Return-Path: Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: (qmail 99597 invoked from network); 11 Oct 2008 13:07:28 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 11 Oct 2008 13:07:28 -0000 Received: (qmail 75465 invoked by uid 500); 11 Oct 2008 13:07:20 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 75411 invoked by uid 500); 11 Oct 2008 13:07:20 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 75402 invoked by uid 99); 11 Oct 2008 13:07:20 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 11 Oct 2008 06:07:20 -0700 X-ASF-Spam-Status: No, hits=1.2 required=10.0 tests=SPF_NEUTRAL X-Spam-Check-By: apache.org Received-SPF: neutral (athena.apache.org: local policy) Received: from [88.198.58.135] (HELO goten.sonance.net) (88.198.58.135) by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 11 Oct 2008 13:06:16 +0000 Received: from localhost (localhost.localdomain [127.0.0.1]) by goten.sonance.net (Postfix) with ESMTP id 9291E57B2D; Sat, 11 Oct 2008 15:06:19 +0200 (CEST) Received: from goten.sonance.net ([127.0.0.1]) by localhost (goten.sonance.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WCMfBGf501eC; Sat, 11 Oct 2008 15:06:19 +0200 (CEST) Received: from slim.local (localhost.localdomain [127.0.0.1]) by goten.sonance.net (Postfix) with ESMTP id 0D50C57B26; Sat, 11 Oct 2008 15:06:19 +0200 (CEST) Message-ID: <48F0A4CA.2070403@iang.org> Date: Sat, 11 Oct 2008 15:06:18 +0200 From: Ian G User-Agent: Thunderbird 2.0.0.17 (Macintosh/20080914) MIME-Version: 1.0 To: dev@httpd.apache.org Subject: Re: dev Digest 11 Oct 2008 02:09:18 -0000 Issue 2699 References: <1223690958.22701.ezmlm@httpd.apache.org> In-Reply-To: <1223690958.22701.ezmlm@httpd.apache.org> X-Enigmail-Version: 0.95.7 Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms050408070709020005080106" X-Virus-Checked: Checked by ClamAV on apache.org This is a cryptographically signed message in MIME format. --------------ms050408070709020005080106 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit dev-digest-help@httpd.apache.org wrote: > ------------------------------------------------------------------------ > From: > "Eric Covener" > On Thu, Oct 9, 2008 at 5:59 AM, Ian G wrote: >> >>> As we all know, this will not be in 2.2.10... Please recall that >>> things must be in -trunk before being viable for backport to 2.2.x. >> It's impossible to even express how disappointing this is ;( >> >> There are only two changes in TLS on the server side that have been >> identified to have any effect on phishing [1]. TLS/SNI is the easy one. > > What's the effect beyond making mass-vhosting easier? Good question, and I'm afraid the answer is long and complex. The intent is to break the vicious cycle that holds TLS authentication down. You've probably seen it a dozen times, at least, I have: Every time one of the Linux admins tries to set up an SSL webserver (because some management flunkie like me thumps the desk), they discover they can set up only one server for one website on their one machine. When they get through that barrier, they cannot do the same for every other website they maintain. So TLS knowledge is special, because it is non-shareable across their many web sites; eventually, it becomes a specialisation, only done if desperate or if paid. Out in the LAMPs world, nobody wants SSL because of this lack of an easy "fix" to the installation addiction. This lack of