

TLS
• identity

View Slide

TLS
• identity
• conﬁdentiality

View Slide

TLS
• identity
• conﬁdentiality
• integrity

View Slide

TLS HYGIENE

View Slide

SERVERS

View Slide

1.0.1c
2.4.0
1.0.6 or 1.1.0
• OpenSSL >=
• Apache >=
• nginx >=
BE UP-TO-DATE

View Slide

• OpenSSL >=
• Apache >=
• nginx >=
1.0.1h
2.4.9
1.4.7
BE UP-TO-DATE

View Slide

CERTIFICATES
• identity
• validity

View Slide

CERTIFICATES
• identity
• validity
• CA sig

View Slide

TRUST CHAIN

View Slide

CERTIFICATES
• trust chain

View Slide

CERTIFICATES
• trust chain
• host name/service

View Slide

CERTIFICATES
• trust chain
• host name/service
• already/still valid?

View Slide

DISABLE
• SSL 2.0

View Slide

DISABLE
• SSL 2.0
• SSL 3.0 (if you can)

View Slide

DISABLE
• SSL 2.0
• SSL 3.0 (if you can)
• TLS compression

View Slide

CIPHER SUITES

View Slide

CIPHER

View Slide

CIPHER
Cipher

View Slide

CIPHER
Cipher
Plaintext

View Slide

CIPHER
Cipher Ciphertext
Plaintext

View Slide

Ciphertext
CIPHER
Cipher Plaintext

View Slide

CIPHER: MODE

View Slide

CIPHER: MODE
• CBC

View Slide

CIPHER: MODE
• CBC
• stream ciphers

View Slide

CIPHER: MODE
• CBC
• stream ciphers
• GCM

View Slide

ENCRYPTION: PREFER THIS

View Slide

AES128-GCM
&

View Slide

AES128-GCM
&
ChaCha20

View Slide

ENCRYPTION: FALL BACK TO
AES128-CBC

View Slide

ENCRYPTION:
IF LIFE IS CRUEL TO YOU
3DES-CBC

View Slide

ENCRYPTION:
EOL

View Slide

ENCRYPTION: DANGEROUS
• EXP-*

View Slide

• EXP-*
• DES

View Slide

• EXP-*
• DES
• RC4

View Slide

KEY EXCHANGE

View Slide

KEY EXCHANGE
fast PFS
RSA ✔️ ❌

View Slide

KEY EXCHANGE
fast PFS
RSA ✔️ ❌
DHE ❌ ✔️

View Slide

KEY EXCHANGE
fast PFS
RSA ✔️ ❌
DHE ❌ ✔️
ECDHE ✔️ ✔️

View Slide

INTEGRITY: MACS
• Message Authentication Code

View Slide

INTEGRITY: MACS
• HMAC

View Slide

INTEGRITY: MACS
• HMAC
• GCM

View Slide

HAVE THE LAST WORD

View Slide

YOU’RE DONE!

View Slide

YOU’RE DONE!
(but test your results!)

View Slide

CERTIFICATE

View Slide

PROTOCOLS

View Slide

CIPHER SUITES

View Slide

CLIENTS

View Slide

YOU HAD ONE JOB!

View Slide

YOU HAD ONE JOB!
VERIFY!

View Slide

VERIFY THE CERTIFICATE!
• valid?

View Slide

• valid?
• trustworthy chain?

View Slide

• valid?
• trustworthy chain?
• correct hostname/service?

View Slide

TRUST CHAIN

View Slide

TRUST CHAIN
• VERIFY_PEER

View Slide

TRUST CHAIN
• VERIFY_PEER
• trust stores OS dependent

View Slide

TRUST CHAIN
• VERIFY_PEER
• trust stores OS dependent
• SSL_CTX_set_default_
verify_paths

View Slide

SYSTEM CA
• FreeBSD: ca_root_nss

View Slide

SYSTEM CA
• debian/Red Hat: ca-certiﬁcates

View Slide

SYSTEM CA
• OS X: TEA or homebrew

View Slide

SYSTEM CA
• Windows: wincertstore

View Slide

SYSTEM CA
• Windows: wincertstore
• or: Mozilla/certiﬁ

View Slide

HOSTNAME VERIFICATION
OpenSSL to developers:

View Slide

OpenSSL to developers:
LOL

View Slide

DON’T VERIFY TRUST CHAIN
I can pretend to be Google with any
self-signed certiﬁcate.

View Slide

DON’T VERIFY HOSTNAME
I can pretend to be Google with any
valid certiﬁcate.

View Slide

View Slide

SET SOME OPTIONS
• acceptable ciphers
• disable SSL 2.0

View Slide

THAT’S ALL!

