The Sorry State Of SSL by Hynek Schlawack

Transcript

1. THE SORRY STATE OF SSL Hynek Schlawack

2. @hynek https://hynek.me https://github.com/hynek https://www.variomedia.de Hi!

3. None
4. None
5. None

6. ONLY LINK ox.cx/t

7. WTF

8. WTF SSL

9. WTF SSL & TLS

10. TIMELINE

11. TIMELINE 1995: Secure Sockets Layer 2.0, Netscape

12. TIMELINE 1995: Secure Sockets Layer 2.0, Netscape 1996: SSL 3.0,

    still Netscape

13. TIMELINE 1995: Secure Sockets Layer 2.0, Netscape 1996: SSL 3.0,

    still Netscape 1999: Transport Layer Security 1.0, IETF

14. TIMELINE 1995: Secure Sockets Layer 2.0, Netscape 1996: SSL 3.0,

    still Netscape 1999: Transport Layer Security 1.0, IETF 2006: TLS 1.1

15. TIMELINE 1995: Secure Sockets Layer 2.0, Netscape 1996: SSL 3.0,

    still Netscape 1999: Transport Layer Security 1.0, IETF 2006: TLS 1.1 2008: TLS 1.2

16. 2013

17. 2013 • newfound scrutiny

18. 2013 • newfound scrutiny • browsers add TLS 1.2

19. 2013 • newfound scrutiny • browsers add TLS 1.2 •

    just using TLS not enough

20. TLS

21. TLS • identity

22. TLS • identity • confidentiality

23. TLS • identity • confidentiality • integrity

24. TLS HYGIENE

25. SERVERS

26. BE UP-TO-DATE • OpenSSL >= 1.0.1c • Apache >= 2.4.0

    • nginx >= 1.0.6 or 1.1.0

27. CERTIFICATES • identity • validity

28. CERTIFICATES • identity • validity • CA sig

29. CERTIFICATES • identity • validity • CA sig

30. CERTIFICATES • identity • validity • CA sig

31. CERTIFICATES • identity • validity • CA sig

32. CERTIFICATES • identity • validity • CA sig

33. EXTENDED VALIDATION CERTIFICATES

34. EXTENDED VALIDATION CERTIFICATES

35. TRUST CHAIN

36. TRUST CHAIN

37. TRUST CHAIN

38. CERTIFICATES • trust chain

39. CERTIFICATES • trust chain • host name/service

40. CERTIFICATES • trust chain • host name/service • already/still valid?

41. DISABLE • SSL 2.0

42. DISABLE • SSL 2.0 • SSL 3.0 (if you can)

43. DISABLE • SSL 2.0 • SSL 3.0 (if you can)

    • TLS compression

44. CIPHER SUITES

45. CIPHER

46. CIPHER Cipher

47. CIPHER Cipher Plaintext

48. CIPHER Cipher Plaintext

49. CIPHER Cipher Ciphertext Plaintext

50. Ciphertext CIPHER Cipher Plaintext

51. CIPHER: MODE

52. CIPHER: MODE • CBC

53. CIPHER: MODE • CBC • stream ciphers

54. CIPHER: MODE • CBC • stream ciphers • GCM

55. ENCRYPTION: PREFER THIS

56. ENCRYPTION: PREFER THIS AES128-GCM &

57. ENCRYPTION: PREFER THIS AES128-GCM & ChaCha20

58. ENCRYPTION: FALL BACK TO AES128-CBC

59. ENCRYPTION: IF LIFE IS CRUEL TO YOU 3DES-CBC

60. ENCRYPTION: EOL

61. ENCRYPTION: DANGEROUS • EXP-*

62. ENCRYPTION: DANGEROUS • EXP-* • DES

63. ENCRYPTION: DANGEROUS • EXP-* • DES • RC4

64. KEY EXCHANGE

65. KEY EXCHANGE fast PFS RSA ✔️ ❌

66. KEY EXCHANGE fast PFS RSA ✔️ ❌ DHE ❌ ✔️

67. KEY EXCHANGE fast PFS RSA ✔️ ❌ DHE ❌ ✔️

    ECDHE ✔️ ✔️

68. KEY EXCHANGE fast PFS RSA ✔️ ❌ DHE ❌ ✔️

    ECDHE ✔️ ✔️

69. INTEGRITY: MACS • Message Authentication Code

70. INTEGRITY: MACS • Message Authentication Code • HMAC

71. INTEGRITY: MACS • Message Authentication Code • HMAC • GCM

72. HAVE THE LAST WORD

73. YOU’RE DONE!

74. YOU’RE DONE! (but test your results!)

75. CERTIFICATE

76. CERTIFICATE

77. CERTIFICATE

78. CERTIFICATE

79. CERTIFICATE

80. CERTIFICATE

81. CERTIFICATE

82. PROTOCOLS

83. PROTOCOLS

84. PROTOCOLS

85. PROTOCOLS

86. CIPHER SUITES

87. CIPHER SUITES

88. CIPHER SUITES

