Ivan Ristić

Recently, at work, we spent a decent chunk of time trying to come up with a good name for a project. It's tough. As part of the process I came up with a list of things to take into account. I am posting it here as a way of remembering it, and hopefully it will be useful to others.

A good name should be:

• Interesting
• Meaningful
• One word, short and memorable
• Not a trademark (registered or not)
• Not already in use for something else very popular
• Search produces few results
• The .com domain name available
• Easy to pronounce and spell; difficult to misspell
• Sounds good
• Unique (because you want to build a brand around the name)
• Not generic (cannot be trademarked; difficult to find on a search engine)
• People would wear it on a t-shirt
• Can be paired with a good symbol or mascot
• Does not have negative connotations (in any major languages, including slang)

If you are looking for inspiration, try Impossibility, which is a combined name generator and domain name check in one. Very useful.

This is such a good summary of the current state of SSL in web servers from Adam Langley, that I couldn't resist preserving it here in full. Enjoy.

Network Working Group                                         A. Langley
Internet-Draft                                                Google Inc
Expires: July 5, 2011                                           Jan 2011


            Unfortunate current practices for HTTP over TLS
                      draft-agl-tls-oppractices-00

Abstract

   This document describes some of the unfortunate current practices
   which are needed in order to transport HTTP over TLS on the public
   Internet.

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on July 5, 2011.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the BSD License.


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Handshake message fragmentation  . . . . . . . . . . . . . . .  4
   3.  Protocol Fallback  . . . . . . . . . . . . . . . . . . . . . .  5
   4.  More implementation mistakes . . . . . . . . . . . . . . . . .  6
   5.  Certificate Chains . . . . . . . . . . . . . . . . . . . . . .  7
   6.  Insufficient Security  . . . . . . . . . . . . . . . . . . . .  8
   7.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .  9
   8.  Normative References . . . . . . . . . . . . . . . . . . . . . 10
   Appendix A.  Changes . . . . . . . . . . . . . . . . . . . . . . . 11
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 12


1.  Introduction

   HTTP [RFC2616] is one of the most common application level protocols
   transported over TLS [RFC5246].  (This combination is commonly known
   as HTTPS based on the URL scheme used to indicate it.)  HTTPS clients
   have to function with a huge range of TLS implementations, some of
   higher quality than others.  This text aims to document some of the
   behaviours of existing HTTPS clients that are designed to ensure
   maximum interoperability.

   This text should not be taken as a recommendation that future HTTPS
   clients adopt these behaviours.  The security implications of each
   need to be carefully considered by each implementation.  However,
   these behaviours are common and the authors consider it better to
   document the state of practice than to simply wish it were otherwise.


2.  Handshake message fragmentation

   Many servers will fail to process a handshake message that spans more
   than one record.  These servers will close the connection when they
   encounter such a handshake message.  HTTPS clients will commonly
   ensure against that by either packing all handshake messages in a
   flow into a single record, or by creating a single record for each
   handshake message.


3.  Protocol Fallback

   Despite it being nearly twelve years since the publication of TLS 1.0
   [RFC2246], around 3% of HTTPS servers will reject a valid TLS
   "ClientHello".  These rejections can take the form of immediately
   closing the connection or a fatal alert.  Intolerance to the
   following has been observed:

      Advertising version TLS 1.0.

      Advertising a TLS version greater than TLS 1.0 (around 2% for 1.1
      or 1.2, around 3% for greater than 1.2).

      Advertising a version greater than 0x03ff (around 65% of servers)

      The presence of any extensions (around 7% of servers)

      The presence of specific extensions ("server_name" and
      "status_request" intolerance has been observed, although in very
      low numbers).

      The presence of any advertised compression algorithms

   Next, some servers will misbehave after processing the "ClientHello"
   message.  Negotiating the use of "DEFLATE" compression can result in
   fatal "bad_record_mac", "decompression_failure" or
   "decryption_failed" alerts.  Notably, OpenSSL prior to version 0.9.8c
   will intermittently fail to process compressed finished messages due
   to a work around of a previous padding bug.

   Lastly, some servers will negotiate the use of SSLv3 but select a
   TLS-only cipher suite.

   In all these cases, HTTPS clients will often enter a fallback mode.
   The connection is retried using only SSLv3 and without advertising
   any compression algorithms.  (This is obviously an easy downgrade
   attack.)  Also, the fallback can be triggered by transient network
   problems, which often manifest as an abruptly closed connection.
   Since SSLv3 does not provide any means of Server Name Indication
   [RFC3546], the fallback connection can use the wrong certificate
   chain, resulting in a very surprising certificate error.


4.  More implementation mistakes

   Non-fatal errors in version negotiation also occur.  Some 0.2% of
   servers use the version from the record header.  Around 0.6% of
   servers require that the version in the "ClientHello" and record
   header match in order to respect the version in the "ClientHello".  A
   very low number of servers echo whatever version the client
   advertises.

   In the event that the client supports a higher protocol version than
   the server, about 0.4% of servers require that the RSA
   "ClientKeyExchange" message include the server's protocol version.

   Some 30% of servers don't check the version in an RSA
   "ClientKeyExchange" at all.


5.  Certificate Chains

   Certificate chains presented by servers will commonly be missing
   intermediate certificates, have certificates in the wrong order and
   will include unrelated, superfluous certificates.  Servers have been
   observed presenting more than ten certificates in what we assume is a
   drive-by shooting approach to including the correct intermediate
   certificate.

