The Sorry State of SSL at PyCon US 2014

THE SORRY STATE OF SSL Hynek Schlawack

@hynek https://hynek.me https://github.com/hynek https://www.variomedia.de Hi!

ONLY LINK ox.cx/t

WTF SSL

WTF SSL & TLS

TIMELINE

TIMELINE 1995: Secure Sockets Layer 2.0, Netscape

TIMELINE 1995: Secure Sockets Layer 2.0, Netscape 1996: SSL 3.0,
still Netscape

still Netscape 1999: Transport Layer Security 1.0, IETF

still Netscape 1999: Transport Layer Security 1.0, IETF 2006: TLS 1.1

still Netscape 1999: Transport Layer Security 1.0, IETF 2006: TLS 1.1 2008: TLS 1.2

2013 • newfound scrutiny

2013 • newfound scrutiny • browsers add TLS 1.2

2013 • newfound scrutiny • browsers add TLS 1.2 •
just using TLS not enough

TLS • identity

TLS • identity • conﬁdentiality

TLS • identity • conﬁdentiality • integrity

TLS HYGIENE

SERVERS

BE UP-TO-DATE • OpenSSL >= 1.0.1c • Apache >= 2.4.0
• nginx >= 1.0.6 or 1.1.0

CERTIFICATES • identity • validity

CERTIFICATES • identity • validity • CA sig

EXTENDED VALIDATION CERTIFICATES

TRUST CHAIN

CERTIFICATES • trust chain

CERTIFICATES • trust chain • host name/service

CERTIFICATES • trust chain • host name/service • already/still valid?

DISABLE • SSL 2.0

DISABLE • SSL 2.0 • SSL 3.0 (if you can)

DISABLE • SSL 2.0 • SSL 3.0 (if you can)
• TLS compression

CIPHER SUITES

CIPHER

CIPHER Cipher

CIPHER Cipher Plaintext

CIPHER Cipher Ciphertext Plaintext

Ciphertext CIPHER Cipher Plaintext

CIPHER: MODE

CIPHER: MODE • CBC

CIPHER: MODE • CBC • stream ciphers

CIPHER: MODE • CBC • stream ciphers • GCM

ENCRYPTION: PREFER THIS

ENCRYPTION: PREFER THIS AES128-GCM &

ENCRYPTION: PREFER THIS AES128-GCM & ChaCha20

ENCRYPTION: FALL BACK TO AES128-CBC

ENCRYPTION: IF LIFE IS CRUEL TO YOU 3DES-CBC

ENCRYPTION: EOL

ENCRYPTION: DANGEROUS • EXP-*

ENCRYPTION: DANGEROUS • EXP-* • DES

ENCRYPTION: DANGEROUS • EXP-* • DES • RC4

KEY EXCHANGE

KEY EXCHANGE fast PFS RSA ✔️ ❌

KEY EXCHANGE fast PFS RSA ✔️ ❌ DHE ❌ ✔️

KEY EXCHANGE fast PFS RSA ✔️ ❌ DHE ❌ ✔️
ECDHE ✔️ ✔️

INTEGRITY: MACS • Message Authentication Code

INTEGRITY: MACS • Message Authentication Code • HMAC

INTEGRITY: MACS • Message Authentication Code • HMAC • GCM

HAVE THE LAST WORD

YOU’RE DONE!

YOU’RE DONE! (but test your results!)

CERTIFICATE

PROTOCOLS

CIPHER SUITES

CLIENTS

YOU HAD ONE JOB!

YOU HAD ONE JOB! VERIFY!

VERIFY THE CERTIFICATE! • valid?

VERIFY THE CERTIFICATE! • valid? • trustworthy chain?

VERIFY THE CERTIFICATE! • valid? • trustworthy chain? • correct
hostname/service?

TRUST CHAIN

TRUST CHAIN • VERIFY_PEER

TRUST CHAIN • VERIFY_PEER • trust stores OS dependent

TRUST CHAIN • VERIFY_PEER • trust stores OS dependent •
SSL_CTX_set_default_ verify_paths

SYSTEM CA • FreeBSD: ca_root_nss

SYSTEM CA • FreeBSD: ca_root_nss • debian/Red Hat: ca-certiﬁcates

SYSTEM CA • FreeBSD: ca_root_nss • debian/Red Hat: ca-certiﬁcates •
OS X: TEA or homebrew

OS X: TEA or homebrew • Windows: wincertstore

OS X: TEA or homebrew • Windows: wincertstore • or: Mozilla/certiﬁ

HOSTNAME VERIFICATION OpenSSL to developers:

HOSTNAME VERIFICATION OpenSSL to developers: LOL

DON’T VERIFY TRUST CHAIN I can pretend to be Google
with any self-signed certiﬁcate.

DON’T VERIFY HOSTNAME I can pretend to be Google with
any valid certiﬁcate.

SET SOME OPTIONS • acceptable ciphers • disable SSL 2.0

THAT’S ALL!