89. CIPHER SUITES

90. CIPHER SUITES

91. CIPHER SUITES

92. CIPHER SUITES

93. CIPHER SUITES

94. CLIENTS

95. YOU HAD ONE JOB!

96. YOU HAD ONE JOB! VERIFY!

97. VERIFY THE CERTIFICATE! • valid?

98. VERIFY THE CERTIFICATE! • valid? • trustworthy chain?

99. VERIFY THE CERTIFICATE! • valid? • trustworthy chain? • correct

    hostname/service?

100. TRUST CHAIN

101. TRUST CHAIN • VERIFY_PEER

102. TRUST CHAIN • VERIFY_PEER • trust stores OS dependent

103. TRUST CHAIN • VERIFY_PEER • trust stores OS dependent •

     SSL_CTX_set_default_ verify_paths

104. SYSTEM CA • FreeBSD: ca_root_nss

105. SYSTEM CA • FreeBSD: ca_root_nss • debian/Red Hat: ca-certificates

106. SYSTEM CA • FreeBSD: ca_root_nss • debian/Red Hat: ca-certificates •

     OS X: TEA or homebrew

107. SYSTEM CA • FreeBSD: ca_root_nss • debian/Red Hat: ca-certificates •

     OS X: TEA or homebrew • Windows: wincertstore

108. SYSTEM CA • FreeBSD: ca_root_nss • debian/Red Hat: ca-certificates •

     OS X: TEA or homebrew • Windows: wincertstore • or: Mozilla/certifi

109. HOSTNAME VERIFICATION OpenSSL to developers:

110. HOSTNAME VERIFICATION OpenSSL to developers: LOL

111. DON’T VERIFY TRUST CHAIN I can pretend to be Google

     with any self-signed certificate.

112. DON’T VERIFY HOSTNAME I can pretend to be Google with

     any valid certificate.
113. None

114. SET SOME OPTIONS • acceptable ciphers • disable SSL 2.0

115. THAT’S ALL!

116. USERS

117. FUNDAMENTAL MISCONCEPTIONS

118. FUNDAMENTAL MISCONCEPTIONS • no end-to-end security

119. FUNDAMENTAL MISCONCEPTIONS • no end-to-end security • metadata

120. VPN?

121. VPN? • sees all your traffic

122. VPN? • sees all your traffic • same for CDN

123. CERTIFICATE WARNINIGS

124. CERTIFICATE WARNINIGS

125. ROOT CERTIFICATE POISONING

126. TRUST ISSUES

127. TRUST ISSUES

128. TRUST ISSUES

129. TRUST ISSUES

130. TRUST ISSUES • hacked

131. TRUST ISSUES • hacked • screw up

132. TRUST ISSUES • hacked • screw up • court orders

133. TRUST ISSUES • hacked • screw up • court orders

     • big corp
134. None

135. DON’T DO IT YOURSELF IF YOU CAN HELP IT. Rule

     of Thumb

136. STANDARD LIBRARY VS. PYOPENSSL

137. STANDARD LIBRARY

138. STANDARD LIBRARY • terrible pre-3.3

139. STANDARD LIBRARY • terrible pre-3.3 • very incomplete in 2.7

140. STANDARD LIBRARY • terrible pre-3.3 • very incomplete in 2.7

     • PFS impossible

141. STANDARD LIBRARY • terrible pre-3.3 • very incomplete in 2.7

     • PFS impossible • missing options

142. STANDARD LIBRARY • terrible pre-3.3 • very incomplete in 2.7

     • PFS impossible • missing options • bound to Python’s OpenSSL

143. HOSTNAME VERIFICATION 3.2– from ssl import match_hostname 2.4–2.7 pip install

     backports.ssl_match_hostname

144. PYOPENSSL

145. PYOPENSSL • Python 2.6+, 3.2+, and PyPy

146. PYOPENSSL • Python 2.6+, 3.2+, and PyPy • more complete

     API coverage

147. PYOPENSSL • Python 2.6+, 3.2+, and PyPy • more complete

     API coverage • no server ECDHE (yet)

148. PYOPENSSL • Python 2.6+, 3.2+, and PyPy • more complete

     API coverage • no server ECDHE (yet) • cryptography!

149. CRYPTOGRAPHY.IO

150. CRYPTOGRAPHY.IO • Python crypto w/o footguns

151. CRYPTOGRAPHY.IO • Python crypto w/o footguns • PyPy ♥ cffi

152. CRYPTOGRAPHY.IO • Python crypto w/o footguns • PyPy ♥ cffi

     • SecureTransport is coming!

