From: Juliusz Chroboczek <jch@irif.fr>
To: Michael Ströder
CC: galene@lists.galene.org
Date: Wed, 24 Feb 2021 22:16:44 +0100
Subject: [Galene] Re: Heads up: Galène generates self-signed certificates
Message-ID: <87im6hqi83.wl-jch@irif.fr>
In-Reply-To: <9fb4bedf-0195-7515-dc54-2d225504f874@stroeder.com>
References: <87mtvtqn5d.wl-jch@irif.fr> <9fb4bedf-0195-7515-dc54-2d225504f874@stroeder.com>
List-Id: Galène videoconferencing server discussion list

> Yes, sometimes I have very strong opinions too. ;-)

Good, because so do I.
>> I implemented automatic generation of self-signed certificates if
>> a certificate is not found in the data/ directory.

> it's IMHO not very useful.

I strongly disagree. Good security relies on carefully balancing security with usability: if a security protocol is not usable, people will use insecure alternatives instead.

A case in point: secure telnet (telnet over TLS) was not usable in practice (it required setting up a CA), so we kept using plaintext telnet; it's only when ssh came out, which was easy to use (TOFU authentication), that we started encrypting our traffic. The self-proclaimed security specialists were yelling at us that ssh's model is insecure, that there is no key revocation mechanism, and that we must deploy our own CA or be tortured for all of eternity.

Same here. What is really insecure is people trusting third-party services with their private data. By making Galène easier to deploy by non-specialists, we're improving the security of the Internet, even though we might make it easier to deploy Galène in a manner that the "use a centralised CA or I kill you" crowd don't condone.

>> 1. If you're currently using a real certificate (stored in data/cert.pem
>> and data/key.pem), there's nothing to do. The only difference is that
>> Galène will notice when you update the certificate, and load the new
>> certificate automatically.

> Does it also check whether cert and key match, e.g. have same RSA
> modulus?

Yes. If the moduli don't match, you'll get an error in the log ("tls: private key does not match public key") and the connection will fail.

> That's one of the very common configuration errors. And when
> automatically reloading two files there is a race condition.

If you hit the race condition, you'll get the error above. Galène will recover at the next connection attempt.

> If at least one of cert.pem and key.pem is present but it does not
> work, please ensure that it fails early, fails hard. An accidental
> fall-back to a transient self-signed cert has to be strictly avoided.

Currently, we fall back to the self-signed certificate if either of the two files is missing. Could you please describe the kind of attacks that you're worried about?

>> The self-signed certificate uses 2048-bit RSA, which I understand is
>> compatible with all browsers. I could easily generate ed25519 or P-256
>> instead, if you understand the crypto please let me know what to do.

> A transient self-signed cert gives no security at all

I strongly disagree: a self-signed cert prevents passive attacks. Your ISP can perform a passive attack without being noticed, and if you catch them they can claim they made a mistake. If you catch your ISP doing an MITM, you can save the spoofed certificate and drag them to court.

> So it's a waste of time to seriously think about the crypto stuff.

A TLS handshake with RSA is some 4kB, EC could bring this down to a few hundred bytes. Probably not an issue for Galène, but something to think about if you're deploying a service over low-throughput links.

-- Juliusz
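The cert/key consistency check and the two-file reload discussed in this message, as an added Go example (Galène is written in Go) that is not Galène's code and was not posted in this thread. It generates a transient self-signed certificate with ed25519 or P-256 (the alternatives to 2048-bit RSA mentioned above), shows that crypto/tls refuses a certificate paired with the wrong key with exactly the "tls: private key does not match public key" error quoted in the message, and implements a reload that only swaps in a pair once it has been validated, so a half-updated cert.pem/key.pem leaves the previous working pair in service instead of failing the connection. That keep-last-good policy is a design choice of this example, not what the message says Galène does. The names newKey, GenerateSelfSigned, CheckPair, CertStore and the host name galene.example are assumptions made here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// newKey generates a key pair; alg is "ed25519" or "p256", the two
// alternatives to 2048-bit RSA mentioned in the thread. (Assumed helper.)
func newKey(alg string) (pub, priv any, err error) {
	switch alg {
	case "ed25519":
		return ed25519.GenerateKey(rand.Reader)
	case "p256":
		k, e := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if e != nil {
			return nil, nil, e
		}
		return &k.PublicKey, k, nil
	}
	return nil, nil, fmt.Errorf("unsupported algorithm %q", alg)
}

// GenerateSelfSigned builds a transient self-signed certificate for host and
// returns it with its PKCS#8 key, both PEM-encoded as cert.pem/key.pem would be.
func GenerateSelfSigned(host, alg string) (certPEM, keyPEM []byte, err error) {
	pub, priv, err := newKey(alg)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), nil
}

// CheckPair parses certificate and key together. crypto/tls compares the
// public key inside the certificate with the one derived from the private
// key and fails with "tls: private key does not match public key" (the
// error quoted in the thread) when they differ.
func CheckPair(certPEM, keyPEM []byte) (tls.Certificate, error) {
	return tls.X509KeyPair(certPEM, keyPEM)
}

// CertStore feeds tls.Config.GetCertificate. Reload only installs a pair
// that passed CheckPair, so a half-updated cert.pem/key.pem (the reload
// race raised in the thread) never displaces the last working pair.
type CertStore struct {
	mu   sync.RWMutex
	cert *tls.Certificate
}

// Reload validates the pair and installs it; on failure the previous one stays.
func (s *CertStore) Reload(certPEM, keyPEM []byte) error {
	c, err := CheckPair(certPEM, keyPEM)
	if err != nil {
		return err // previous pair stays installed; caller should log this
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.cert = &c
	return nil
}

// GetCertificate has the signature tls.Config.GetCertificate expects.
// Returning (nil, nil) before the first successful Reload makes crypto/tls
// report that no certificate is configured.
func (s *CertStore) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	return s.cert, nil
}
```

Wire it in with `&tls.Config{GetCertificate: store.GetCertificate}` and call `store.Reload` from whatever watches the two files; because validation happens before the swap, a mismatch surfaces as a logged reload error rather than as a failed client handshake.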