View Slide

USERS

View Slide

FUNDAMENTAL
MISCONCEPTIONS

View Slide

FUNDAMENTAL
MISCONCEPTIONS
• no end-to-end security

View Slide

FUNDAMENTAL
MISCONCEPTIONS
• no end-to-end security
• metadata

View Slide

VPN?

View Slide

VPN?
• sees all your trafﬁc

View Slide

VPN?
• sees all your trafﬁc
• same for CDN

View Slide

CERTIFICATE WARNINIGS

View Slide

ROOT CERTIFICATE
POISONING

View Slide

TRUST ISSUES

View Slide

TRUST ISSUES
• hacked

View Slide

TRUST ISSUES
• hacked
• screw up

View Slide

TRUST ISSUES
• hacked
• screw up
• court orders

View Slide

TRUST ISSUES
• hacked
• screw up
• court orders
• big corp

View Slide

View Slide

DON’T DO IT YOURSELF
IF YOU CAN HELP IT.
Rule of Thumb

View Slide

STANDARD LIBRARY
VS.
PYOPENSSL

View Slide

STANDARD LIBRARY

View Slide

STANDARD LIBRARY
• terrible pre-3.3

View Slide

STANDARD LIBRARY
• very incomplete in 2.7

View Slide

STANDARD LIBRARY
• PFS impossible

View Slide

STANDARD LIBRARY
• PFS impossible
• missing options

View Slide

STANDARD LIBRARY
• PFS impossible
• missing options
• bound to Python’s OpenSSL

View Slide

3.2–
from ssl import match_hostname
2.4–2.7
pip install backports.ssl_match_hostname

View Slide

PYOPENSSL

View Slide

PYOPENSSL
• Python 2.6+, 3.2+, and PyPy

View Slide

PYOPENSSL
• more complete API coverage

View Slide

PYOPENSSL
• more complete API coverage
• PyCA cryptography!

View Slide

CRYPTOGRAPHY.IO

View Slide

CRYPTOGRAPHY.IO
• Python crypto w/o footguns

View Slide

CRYPTOGRAPHY.IO
• PyCA

View Slide

CRYPTOGRAPHY.IO
• PyCA
• PyPy ♥ CFFI

View Slide

CRYPTOGRAPHY.IO
• PyCA
• PyPy ♥ CFFI
• gives pyOpenSSL momentum

View Slide

service_identity

View Slide

LIBRARIES
&
FRAMEWORKS

View Slide

SERVERS
lib PFS good defaults conﬁgurable
eventlet hybrid ❌ ❌ ❌
gevent stdlib ❌ ❌ ❌
gunicorn depends ❌ ❌ ❌
Tornado stdlib ❌ ❌ ❌

View Slide

SERVERS
Twisted 14.0 pyOpenSSL ✔️ ✔️ ✔️

View Slide

SERVERS
Twisted 14.0 pyOpenSSL ✔️ ✔️ ✔️
uWSGI own C code ✔️ ❌ ✔️

View Slide

CLIENTS
lib
verifies
certificates
verifies
hostnames
good defaults

View Slide

CLIENTS
lib
verifies
certificates
verifies
hostnames
good defaults
Tornado stdlib ✔️ ✔️ ❌

View Slide

CLIENTS
lib
verifies
certificates
verifies
hostnames
good defaults
Twisted 14.0 pyOpenSSL depends depends ✔️

View Slide

CLIENTS
lib
verifies
certificates
verifies
hostnames
good defaults
urllib2 stdlib ❌ ❌ ❌

View Slide

CLIENTS
lib
verifies
certificates
verifies
hostnames
good defaults
urllib2 stdlib ❌ ❌ ❌
urllib3/requests hybrid ✔️ ✔️ ✔️

View Slide

SUMMARY

View Slide

SUMMARY
• keep TLS out of Python if you can

View Slide

SUMMARY
• use pyOpenSSL-powered requests for
HTTPS

View Slide

SUMMARY
HTTPS
• write servers in Twisted

View Slide

SUMMARY
HTTPS
• use pyOpenSSL

View Slide

SUMMARY
HTTPS
• use pyOpenSSL
• use Python 2 stdlib only for clients

View Slide

WHY SORRY?

View Slide

IMPLEMENTATIONS

View Slide

USERS

View Slide

USERS
• run outdated software

View Slide

USERS
• click certiﬁcate warnings
away

View Slide

USERS
• click certiﬁcate warnings
away
• are at the mercy of 3rd parties

View Slide

The Sorry State of SSL @ EuroPython 2014

The Sorry State of SSL @ EuroPython 2014

Hynek Schlawack

More Decks by Hynek Schlawack

Other Decks in Technology

Featured

Transcript