The Sorry State of SSL @ EuroPython 2014

TLS is the best technology we have for securing our communications. It comes with many sharp edges though. This talk tries to jumpstart a rough understanding.

Hynek Schlawack

July 22, 2014

Transcript

  1. THE SORRY STATE OF SSL Hynek Schlawack

  2. @hynek https://hynek.me https://github.com/hynek Guten Tag!

  4. https://www.variomedia.de

  8. ONLY LINK ox.cx/t

  9-11. WTF SSL & TLS

  12-17. TIMELINE • 1995: Secure Sockets Layer 2.0, Netscape • 1996: SSL 3.0, still Netscape • 1999: Transport Layer Security 1.0, IETF • 2006: TLS 1.1 • 2008: TLS 1.2

  18-21. 2013 • newfound scrutiny • browsers add TLS 1.2 • just using TLS not enough

  22-25. TLS • identity • confidentiality • integrity

  26. TLS HYGIENE

  27. SERVERS

  28. BE UP-TO-DATE • OpenSSL >= 1.0.1c • Apache >= 2.4.0 • nginx >= 1.0.6 or 1.1.0

  29. BE UP-TO-DATE • OpenSSL >= 1.0.1h • Apache >= 2.4.9 • nginx >= 1.4.7

  30-35. CERTIFICATES • identity • validity • CA sig

  36-38. TRUST CHAIN

  39-41. CERTIFICATES • trust chain • host name/service • already/still valid?

  42-44. DISABLE • SSL 2.0 • SSL 3.0 (if you can) • TLS compression

  45. CIPHER SUITES

  46-51. CIPHER: Plaintext ↔ Cipher ↔ Ciphertext

  52-55. CIPHER: MODE • CBC • stream ciphers • GCM

  56-58. ENCRYPTION: PREFER THIS AES128-GCM & ChaCha20

  59. ENCRYPTION: FALL BACK TO AES128-CBC

  60. ENCRYPTION: IF LIFE IS CRUEL TO YOU 3DES-CBC

  61. ENCRYPTION: EOL

  62-65. ENCRYPTION: DANGEROUS • EXP-* • DES • RC4

  66-70. KEY EXCHANGE (fast / PFS)
    RSA:   fast ✔️  PFS ❌
    DHE:   fast ❌  PFS ✔️
    ECDHE: fast ✔️  PFS ✔️

  71-73. INTEGRITY: MACS • Message Authentication Code • HMAC • GCM

  74. HAVE THE LAST WORD

  75-76. YOU’RE DONE! (but test your results!)

  77-83. CERTIFICATE

  84-87. PROTOCOLS

  88-95. CIPHER SUITES

  96. CLIENTS

  97-98. YOU HAD ONE JOB! VERIFY!

  99-101. VERIFY THE CERTIFICATE! • valid? • trustworthy chain? • correct hostname/service?

  102-105. TRUST CHAIN • VERIFY_PEER • trust stores OS dependent • SSL_CTX_set_default_verify_paths

  106-110. SYSTEM CA • FreeBSD: ca_root_nss • Debian/Red Hat: ca-certificates • OS X: TEA or homebrew • Windows: wincertstore • or: Mozilla/certifi

  111-112. HOSTNAME VERIFICATION OpenSSL to developers: LOL

  113. DON’T VERIFY TRUST CHAIN I can pretend to be Google with any self-signed certificate.

  114. DON’T VERIFY HOSTNAME I can pretend to be Google with any valid certificate.

  116. SET SOME OPTIONS • acceptable ciphers • disable SSL 2.0

  117. THAT’S ALL!
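The client checklist above (verify the chain, verify the hostname, pick a trust store, set acceptable ciphers, disable SSL 2.0/3.0 and TLS compression) plus the ordering from the ENCRYPTION and KEY EXCHANGE slides, expressed as one Python 3 ssl.SSLContext, with a small "test your results!" audit and the "already/still valid?" check. This is an added example, not code from the talk; it assumes a modern Python 3 (3.7+) standard library, which has caught up considerably since 2014, sets TLS 1.2 as the floor (stricter than the talk's "SSL 3.0 if you can"), and leaves out the 3DES-CBC last resort.

```python
import ssl

# Cipher preference in the talk's order: AES128-GCM and ChaCha20 first, ECDHE
# ahead of DHE (fast and PFS), AES128-CBC as the fallback, and the "dangerous"
# families (EXP-*, DES, RC4) plus MD5, PSK and anonymous suites excluded.
# The 3DES-CBC last resort is left out. Constructed for this example.
PREFERRED_CIPHERS = (
    "ECDHE+AES128+AESGCM:ECDHE+CHACHA20:ECDHE+AESGCM:"
    "DHE+AES128+AESGCM:DHE+CHACHA20:DHE+AESGCM:"
    "ECDHE+AES128:DHE+AES128:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK"
)

def make_client_context(cafile=None):
    """A client context that does the one job: verify chain and hostname."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED  # VERIFY_PEER: bad chain, no handshake
    ctx.check_hostname = True  # OpenSSL alone will not match the hostname
    if cafile is None:
        ctx.load_default_certs()  # SSL_CTX_set_default_verify_paths
    else:
        ctx.load_verify_locations(cafile=cafile)  # e.g. certifi's bundle
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSL 2.0/3.0 at all
    ctx.options |= ssl.OP_NO_COMPRESSION  # disable TLS compression
    ctx.set_ciphers(PREFERRED_CIPHERS)
    return ctx

def tls12_cipher_names(ctx):
    """Pre-TLS-1.3 suites the context offers, in preference order."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def audit_context(ctx):
    """'Test your results!': findings for a client context, empty when clean."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not verified")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression still enabled")
    for name in tls12_cipher_names(ctx):
        # single DES is "DES-CBC-", triple DES is "DES-CBC3-"
        if "RC4" in name or "DES-CBC-" in name or name.startswith("EXP-"):
            findings.append("dangerous cipher suite offered: " + name)
    return findings

def cert_is_currently_valid(cert, now):
    """'Already/still valid?' on a getpeercert()-style dict at Unix time now."""
    return (ssl.cert_time_to_seconds(cert["notBefore"])
            <= now <= ssl.cert_time_to_seconds(cert["notAfter"]))
```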

  118. USERS

  119-121. FUNDAMENTAL MISCONCEPTIONS • no end-to-end security • metadata

  122-124. VPN? • sees all your traffic • same for CDN

  125-126. CERTIFICATE WARNINGS

  127. ROOT CERTIFICATE POISONING

  128-135. TRUST ISSUES • hacked • screw up • court orders • big corp

  137. Rule of Thumb: DON’T DO IT YOURSELF IF YOU CAN HELP IT.

  138. STANDARD LIBRARY VS. PYOPENSSL

  139-144. STANDARD LIBRARY • terrible pre-3.3 • very incomplete in 2.7 • PFS impossible • missing options • bound to Python’s OpenSSL

  145. HOSTNAME VERIFICATION • 3.2–: from ssl import match_hostname • 2.4–2.7: pip install backports.ssl_match_hostname

  146-149. PYOPENSSL • Python 2.6+, 3.2+, and PyPy • more complete API coverage • PyCA cryptography!

  150-154. CRYPTOGRAPHY.IO • Python crypto w/o footguns • PyCA • PyPy ♥ CFFI • gives pyOpenSSL momentum

  155. HOSTNAME VERIFICATION service_identity

  156. LIBRARIES & FRAMEWORKS

  157-160. SERVERS (lib / PFS / good defaults / configurable)
    eventlet:     hybrid      ❌ ❌ ❌
    gevent:       stdlib      ❌ ❌ ❌
    gunicorn:     depends     ❌ ❌ ❌
    Tornado:      stdlib      ❌ ❌ ❌
    Twisted 14.0: pyOpenSSL   ✔️ ✔️ ✔️
    uWSGI:        own C code  ✔️ ❌ ✔️

  161-165. CLIENTS (lib / verifies certificates / verifies hostnames / good defaults)
    eventlet:         hybrid     ❌ ❌ ❌
    gevent:           stdlib     ❌ ❌ ❌
    Tornado:          stdlib     ✔️ ✔️ ❌
    Twisted 14.0:     pyOpenSSL  depends depends ✔️
    urllib2:          stdlib     ❌ ❌ ❌
    urllib3/requests: hybrid     ✔️ ✔️ ✔️

  166-171. SUMMARY • keep TLS out of Python if you can • use pyOpenSSL-powered requests for HTTPS • write servers in Twisted • use pyOpenSSL • use Python 2 stdlib only for clients

  172. WHY SORRY?

  173-174. IMPLEMENTATIONS

  175-178. USERS • run outdated software • click certificate warnings away • are at the mercy of 3rd parties

  179-180. SERVERS

  181. CLIENTS

  182. PYTHON Is at the forefront of terrible.

  183-186. HOPE • people care again • stdlib • PyCA

  187-191. CALLS TO ACTION

  192. ox.cx/t @hynek vrmd.de