BLU Discuss list archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Discuss] Why the dislike of X.509?
- Subject: [Discuss] Why the dislike of X.509?
- From: bill.n1vux at gmail.com (Bill Ricker)
- Date: Mon, 25 Aug 2014 17:29:56 -0400
- In-reply-to: <0845c2f06bdfb047ff0ff737c5030884.squirrel@mail.mohawksoft.com>
- References: <53F9F6B9.4060505@stephenadler.com> <20140824161132.GE14848@randomstring.org> <be314521ab6bebb6add54d706b042f01.squirrel@mail.mohawksoft.com> <53FA1C3B.70908@gmail.com> <53FB19E5.4080602@aeminium.org> <53FB4A5D.2030305@gmail.com> <CA+h9Qs5GnC6d1ejBQC=crtHwxoDiFWo4Kn+xjt0eiA8Kr733_A@mail.gmail.com> <53FB70E6.50706@gmail.com> <CAAbKA3VMpFi37aJ2510XXUYLQu4qEMPYfhDWU6aBd9oXGnTcNw@mail.gmail.com> <023d694b896d29f060da27a977f040d4.squirrel@mail.mohawksoft.com> <CAAbKA3UoGjuzruNgOHXQBNxXP5xkKk-drZEYfc+83HSpg6mxMg@mail.gmail.com> <0845c2f06bdfb047ff0ff737c5030884.squirrel@mail.mohawksoft.com>
On Mon, Aug 25, 2014 at 4:04 PM, <markw at mohawksoft.com> wrote: >> That a VPN doesn't require or apparently use the installed 'default >> "trusted" CAs' doesn't necessarily mean it successfully ignores them. > The openssl library knows nothing about trusted CAs in browsers. You can > look at the source code. Good. Let's take that as stipulated, openssl doesn't know about browser root key store. ( this leaves unasked, Does it know about OS key store on OSs that have such? I'll assume we stipulate that it doesn't. That requires each browser on that OS to hook the store, which someone might have optimized.) Did OpenVPN use openssl on all platforms ? Or does it #IFDEF a native binding anywhere? Did they cut-and-paste code from a browser proof-of-concept that will hoover up roots if loaded? Need to read the VPN code too to know there isn't a flaw. Or test it. > You can trace the execution with a debugger. That tells me what it does here and now, doesn't tell me what it does with hostile bad data until i make some hostile data. >> If it uses the same SSL library as a browser -- on any platform -- >> that assertion has to be demonstrated to be true. > I'm not sure I agree with your logic. There is no connection between > openssl and the browsers trusted CAs, they are implemented in the browser > code. openssl provides the means by which this is implemented but contains > no implementation. I'm not talking about openssl in isolation. I'm not yet even assuming OpenVPN (always) uses that lib. I'm not restricting myself to OpenVPN brand VPN since this thread restarted with X509 topic line. And any other brand VPNs do whatever they want. For extreme degree of trust, you need to know. All the way down. For a degree of trust on par with DNS, IPv4, BGP: what the heck, just use it. >> I hope you're right. Hope is not good enough to a security auditor. Show >> me. > Don't trust me, look at the code. Yes: 'show me' means reading the code. And the test cases. We've seen enough failures in Crypto implementation that i don't even 'Trust but Verify' with crypto. [ /Doveryai no Proveryai/ as Gorbachev taught us to say. It is funnier in the original Russian ! ] With crypto code, has to be Verify before any Trust. I will take as stipulated you've read the openssl code and that i'd see the same if i took the time. If you're certain from having read OpenVPN repo, we can also stipulate that OpenVPN never #IFDEF's a native lib and didn't cut*an*paste initialization code from a sample baby browser that reads OS roots if there are any. >> I share Rich's concern about Key Escrow anytime, anywhere, and >> understand why VPN and/or PKI smells similar to him. > I don't like the default browser keys either, but this isn't that issue. You *should* be correct that default keys won't affect OpenVPN; as i said above, *If* you've read their code too, i'll happily stipulate for it you're correct. I hope it doesn't affect ${other}VPN either, but with closed source who knows ! IIRC there are VPNs and VDTs that use browsers to frame the session; they may well use browser SSL implementation. Good luck with that ! Rich's concern seems to be different, that any central store is less trustworthy than distributed/compartmentalized, in part due to damage limitation or lack thereof. That isn't specific to OpenVPN either. That's a usability vs security, choice-of-threat-weighting. In practicality, we'll do it anyway, but in pure security PoV, i see Rich's point. -- Bill Ricker bill.n1vux at gmail.com https://www.linkedin.com/in/n1vux
- Follow-Ups:
- [Discuss] Why the dislike of X.509?
- From: markw at mohawksoft.com (markw at mohawksoft.com)
- [Discuss] Why the dislike of X.509?
- References:
- [Discuss] vnc
- From: adler at stephenadler.com (Stephen Adler)
- [Discuss] vnc
- From: dsr at randomstring.org (Dan Ritter)
- [Discuss] vnc
- From: markw at mohawksoft.com (markw at mohawksoft.com)
- [Discuss] vnc
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] vnc
- From: nuno at aeminium.org (Nuno Sucena Almeida)
- [Discuss] Why the dislike of X.509?
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] Why the dislike of X.509?
- From: jabr at blu.org (John Abreau)
- [Discuss] Why the dislike of X.509?
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] Why the dislike of X.509?
- From: bill.n1vux at gmail.com (Bill Ricker)
- [Discuss] Why the dislike of X.509?
- From: markw at mohawksoft.com (markw at mohawksoft.com)
- [Discuss] Why the dislike of X.509?
- From: bill.n1vux at gmail.com (Bill Ricker)
- [Discuss] Why the dislike of X.509?
- From: markw at mohawksoft.com (markw at mohawksoft.com)
- [Discuss] vnc
- Prev by Date: [Discuss] Why the dislike of X.509?
- Next by Date: [Discuss] Why the dislike of X.509?
- Previous by thread: [Discuss] Why the dislike of X.509?
- Next by thread: [Discuss] Why the dislike of X.509?
- Index(es):