"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014


  1. THE SORRY STATE OF ССЛ Hynek Schlawack
  2. @hynek https://hynek.me https://github.com/hynek Hi!
  3. https://www.variomedia.de
  4. ONLY LINK ox.cx/t
  5–7. WTF SSL & TLS
  8–13. TIMELINE • 1995: Secure Sockets Layer 2.0, Netscape • 1996: SSL 3.0, still Netscape • 1999: Transport Layer Security 1.0, IETF • 2006: TLS 1.1 • 2008: TLS 1.2
  14–17. 2013 • newfound scrutiny • browsers add TLS 1.2 • just using TLS not enough
  18–21. TLS • identity • confidentiality • integrity
  22. TLS HYGIENE
  23. SERVERS
  24–25. BE UP-TO-DATE • OpenSSL >= 1.0.1c • Apache >= 2.4.0 • nginx >= 1.0.6 or 1.1.0 (slide 25 adds a trailing "g")
  26–31. CERTIFICATES • identity • validity • CA sig
  32–33. EXTENDED VALIDATION CERTIFICATES
  34–36. TRUST CHAIN
  37–39. CERTIFICATES • trust chain • host name/service • already/still valid?
  40–42. DISABLE • SSL 2.0 • SSL 3.0 (if you can) • TLS compression
  43. CIPHER SUITES
  44–49. CIPHER (diagram: Plaintext → Cipher → Ciphertext)
  50–53. CIPHER: MODE • CBC • stream ciphers • GCM
  54–56. ENCRYPTION: PREFER THIS • AES128-GCM & ChaCha20
  57. ENCRYPTION: FALL BACK TO • AES128-CBC
  58. ENCRYPTION: IF LIFE IS CRUEL TO YOU • 3DES-CBC
  59. ENCRYPTION: EOL
  60–63. ENCRYPTION: DANGEROUS • EXP-* • DES • RC4
  64–68. KEY EXCHANGE (table: fast / PFS) • RSA: fast ✔️, PFS ❌ • DHE: fast ❌, PFS ✔️ • ECDHE: fast ✔️, PFS ✔️
  69–71. INTEGRITY: MACS • Message Authentication Code • HMAC • GCM
  72. HAVE THE LAST WORD
  73–74. YOU’RE DONE! (but test your results!)
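The server-side hygiene slides above (disable SSL 2.0/3.0 and compression, prefer AES128-GCM and ChaCha20 on an ECDHE/DHE key exchange, never EXP-*/DES/RC4, let the server have the last word, then test the result) can be expressed as one Python `ssl.SSLContext`. This is an added example, not code from the talk or from any project it names. The cipher string, the `audit_server_context` check and the decision to require TLS 1.2 as the floor (stricter than the talk's "SSL 3.0 if you can", which is what a current deployment would do) are this example's own choices; 3DES, which the talk lists only as a last resort, is deliberately left out.

```python
import ssl

# Cipher preference following the talk's ordering: AEAD suites first
# (AES128-GCM, ChaCha20), then AES128-CBC as the fallback, always on an
# (EC)DHE key exchange so every session has forward secrecy. EXP-*, DES,
# RC4 and anonymous/NULL suites are excluded explicitly. 3DES, which the
# talk lists only as a last resort, is left out here (an example choice).
CIPHER_STRING = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:"
    "ECDHE+AES128:DHE+AES128:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"
)

# Substrings that identify suites the talk marks as dangerous.
WEAK_MARKERS = ("EXP", "DES", "RC4", "NULL", "MD5")


def make_server_context(certfile=None, keyfile=None):
    """Build a hardened server-side SSLContext.

    certfile/keyfile are optional so the context can be inspected without a
    certificate on disk; a real server must load its chain."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # The talk says disable SSL 2.0 and SSL 3.0; this example goes further
    # and refuses anything below TLS 1.2.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # "DISABLE TLS compression" and "HAVE THE LAST WORD": the server, not
    # the client, picks the cipher suite from the intersection.
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    ctx.set_ciphers(CIPHER_STRING)
    if certfile is not None:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_server_context(ctx):
    """Return the checks the talk recommends ("test your results!") as a dict."""
    names = [c["name"] for c in ctx.get_ciphers()]
    # TLS 1.3 suites are listed as TLS_*; they are always (EC)DHE-based.
    non_pfs = [n for n in names if not n.startswith(("ECDHE-", "DHE-", "TLS_"))]
    weak = [n for n in names if any(m in n for m in WEAK_MARKERS)]
    return {
        "min_tls12": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "server_has_last_word": bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
        "pfs_only": not non_pfs,
        "weak_ciphers": weak,
        "enabled_ciphers": names,
    }


if __name__ == "__main__":
    report = audit_server_context(make_server_context())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running the module prints the audit for the bundled OpenSSL; the exact `enabled_ciphers` list depends on the OpenSSL build, but the four boolean checks should all be true and `weak_ciphers` empty on any current build.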
  75–81. CERTIFICATE (test-result screenshots)
  82–85. PROTOCOLS (test-result screenshots)
  86–93. CIPHER SUITES (test-result screenshots)
  94. CLIENTS
  95–96. YOU HAD ONE JOB! VERIFY!
  97–99. VERIFY THE CERTIFICATE! • valid? • trustworthy chain? • correct hostname/service?
  100–103. TRUST CHAIN • VERIFY_PEER • trust stores OS dependent • SSL_CTX_set_default_verify_paths
  104–108. SYSTEM CA • FreeBSD: ca_root_nss • Debian/Red Hat: ca-certificates • OS X: TEA or homebrew • Windows: wincertstore • or: Mozilla/certifi
  109–110. HOSTNAME VERIFICATION OpenSSL to developers: LOL
  111. DON’T VERIFY TRUST CHAIN: I can pretend to be Google with any self-signed certificate.
  112. DON’T VERIFY HOSTNAME: I can pretend to be Google with any valid certificate.
  113. SET SOME OPTIONS • acceptable ciphers • disable SSL 2.0
  114. THAT’S ALL!
  115. USERS
  116–118. FUNDAMENTAL MISCONCEPTIONS • no end-to-end security • metadata
  119–121. VPN? • sees all your traffic • same for CDN
  122–123. CERTIFICATE WARNINGS
  124. ROOT CERTIFICATE POISONING
  125–132. TRUST ISSUES • hacked • screw up • court orders • big corp
  133. Rule of Thumb: DON’T DO IT YOURSELF IF YOU CAN HELP IT.
  134. STANDARD LIBRARY VS. PYOPENSSL
  135–140. STANDARD LIBRARY • terrible pre-3.3 • very incomplete in 2.7 • PFS impossible • missing options • bound to Python’s OpenSSL
  141. HOSTNAME VERIFICATION • 3.2–: from ssl import match_hostname • 2.4–2.7: pip install backports.ssl_match_hostname
  142–145. PYOPENSSL • Python 2.6+, 3.2+, and PyPy • more complete API coverage • PyCA cryptography!
  146–150. CRYPTOGRAPHY.IO • Python crypto w/o footguns • PyCA • PyPy ♥ CFFI • gives pyOpenSSL momentum
  151. HOSTNAME VERIFICATION service_identity
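The two client-side failures the talk calls out (slides 111–112: not verifying the trust chain, not verifying the hostname) and the Python hostname-verification slides (141 and 151) are illustrated below with the current standard library. This is an added example, not code from the talk, from `service_identity` or from `backports.ssl_match_hostname`. `make_client_context` is the VERIFY_PEER + system-trust-store setup; `dns_name_matches` and `cert_matches_hostname` are this example's own small reimplementation of the dNSName matching that `ssl.match_hostname` used to provide (it was removed from the standard library in Python 3.12), operating on the dict layout `getpeercert()` returns; `SAMPLE_CERT` and `CN_ONLY_CERT` are constructed inputs. It deliberately has no commonName fallback, as modern browsers do, and accepts a wildcard only as the whole leftmost label.

```python
import socket
import ssl

# Constructed sample in the dict layout that ssl.SSLSocket.getpeercert()
# returns for a verified peer; a real certificate carries more fields.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
}
# Constructed: a certificate with a commonName but no subjectAltName at all.
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.com"),),)}


def make_client_context(cafile=None):
    """Client context that refuses to talk unless the peer proves who it is.

    With cafile=None the OS trust store is loaded (the stdlib equivalent of
    SSL_CTX_set_default_verify_paths); pass certifi.where() to use
    Mozilla's bundle instead."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED  # VERIFY_PEER: the chain must be trusted
    ctx.check_hostname = True            # and the name in the cert must match
    return ctx


def verification_enabled(ctx):
    """Both halves of "VERIFY!": trust chain and hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def dns_name_matches(pattern, hostname):
    """Match one dNSName SAN entry against a hostname.

    Case-insensitive, label by label. A wildcard is accepted only as the
    whole leftmost label of a name with at least three labels, and it
    matches exactly one label (example choice, mirroring RFC 6125 advice)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "" in p or "" in h or len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    if any("*" in label for label in p):
        return False  # partial wildcards such as w*w.example.com are rejected
    return p == h


def cert_matches_hostname(cert, hostname):
    """True if any dNSName SAN of cert matches hostname.

    No commonName fallback: a certificate without a SAN matches nothing."""
    sans = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in sans if kind == "DNS"]
    return any(dns_name_matches(name, hostname) for name in dns_names)


def open_verified_connection(host, port=443, cafile=None):
    """Connect with the hardened context; the handshake itself enforces
    the trust chain and hostname, so a bad peer raises ssl.SSLError."""
    ctx = make_client_context(cafile)
    raw = socket.create_connection((host, port))
    return ctx.wrap_socket(raw, server_hostname=host)
```

`open_verified_connection` is the pattern the talk's "YOU HAD ONE JOB" slides ask for: the context decides, not the caller. The pure-Python matcher exists only to make the hostname rules visible; in production the `check_hostname = True` context above performs that check during `wrap_socket`.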
  152. LIBRARIES & FRAMEWORKS
  153–156. SERVERS (table: lib / PFS / good defaults / configurable)
           • eventlet: hybrid, ❌, ❌, ❌
           • gevent: stdlib, ❌, ❌, ❌
           • gunicorn: depends, ❌, ❌, ❌
           • Tornado: stdlib, ❌, ❌, ❌
           • Twisted 14.0: pyOpenSSL, ✔️, ✔️, ✔️
           • uWSGI: own C code, ✔️, ❌, ✔️
  157–161. CLIENTS (table: lib / verifies certificates / verifies hostnames / good defaults)
           • eventlet: hybrid, ❌, ❌, ❌
           • gevent: stdlib, ❌, ❌, ❌
           • Tornado: stdlib, ✔️, ✔️, ❌
           • Twisted 14.0: pyOpenSSL, depends, depends, ✔️
           • urllib2: stdlib, ❌, ❌, ❌
           • urllib3/requests: hybrid, ✔️, ✔️, ✔️
  162–167. SUMMARY • keep TLS out of Python if you can • use pyOpenSSL-powered requests for HTTPS • write servers in Twisted • use pyOpenSSL • use Python 2 stdlib only for clients
  168. WHY SORRY?
  169–170. IMPLEMENTATIONS
  171–174. USERS • run outdated software • click certificate warnings away • are at the mercy of 3rd parties
  175–176. SERVERS
  177. CLIENTS
  178. PYTHON: Is at the forefront of terrible.
  179–182. HOPE • people care again • stdlib • PyCA
  183–187. CALLS TO ACTION
  188. ox.cx/t @hynek vrmd.de