FUNDAMENTAL MISCONCEPTIONS

FUNDAMENTAL MISCONCEPTIONS • no end-to-end security

FUNDAMENTAL MISCONCEPTIONS • no end-to-end security • metadata

VPN? • sees all your trafﬁc

VPN? • sees all your trafﬁc • same for CDN

CERTIFICATE WARNINIGS

ROOT CERTIFICATE POISONING

TRUST ISSUES

TRUST ISSUES • hacked

TRUST ISSUES • hacked • screw up

TRUST ISSUES • hacked • screw up • court orders

TRUST ISSUES • hacked • screw up • court orders
• big corp

DON’T DO IT YOURSELF IF YOU CAN HELP IT. Rule
of Thumb

STANDARD LIBRARY VS. PYOPENSSL

STANDARD LIBRARY

STANDARD LIBRARY • terrible pre-3.3

STANDARD LIBRARY • terrible pre-3.3 • very incomplete in 2.7

• PFS impossible

• PFS impossible • missing options

• PFS impossible • missing options • bound to Python’s OpenSSL

HOSTNAME VERIFICATION 3.2– from ssl import match_hostname 2.4–2.7 pip install
backports.ssl_match_hostname

PYOPENSSL

PYOPENSSL • Python 2.6+, 3.2+, and PyPy

PYOPENSSL • Python 2.6+, 3.2+, and PyPy • more complete
API coverage

API coverage • no server ECDHE (yet)

API coverage • no server ECDHE (yet) • cryptography!

CRYPTOGRAPHY.IO

CRYPTOGRAPHY.IO • Python crypto w/o footguns

CRYPTOGRAPHY.IO • Python crypto w/o footguns • PyPy ♥ cfﬁ

• SecureTransport is coming!

• SecureTransport is coming! • gives pyOpenSSL momentum

HOSTNAME VERIFICATION service_identity

LIBRARIES & FRAMEWORKS

SERVERS lib PFS good defaults conﬁgurable eventlet hybrid ❌ ❌
❌ gevent stdlib ❌ ❌ ❌ gunicorn depends ❌ ❌ ❌ Tornado stdlib ❌ ❌ ❌

❌ gevent stdlib ❌ ❌ ❌ gunicorn depends ❌ ❌ ❌ Tornado stdlib ❌ ❌ ❌ Twisted 14.0 pyOpenSSL ✔️ ✔️ ✔️

❌ gevent stdlib ❌ ❌ ❌ gunicorn depends ❌ ❌ ❌ Tornado stdlib ❌ ❌ ❌ Twisted 14.0 pyOpenSSL ✔️ ✔️ ✔️ uWSGI own C code ✔️ ❌ ✔️

CLIENTS lib verifies certificates verifies hostnames good defaults eventlet hybrid
❌ ❌ ❌ gevent stdlib ❌ ❌ ❌

❌ ❌ ❌ gevent stdlib ❌ ❌ ❌ Tornado stdlib ✔️ ✔️ ❌

❌ ❌ ❌ gevent stdlib ❌ ❌ ❌ Tornado stdlib ✔️ ✔️ ❌ Twisted 14.0 pyOpenSSL opt-in opt-in ✔️

❌ ❌ ❌ gevent stdlib ❌ ❌ ❌ Tornado stdlib ✔️ ✔️ ❌ Twisted 14.0 pyOpenSSL opt-in opt-in ✔️ urllib2 stdlib ❌ ❌ ❌

❌ ❌ ❌ gevent stdlib ❌ ❌ ❌ Tornado stdlib ✔️ ✔️ ❌ Twisted 14.0 pyOpenSSL opt-in opt-in ✔️ urllib2 stdlib ❌ ❌ ❌ urllib3/requests hybrid ✔️ ✔️ ✔️

SUMMARY

SUMMARY • keep TLS out of Python if you can

• use pyOpenSSL-powered requests for HTTPS

• use pyOpenSSL-powered requests for HTTPS • write servers in Twisted

• use pyOpenSSL-powered requests for HTTPS • write servers in Twisted • use pyOpenSSL

• use pyOpenSSL-powered requests for HTTPS • write servers in Twisted • use pyOpenSSL • use Python 2 stdlib only for clients

WHY SORRY?

IMPLEMENTATIONS

USERS • run outdated software

USERS • run outdated software • click certiﬁcate warnings away

USERS • run outdated software • click certiﬁcate warnings away
• are at the mercy of 3rd parties

SERVERS

CLIENTS

PYTHON Is at the forefront of terrible.

HOPE • people care again

HOPE • people care again • stdlib

HOPE • people care again • stdlib • PyCA

CALLS TO ACTION

ox.cx/t @hynek Crypto Open Space!

The Sorry State of SSL at PyCon US 2014

The Sorry State of SSL at PyCon US 2014

More Decks by Hynek Schlawack

Other Decks in Technology

Featured

Transcript