153. CRYPTOGRAPHY.IO • Python crypto w/o footguns • PyPy ♥ cffi

     • SecureTransport is coming! • gives pyOpenSSL momentum

154. HOSTNAME VERIFICATION service_identity

155. LIBRARIES & FRAMEWORKS

156. SERVERS lib PFS good defaults configurable eventlet hybrid ❌ ❌

     ❌ gevent stdlib ❌ ❌ ❌ gunicorn depends ❌ ❌ ❌ Tornado stdlib ❌ ❌ ❌

157. SERVERS lib PFS good defaults configurable eventlet hybrid ❌ ❌

     ❌ gevent stdlib ❌ ❌ ❌ gunicorn depends ❌ ❌ ❌ Tornado stdlib ❌ ❌ ❌ Twisted 14.0 pyOpenSSL ✔️ ✔️ ✔️

158. SERVERS lib PFS good defaults configurable eventlet hybrid ❌ ❌

     ❌ gevent stdlib ❌ ❌ ❌ gunicorn depends ❌ ❌ ❌ Tornado stdlib ❌ ❌ ❌ Twisted 14.0 pyOpenSSL ✔️ ✔️ ✔️ uWSGI own C code ✔️ ❌ ✔️

159. SERVERS lib PFS good defaults configurable eventlet hybrid ❌ ❌

     ❌ gevent stdlib ❌ ❌ ❌ gunicorn depends ❌ ❌ ❌ Tornado stdlib ❌ ❌ ❌ Twisted 14.0 pyOpenSSL ✔️ ✔️ ✔️ uWSGI own C code ✔️ ❌ ✔️

160. CLIENTS lib verifies certificates verifies hostnames good defaults eventlet hybrid

     ❌ ❌ ❌ gevent stdlib ❌ ❌ ❌

161. CLIENTS lib verifies certificates verifies hostnames good defaults eventlet hybrid

     ❌ ❌ ❌ gevent stdlib ❌ ❌ ❌ Tornado stdlib ✔️ ✔️ ❌

162. CLIENTS lib verifies certificates verifies hostnames good defaults eventlet hybrid

     ❌ ❌ ❌ gevent stdlib ❌ ❌ ❌ Tornado stdlib ✔️ ✔️ ❌ Twisted 14.0 pyOpenSSL opt-in opt-in ✔️

163. CLIENTS lib verifies certificates verifies hostnames good defaults eventlet hybrid

     ❌ ❌ ❌ gevent stdlib ❌ ❌ ❌ Tornado stdlib ✔️ ✔️ ❌ Twisted 14.0 pyOpenSSL opt-in opt-in ✔️ urllib2 stdlib ❌ ❌ ❌

164. CLIENTS lib verifies certificates verifies hostnames good defaults eventlet hybrid

     ❌ ❌ ❌ gevent stdlib ❌ ❌ ❌ Tornado stdlib ✔️ ✔️ ❌ Twisted 14.0 pyOpenSSL opt-in opt-in ✔️ urllib2 stdlib ❌ ❌ ❌ urllib3/requests hybrid ✔️ ✔️ ✔️

165. SUMMARY

166. SUMMARY • keep TLS out of Python if you can

167. SUMMARY • keep TLS out of Python if you can

     • use pyOpenSSL-powered requests for HTTPS

168. SUMMARY • keep TLS out of Python if you can

     • use pyOpenSSL-powered requests for HTTPS • write servers in Twisted

169. SUMMARY • keep TLS out of Python if you can

     • use pyOpenSSL-powered requests for HTTPS • write servers in Twisted • use pyOpenSSL

170. SUMMARY • keep TLS out of Python if you can

     • use pyOpenSSL-powered requests for HTTPS • write servers in Twisted • use pyOpenSSL • use Python 2 stdlib only for clients

171. WHY SORRY?

172. IMPLEMENTATIONS

173. IMPLEMENTATIONS

174. USERS

175. USERS • run outdated software

176. USERS • run outdated software • click certificate warnings away

177. USERS • run outdated software • click certificate warnings away

     • are at the mercy of 3rd parties

178. SERVERS

179. SERVERS

180. CLIENTS

181. CLIENTS

182. PYTHON Is at the forefront of terrible.

183. HOPE

184. HOPE • people care again

185. HOPE • people care again • stdlib

186. HOPE • people care again • stdlib • PyCA

187. CALLS TO ACTION

188. CALLS TO ACTION

189. CALLS TO ACTION

190. CALLS TO ACTION

191. CALLS TO ACTION

192. ox.cx/t @hynek Crypto Open Space!