desire flows through across the entire package world; where they do security by cookies, mail, passwords, voodoo .. anything that can be done that is totally controlled by the app; they avoid anything that requires other things, like TLS/SNI. E.g., many packages mangle URLs if HTTPS is used ... because nobody does that. Nobody's going to fix it because they believe that security is in own-code, not code elsewhere. Vicious circle. The result is that the whole field is limited, specialised, shy and expensive. So when something like Phishing -- which is an authentication failure -- came along in 2003 there weren't the smarts nor the people around to fix it. Even now, someone well funded like Mozilla only has around 2-4 people working on it, and Microsoft doesn't prioritise it at all (but also don't reveal what they are not doing). Why so few? Nobody understands it. In application space, vanishingly few people understand TLS, let alone authentication at the TLS level. Why do so few understand what the TLS authentication is about? Because nobody uses TLS in routine business, it's all Flash, Javascript, mySQL, etc etc. Why not? These reasons: * one TLS-website per machine is not worth the trouble * getting a cert is a nightmare, techs don't do paperwork * configuration issues... Releasing these blockages will break the vicious circle; until there is mass usage of TLS, the mass Linux market will not believe it is useful, nor will they think it secures them. When there is mass usage, the use of authentication will be routine, and we will have a systemic response to phishing. >> A httpd fix will almost work by itself; the browsers already did >> their part [2]. Only the config changes implemented by all here are >> needed on the web server to turn the LAMPs on in a million small but >> secured sites. > > There's still the issue of certificates and CPU time. Yes (second point above), acknowledged; getting a CA-signed cert is too much grief for a Linux techie to go through. It simply doesn't make sense to do that, unless desperate, paid or some other syndrome. However there are three responses emerging to that: 1. A few CAs now do free certs (I have been involved with one of them for 2.5 years, perhaps only so that we can get the lights turned on for secure browsing). 2. Client side changes. Mozilla are now working to add what they call KCM or Key Continuity Management to Firefox so that sites using self-signed certs can also work effectively. This is directly for the above Linux crowd with their million machines and dozens of small websites. Microsoft is working in different ways which achieve the same thing -- they are not saying it directly, but if you read up on the CardKey product, it is designed to accomodate the concepts of KCM. Of course, they are trying to be higher up on the food chain, but the architectural direction is the same, because they also have discovered that they can only secure users when the users bootstrap up into TLS. 3. The world of browser certificates is splitting into "hard certs" and "easy certs". This might be "EV" and "the others" although it's still an argument-in-progress. All three of these forces come from a desire *to make certs easier to get* because those who are working on the security side of client software have realised that TLS is used too infrequently, and this makes phishing easy. All of these things are oriented to breaking