"The Sorry State of SSL" Hynek Schlawack, PyConRu 2014


THE SORRY STATE OF ССЛ

Hynek Schlawack

@hynek https://hynek.me

https://github.com/hynek

Hello!

https://www.variomedia.de

ONLY LINK

ox.cx/t

WTF SSL & TLS

TIMELINE

1995: Secure Sockets Layer 2.0, Netscape

1996: SSL 3.0, still Netscape

1999: Transport Layer Security 1.0, IETF

2006: TLS 1.1

2008: TLS 1.2

2013

• newfound scrutiny

• browsers add TLS 1.2

• just using TLS not enough

TLS

• identity

• confidentiality

• integrity

TLS HYGIENE

SERVERS

BE UP-TO-DATE

• OpenSSL >= 1.0.1c

• Apache >= 2.4.0

• nginx >= 1.0.6 or 1.1.0


CERTIFICATES

• identity

• validity

• CA sig

EXTENDED VALIDATION CERTIFICATES


TRUST CHAIN


CERTIFICATES

• trust chain

• host name/service

• already/still valid?

DISABLE

• SSL 2.0

• SSL 3.0 (if you can)

• TLS compression

CIPHER SUITES

CIPHER

Plaintext → Cipher → Ciphertext

CIPHER: MODE

• CBC

• stream ciphers

• GCM

ENCRYPTION: PREFER THIS

AES128-GCM & ChaCha20

ENCRYPTION: FALL BACK TO

AES128-CBC

ENCRYPTION: IF LIFE IS CRUEL TO YOU

3DES-CBC

ENCRYPTION: EOL

ENCRYPTION: DANGEROUS

• EXP-*

• DES

• RC4

KEY EXCHANGE

         fast   PFS
RSA      ✔️     ❌
DHE      ❌     ✔️
ECDHE    ✔️     ✔️

INTEGRITY: MACS

• Message Authentication Code

• HMAC

• GCM
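The KEY EXCHANGE, ENCRYPTION and INTEGRITY slides above, turned into a small checker you can run over a server's cipher list. This is an added example, not code from the talk; the rating rules and function names are my own reading of the slides, and the sample suite list is constructed. It uses OpenSSL's classic TLS 1.2-and-earlier suite names such as "ECDHE-RSA-AES128-GCM-SHA256".

```python
# Constructed sample list, like `openssl ciphers` output on an old server.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256", "AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA",
    "DES-CBC3-SHA", "RC4-SHA", "EXP-RC4-MD5", "DES-CBC-SHA",
]

def key_exchange(name):
    """KEY EXCHANGE table from the deck: (kind, fast, pfs)."""
    if name.startswith("ECDHE-"):
        return "ECDHE", True, True
    if name.startswith(("DHE-", "EDH-")):   # EDH- is OpenSSL's older DHE spelling
        return "DHE", False, True
    return "RSA", True, False               # RSA key transport: fast, no PFS

def encryption(name):
    """ENCRYPTION slides: preferred / fallback / last resort / dangerous / unrated."""
    if name.startswith("EXP-") or "RC4" in name or "DES-CBC-" in name:
        return "dangerous"                  # export grade, RC4, single DES
    if "DES-CBC3" in name:
        return "last resort"                # 3DES-CBC: only if life is cruel to you
    if "AES128-GCM" in name or "CHACHA20" in name:
        return "preferred"                  # the AEAD modes the deck prefers
    if "AES128-" in name:
        return "fallback"                   # AES128 in CBC mode
    return "unrated"                        # not covered by the deck (AES256, CAMELLIA, ...)

def integrity(name):
    """INTEGRITY: MACS slide: AEAD (GCM/Poly1305) or HMAC; flag HMAC-MD5."""
    if "GCM" in name or "POLY1305" in name:
        return "AEAD"
    return "HMAC-MD5" if name.endswith("-MD5") else "HMAC"

def rate(name):
    kx, fast, pfs = key_exchange(name)
    return {"kx": kx, "fast": fast, "pfs": pfs,
            "encryption": encryption(name), "integrity": integrity(name)}

def acceptable(name):
    """Keep a suite only with PFS, a rated non-dangerous cipher and no MD5 MAC."""
    r = rate(name)
    return r["pfs"] and r["encryption"] in ("preferred", "fallback") and r["integrity"] != "HMAC-MD5"

def filter_acceptable(names):
    return [n for n in names if acceptable(n)]

if __name__ == "__main__":
    for n in SAMPLE_SUITES:
        print(f"{n:32} {rate(n)}  keep={acceptable(n)}")
```

Feed it the real output of `openssl ciphers -v` on a server to see which of its suites the deck would let through.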

HAVE THE LAST WORD

YOU’RE DONE!


(but test your results!)

CERTIFICATE


PROTOCOLS


CIPHER SUITES


CLIENTS

YOU HAD ONE JOB!


VERIFY!

VERIFY THE CERTIFICATE!

• valid?

• trustworthy chain?

• correct hostname/service?

TRUST CHAIN

• VERIFY_PEER

• trust stores OS dependent

• SSL_CTX_set_default_verify_paths

SYSTEM CA

• FreeBSD: ca_root_nss

• debian/Red Hat: ca-certificates

• OS X: TEA or homebrew

• Windows: wincertstore

• or: Mozilla/certifi

HOSTNAME VERIFICATION

OpenSSL to developers: LOL

DON’T VERIFY TRUST CHAIN

I can pretend to be Google with any self-signed certificate.

DON’T VERIFY HOSTNAME

I can pretend to be Google with any valid certificate.

SET SOME OPTIONS

• acceptable ciphers

• disable SSL 2.0

THAT’S ALL!
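The whole CLIENTS checklist (verify the chain, verify the hostname, acceptable ciphers, SSL 2.0/3.0 off) in one stdlib client context. This is an added example, not code from the talk: it assumes Python 3.7+ with OpenSSL 1.1.0 or newer, uses the stdlib's own check_hostname for hostname verification, and the cipher string and function names are my choices.

```python
import socket
import ssl

# Cipher string in the deck's preference order: ECDHE with AEAD first, then
# DHE (slow but PFS), AES128-CBC as fallback; RC4, 3DES, MD5 and anonymous
# suites excluded. This exact string is my choice, not the talk's.
CIPHERS = ("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:ECDHE+AES128:DHE+AES128:"
           "!aNULL:!eNULL:!MD5:!RC4:!3DES")

def make_client_context(cafile=None):
    """A client context that does the one job: verify chain and hostname."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED            # VERIFY_PEER: unverifiable chain -> error
    ctx.check_hostname = True                      # valid cert for the wrong host -> error
    if cafile:                                     # e.g. certifi.where() (Mozilla bundle)
        ctx.load_verify_locations(cafile=cafile)
    else:                                          # OS trust store (SSL_CTX_set_default_verify_paths)
        ctx.load_default_certs()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSL 2.0/3.0 gone (TLS 1.0/1.1 with them)
    ctx.options |= ssl.OP_NO_COMPRESSION           # TLS compression off
    ctx.set_ciphers(CIPHERS)
    return ctx

def audit(ctx):
    """Report whether a context meets the deck's client checklist."""
    names = [c["name"] for c in ctx.get_ciphers()]
    weak = [n for n in names if "RC4" in n or "DES" in n or n.endswith("MD5")]
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "verifies_hostname": bool(ctx.check_hostname),
        "no_ssl2_ssl3": ctx.minimum_version == ssl.TLSVersion.TLSv1_2,
        "no_compression": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "weak_suites": weak,
        # TLS 1.3 suites (TLS_*) are always ephemeral; TLS 1.2 ones must be (EC)DHE
        "all_pfs": all(n.startswith("TLS_") or "DHE" in n for n in names),
    }

def fetch_status_line(host, port=443):
    """Connect with full verification; a bad chain or wrong name raises ssl.SSLCertVerificationError."""
    ctx = make_client_context()
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            return tls.recv(1024).decode("latin-1").split("\r\n")[0]

if __name__ == "__main__":
    print(audit(make_client_context()))
```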

USERS

FUNDAMENTAL MISCONCEPTIONS

• no end-to-end security

• metadata

VPN?

• sees all your traffic

• same for CDN

CERTIFICATE WARNINGS

ROOT CERTIFICATE POISONING

TRUST ISSUES

• hacked

• screw up

• court orders

• big corp

DON’T DO IT YOURSELF IF YOU CAN HELP IT.

Rule of Thumb

STANDARD LIBRARY VS.

PYOPENSSL

STANDARD LIBRARY

• terrible pre-3.3

• very incomplete in 2.7

• PFS impossible

• missing options

• bound to Python’s OpenSSL

HOSTNAME VERIFICATION

• 3.2 and later: from ssl import match_hostname

• 2.4–2.7: pip install backports.ssl_match_hostname

PYOPENSSL

• Python 2.6+, 3.2+, and PyPy

• more complete API coverage

• PyCA cryptography!

CRYPTOGRAPHY.IO

• Python crypto w/o footguns

• PyCA

• PyPy ♥ CFFI

• gives pyOpenSSL momentum

HOSTNAME VERIFICATION

service_identity

LIBRARIES &

FRAMEWORKS

SERVERS

                   lib          PFS   good defaults   configurable
eventlet           hybrid       ❌    ❌              ❌
gevent             stdlib       ❌    ❌              ❌
gunicorn           depends      ❌    ❌              ❌
Tornado            stdlib       ❌    ❌              ❌
Twisted 14.0       pyOpenSSL    ✔️    ✔️              ✔️
uWSGI              own C code   ✔️    ❌              ✔️

CLIENTS

                   lib          verifies certificates   verifies hostnames   good defaults
eventlet           hybrid       ❌                      ❌                   ❌
gevent             stdlib       ❌                      ❌                   ❌
Tornado            stdlib       ✔️                      ✔️                   ❌
Twisted 14.0       pyOpenSSL    depends                 depends              ✔️
urllib2            stdlib       ❌                      ❌                   ❌
urllib3/requests   hybrid       ✔️                      ✔️                   ✔️

SUMMARY

• keep TLS out of Python if you can

• use pyOpenSSL-powered requests for HTTPS

• write servers in Twisted

• use pyOpenSSL

• use Python 2 stdlib only for clients

WHY SORRY?

IMPLEMENTATIONS


USERS

• run outdated software

• click certificate warnings away

• are at the mercy of 3rd parties

SERVERS


CLIENTS

PYTHON

Is at the forefront of terrible.

HOPE

• people care again

• stdlib

• PyCA

CALLS TO ACTION


ox.cx/t

@hynek

vrmd.de