   In order to validate chains which are missing certificates, some
   HTTPS clients will collect intermediate certificates from other
   servers.  Clients will commonly put all the presented certificates
   into a set and try to validate a chain assuming only that the first
   certificate is the leaf.


6.  Insufficient Security

   Some 65% of servers support SSLv2 (beyond just supporting the
   handshake in order to upgrade to SSLv3 or TLS).  HTTPS clients will
   typically not support SSLv2, nor send SSLv2 handshakes by default.
   Of those servers, 80% support the export ciphersuites.  (Although
   about 3% of those servers negotiate weak ciphersuites only to show a
   warning.)

   Some servers will choose very small multiplicative group sizes for
   their ephemeral Diffie-Hellman exchange (for example, 256-bits).
   Some HTTPS clients will reject all multiplicative group sizes smaller
   than 512-bits while others will retry after demoting DHE ciphersuites
   in their "ClientHello".


7.  Acknowledgements

   Yngve Pettersen made significant contributions and many of the
   numbers in this document come from his scanning work.  Other numbers
   were taken from Ivan Ristic's SSL Survey.

   Thanks to Wan Teh Chang for reviewing early drafts.


8.  Normative References

   [RFC2246]  Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
              RFC 2246, January 1999.

   [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
              Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
              Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.

   [RFC3546]  Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J.,
              and T. Wright, "Transport Layer Security (TLS)
              Extensions", RFC 3546, June 2003.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

Ephemeral Diffie-Hellman key exchange (EDH or DHE, depending on where you look) allows two parties with no prior knowledge of each other to establish a shared secret. In SSL, DHE is used together with some method of authentication (most commonly RSA) in the handshake phase. Ephemeral DH is valued because it provides perfect forward secrecy -- the session keys cannot be recovered if the authentication method is broken (e.g., someone retrieves the server's private key).

DH parameters are typically generated at runtime. Because of that they are not very visible and are often forgotten during the testing. As of 1.0.69, the SSL Labs online test will examine the DH parameters and warn if they are too weak. The scoring system has been modified to take into account the strength of the DH parameters when they are used for key exchange.

Thanks to Adrian Dimcev and Brian Smith for their help with the research of DH parameter evaluation.

Figuring out how to fix security issues is one of my favourite topics. I was flattered to be invited to present this keynote talk at the DeepSec security conference in Vienna:

Stop complaining and solve a security problem instead!
We have failed. Decades of ignorance have brought us to this point, right now, where software is universally insecure. It's tempting to hope that someone else will make things better, but letting things slide is exactly what got us here. Pointing to problems is not enough, either. We must pick ourselves up, dust ourselves off, and start fixing things. We must each take a problem -- no matter how small -- and fix, or help fix, the root cause.

Here are the slides:

• Stop complaining and solve a security problem instead (PDF, 434 KB)

Thijs Kinkhorst from the Debian Security Team wrote to me in response to my recent blog post Disabling SSL renegotiation is a crutch, not a fix. I am publishing his entire comment (with permission):

It's true that Debian stable still doesn't have an openssl which supports the
new protocol enhancement, but it's definately not a refusal to fix it. First
let me note that the fix is already in the upcoming release of Debian,
codename Squeeze. The current stable release, Lenny, does not have the fix
yet, but it is being worked on; an updated openssl is ready but the blocker
currently is that we may need to implement changes in some of the packages
using it. As usual Debian is very cautious with respect to updating its stable
release. It takes a while, and it would have been nice if the fix was out
sooner, but the combination of impacted software takes quite some time and
time is one of the most sought after resources in a volunteer project.

So just so you know that the issue has not been forgotten or ignored; it only
takes "a while" to get everything in order.

Update: The fix was released on January 6, 2011.

In my job at Qualys, I am busy building the next-generation web application firewall. It's too early to talk about it right now, but we will start to reveal more information in the coming months. I can tell you that it is going to be very good, very exciting, and that a lot of it is going to be open source.

Brian Rectanus joined me in August, and I am expecting to sign the third team member in the next week or so. We have 3 additional positions open (clicking on the names will lead you to the Qualys careers web site):

• Senior Java Developer
• Senior System Test Engineer
• Application Security Research Engineer

All these positions are full time and based in Madison, Wisconsin, USA. Once we fill them, we will have a tight team of 6 whose focus will be the web application firewall itself (i.e., no user interfaces -- that aspect will be handled by a separate team). Naturally I am biased, but I cannot recommend these positions enough: they are a rare opportunity to work on something new, innovative, and fulfilling. We need people who are driven, committed to their work, and enjoy working in a team.

In addition, Qualys is a great place to work: there's no politics or middle management, just focus on getting things done, producing high quality work, and keeping our users happy.

If you're interested please apply through the web site, but please do also send me an email.

Everyone I know likes the SSL assessment tool on the SSL Labs web site, but many dislike the fact that their domain name may end up on one of the boards that display recent test history. I am assuming most wouldn't mind being on the "Recent Best-Rated" one, but you never know before the test how it's going to turn out.

That's why we now support the private assessment option. If you tick the checkbox underneath the domain name field, the test results will not be publicly revealed. Not only that, but the results will remain hidden for as long as the results remain cached.

If you intend to send links to hidden assessment results, make sure the URL contains the "hiddenResults=on" bit, which is needed to ensure that a new public test is run after the earlier results expire from the cache.