the vicious cycle of TLS authentication unavailability. CPU time can be ignored for this discussion: * Moore's law halves the cost every 18 months. * It might remain an issue for big sites, but that is a vanishingly small number of servers *and* people out there, when we think about the mass market of httpd. * The big iron sites are well-balanced economic businesses and they can and will easily pay for any CPU they need. The LAMPs people can't get it at the price they can afford -- their time across all their tasks and their one machine. These are who I am concerned about. They don't care about CPU because most of them are humming along at nothing CPU, they are happy to increase the CPU demands, because like disk space, that's one thing that is cheaper than thinking about. >> What are the blockages? Mozo have offered money but don't know what >> to do or who to talk to? > > Review has been public. Nobody's opposed to SNI in the webserver, but > AIUI the patch that implements it seems to have a troubled history > with respect to integrating with all the per-directory quriks of SSL > renegotiation in mod_ssl. > > IMO the merits of SNI isn't the operative argument. Agreed all [1]. What can be done to make the patch less troubled? Money is still an option even if it isn't the right one [2]. iang [1] to be frank, I told Mozilla when they offered a few weeks back that money wasn't the answer; the code has been done, it is in review, and now we wait. There is "nobody" to give money too, as money can sometimes help code, but not review, especially. [2] NLnet will also treat a request favourably, I am told, so that is two foundations that are keen. If you think review and backporting or whatever is helped by flying people together or shifting people of jobs for money, say so. --------------ms050408070709020005080106 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIKTDCC BSIwggMKoAMCAQICAwM0eDANBgkqhkiG9w0BAQUFADB5MRAwDgYDVQQKEwdSb290IENBMR4w HAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNBIENlcnQgU2lnbmlu ZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRAY2FjZXJ0Lm9yZzAeFw0wNzAy MDcxMTE2NTdaFw0wOTAyMDYxMTE2NTdaMDIxEjAQBgNVBAMTCUlhbiBHcmlnZzEcMBoGCSqG SIb3DQEJARYNaWFuZ0BpYW5nLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB AK0O5m4v9AP+aW5pvp2MKrRwjHoPcvKaPVwTMBjEqLX5ZqJ3Qfo53UgPLVumSNorsf7wSkGI 1y5Slk+qnYAwNXuDq00OXGsjp1W064xCt1LneH8mHwkAjqMyR07omnYHkLqEmNSI0iLxPMvJ viJQvgYAyZdKENm0LbpYKd8PZSgVOenJwtSyGXOWg7fxbMNyfnEKrh8CIDwpaqy5pu5GyIFW PfO+MFGI1VoPiPr/cp/a+7lx72SVMCPu8FGDVuEpoEKiazKpbgnde5V6YHFu8kdZQ3BbDBqP AO8Df97m1La+QdnsT4WkDPg7SkIgaSWkMv9Pce6ZEwz1GK/dI8txH2kCAwEAAaOB+TCB9jAM BgNVHRMBAf8EAjAAMFYGCWCGSAGG+EIBDQRJFkdUbyBnZXQgeW91ciBvd24gY2VydGlmaWNh dGUgZm9yIEZSRUUgaGVhZCBvdmVyIHRvIGh0dHA6Ly93d3cuQ0FjZXJ0Lm9yZzBABgNVHSUE OTA3BggrBgEFBQcDBAYIKwYBBQUHAwIGCisGAQQBgjcKAwQGCisGAQQBgjcKAwMGCWCGSAGG +EIEATAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9vY3NwLmNhY2VydC5v cmcwGAYDVR0RBBEwD4ENaWFuZ0BpYW5nLm9yZzANBgkqhkiG9w0BAQUFAAOCAgEAzEssr0pe bdoHxO9fXP9FRzDBbsEqCsfVhkg2Ua1WjnbFyx/tsa2mn8D6MD4J5ifxEhrRsa4DbEOMpgUY 96u4Hwer57EhjwGe9Z6eeQEwrT2Mkxsxn+sdMn7s9kGyiYsyr1iXEX46Mq+fFCuOzUHU/6A7 IlrKxU9SG+u8dgUeXdcqCzLPddQgQ6jybB6gJHIkLTzqOTBKFZOywz5W3U3ML5/46uQ6OlN6 WaQxSSwHQKkNSiKs0S4+c86kBbYDv0fPMyj/yFOIs1AOlJHM7y+wvjNGkWYLcEnnebqgbvfg hohuqmRP+LJ9TN7yO/G/6PBGJs0hiVs5OLvHpGB0df1+iLFIHYimV8rNIpHBj4SDA6DIEMXt wLMDIcAuPamNRM4yarIl+JsSUCak2bX2h8qRldJti+RtCBJ8RGFFGrL3z+sC/9tzD58pJ0tP uvRuY062uUy4qFHseFkA5YXbI9OG+ClK4JQS2alSoBZaiR9elT5JQwvDNW8vxwIYAWl9FMVO nGZd0XPD3UQEP0jHBhn82IcN3sXPzEtVVQCkJQYFEh0sydbQR8iuTH5zE0yL6rjHo+eAZzGT dtfiV1hm+DFD08DBvSrkf4wW67uaUcr5qeAWeqda/LCEA2/zOcEwOtE51EcdtGyekseONh45 lp/j+a4IrY4H2TNvVJSN1F0IzacwggUiMIIDCqADAgECAgMDNHgwDQYJKoZIhvcNAQEFBQAw eTEQMA4GA1UEChMHUm9vdCBDQTEeMBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIw IAYDVQQDExlDQSBDZXJ0IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBw b3J0QGNhY2VydC5vcmcwHhcNMDcwMjA3MTExNjU3WhcNMDkwMjA2MTExNjU3WjAyMRIwEAYD VQQDEwlJYW4gR3JpZ2cxHDAaBgkqhkiG9w0BCQEWDWlhbmdAaWFuZy5vcmcwggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtDuZuL/QD/mluab6djCq0cIx6D3Lymj1cEzAYxKi1 +Waid0H6Od1IDy1bpkjaK7H+8EpBiNcuUpZPqp2AMDV7g6tNDlxrI6dVtOuMQrdS53h/Jh8J AI6jMkdO6Jp2B5C6hJjUiNIi8TzLyb4iUL4GAMmXShDZtC26WCnfD2UoFTnpycLUshlzloO3 8WzDcn5xCq4fAiA8KWqsuabuRsiBVj3zvjBRiNVaD4j6/3Kf2vu5ce9klTAj7vBRg1bhKaBC omsyqW4J3XuVemBxbvJHWUNwWwwajwDvA3/e5tS2vkHZ7E+FpAz4O0pCIGklpDL/T3HumRMM 9Riv3SPLcR9pAgMBAAGjgfkwgfYwDAYDVR0TAQH/BAIwADBWBglghkgBhvhCAQ0ESRZHVG8g Z2V0IHlvdXIgb3duIGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQgb3ZlciB0byBodHRwOi8v d3d3LkNBY2VydC5vcmcwQAYDVR0lBDkwNwYIKwYBBQUHAwQGCCsGAQUFBwMCBgorBgEEAYI3 CgMEBgorBgEEAYI3CgMDBglghkgBhvhCBAEwMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAB hhZodHRwOi8vb2NzcC5jYWNlcnQub3JnMBgGA1UdEQQRMA+BDWlhbmdAaWFuZy5vcmcwDQYJ KoZIhvcNAQEFBQADggIBAMxLLK9KXm3aB8TvX1z/RUcwwW7BKgrH1YZINlGtVo52xcsf7bGt pp/A+jA+CeYn8RIa0bGuA2xDjKYFGPeruB8Hq+exIY8BnvWennkBMK09jJMbMZ/rHTJ+7PZB somLMq9YlxF+OjKvnxQrjs1B1P+gOyJaysVPUhvrvHYFHl3XKgsyz3XUIEOo8mweoCRyJC08 6jkwShWTssM+Vt1NzC+f+OrkOjpTelmkMUksB0CpDUoirNEuPnPOpAW2A79HzzMo/8hTiLNQ DpSRzO8vsL4zRpFmC3BJ53m6oG734IaIbqpkT/iyfUze8jvxv+jwRibNIYlbOTi7x6RgdHX9 foixSB2IplfKzSKRwY+EgwOgyBDF7cCzAyHALj2pjUTOMmqyJfibElAmpNm19ofKkZXSbYvk bQgSfERhRRqy98/rAv/bcw+fKSdLT7r0bmNOtrlMuKhR7HhZAOWF2yPThvgpSuCUEtmpUqAW WokfXpU+SUMLwzVvL8cCGAFpfRTFTpxmXdFzw91EBD9IxwYZ/NiHDd7Fz8xLVVUApCUGBRId LMnW0EfIrkx+cxNMi+q4x6PngGcxk3bX4ldYZvgxQ9PAwb0q5H+MFuu7mlHK+angFnqnWvyw hANv8znBMDrROdRHHbRsnpLHjjYeOZaf4/muCK2OB9kzb1SUjdRdCM2nMYIDhzCCA4MCAQEw gYAweTEQMA4GA1UEChMHUm9vdCBDQTEeMBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3Jn MSIwIAYDVQQDExlDQSBDZXJ0IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJz dXBwb3J0QGNhY2VydC5vcmcCAwM0eDAJBgUrDgMCGgUAoIIB2zAYBgkqhkiG9w0BCQMxCwYJ KoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wODEwMTExMzA2MThaMCMGCSqGSIb3DQEJBDEW BBQh0D8xB6zCvrCyFqaq8alDI/cV/TBSBgkqhkiG9w0BCQ8xRTBDMAoGCCqGSIb3DQMHMA4G CCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDCB kQYJKwYBBAGCNxAEMYGDMIGAMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6 Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEh MB8GCSqGSIb3DQEJARYSc3VwcG9ydEBjYWNlcnQub3JnAgMDNHgwgZMGCyqGSIb3DQEJEAIL MYGDoIGAMHkxEDAOBgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0 Lm9yZzEiMCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ ARYSc3VwcG9ydEBjYWNlcnQub3JnAgMDNHgwDQYJKoZIhvcNAQEBBQAEggEAh9l7JVnak0mU iGgov50AD+6lIKMn8rmdA+pZPc7j0pKytT/hGteWrHnNtRckKz5+sy4gMDWo+pvCPGaY6HYM DVPHupsebUbPCEIDH33igpk4HhVoH0jov2fESgUkOHJfXuvT3Xce9r8m7koDhsC+SDrqHzCn FmV95dGQj3qoXjbUrQjdfiwNXK0zt4j0hL9F/dnkG3u7IAFJyuuqJurNpMrWZLLaHC+frUNw f2FEGNt8RvoqB8LoPhXtN2FJiKX/jenOui7v61yDw4Nw7YGEwUD9ykZwaCZ+/KwtVIaQl9ks KetukmzVSF8dDOiP5jn8zIo4xfBIxzALO6fKyxCYjQAAAAAAAA== --------------ms050408070709020005080106--