Re: User interface, security, and simplicity

2008-05-07 Thread Victor Duchovni
On Wed, May 07, 2008 at 10:27:48AM +1000, James A. Donald wrote: Dynamic strings tempt people to forget about enforcing length limits and forget about correctly handling the case when the length limits are exceeded. This too is dealt with. Message sizes are bounded, recipient counts are

Re: User interface, security, and simplicity

2008-05-07 Thread Peter Gutmann
James A. Donald [EMAIL PROTECTED] writes: In any program subject to attack, all strings should have known, documented, and enforced maximum length, a length large enough for all likely legitimate uses, and no larger. Precisely. An example of where dynamic strings can lead you is what happens to

Re: User interface, security, and simplicity

2008-05-06 Thread Victor Duchovni
On Sun, May 04, 2008 at 10:24:13PM -0400, Thor Lancelot Simon wrote: I believe that those who supply security products have a responsibility to consider the knowledge, experience, and tendencies of their likely users to the greatest extent to which they're able, and supply products which will

Re: User interface, security, and simplicity

2008-05-06 Thread Steven M. Bellovin
On Sun, 04 May 2008 11:22:51 +0100 Ben Laurie [EMAIL PROTECTED] wrote: Steven M. Bellovin wrote: On Sat, 03 May 2008 17:00:48 -0400 Perry E. Metzger [EMAIL PROTECTED] wrote: [EMAIL PROTECTED] (Peter Gutmann) writes: I am left with the strong suspicion that SSL VPNs are easier to

Re: User interface, security, and simplicity

2008-05-06 Thread Steven M. Bellovin
On Sat, 03 May 2008 19:50:01 -0400 Perry E. Metzger [EMAIL PROTECTED] wrote: Almost exclusively the use for such things is nailing up a tunnel to bring someone inside a private network. For that, there is no need for per user auth -- the general assumption is that the remote box is a single

Re: User interface, security, and simplicity

2008-05-06 Thread Jack Lloyd
On Tue, May 06, 2008 at 03:40:46PM +, Steven M. Bellovin wrote: In particular, with TLS the session key can be negotiated between two user contexts; with IPsec/IKE, it's negotiated between a user and a system. (Yes, I'm oversimplifying here.) Is there any reason (in principle) that

Re: User interface, security, and simplicity

2008-05-06 Thread Nicolas Williams
On Tue, May 06, 2008 at 03:40:46PM +, Steven M. Bellovin wrote: Experiment part two: implement remote login (or remote IMAP, or remote Web with per-user privileges, etc.) under similar conditions. Recall that being able to do this was a goal of the IPsec working group. I think that part

Re: User interface, security, and simplicity

2008-05-06 Thread Victor Duchovni
On Tue, May 06, 2008 at 11:40:53AM -0700, David Wagner wrote: - With the upcoming EECDH support, users don't choose curves directly, they again choose a security grade, and the correspnding curves are configurable via parameters they are not expected to ever look at or modify.

Re: User interface, security, and simplicity

2008-05-06 Thread James A. Donald
The same is true in the source code, unsafe practices are avoided globally, (e.g. both strcpy() and strncpy() are absent together with fixed size automatic buffers) rather than used with care locally. I won't bore you with all the implementation safety habits, but there are many.

Re: User interface, security, and simplicity

2008-05-05 Thread James A. Donald
Steven M. Bellovin wrote: IPsec operates at layer 3, where there are (generally) no user contexts. This makes it difficult to bind IPsec credentials to a user, which means that it inherently can't be as simple to configure as ssh. Put another way, when you tell an sshd whom you wish to

Re: User interface, security, and simplicity

2008-05-05 Thread Ed Gerck
Ian G wrote: (on Kerckhoffs's rules) = 6. Finally, it is necessary, given the circumstances that command its application, that the system be easy to use, requiring neither mental strain nor the knowledge of a long series of rules to observe. = ... PS:

Re: User interface, security, and simplicity

2008-05-05 Thread James A. Donald
Thor Lancelot Simon wrote: And, in fact, most VPN software of any type fails this test. My concern is that an excessive focus on how hard is it to set this thing up? can seriously obscure the important second half of the question and if you set it up in the easiest possible way, is it safe?

Re: User interface, security, and simplicity

2008-05-04 Thread Ben Laurie
Steven M. Bellovin wrote: On Sat, 03 May 2008 17:00:48 -0400 Perry E. Metzger [EMAIL PROTECTED] wrote: [EMAIL PROTECTED] (Peter Gutmann) writes: I am left with the strong suspicion that SSL VPNs are easier to configure and use because a large percentage of their user population simply is not

Re: User interface, security, and simplicity

2008-05-04 Thread Ray Dillinger
On Sat, 2008-05-03 at 23:35 +, Steven M. Bellovin wrote: There's a technical/philosophical issue lurking here. We tried to solve it in IPsec; not only do I think we didn't succeed, I'm not at all clear we could or should have succeeded. IPsec operates at layer 3, where there are

Re: User interface, security, and simplicity

2008-05-04 Thread Perry E. Metzger
Jacob Appelbaum [EMAIL PROTECTED] writes: Perry E. Metzger wrote: Until then, OpenVPN let me get started in about five minutes, and the fact that it is less than completely secure doesn't matter much to me as I'm running SSH under it anyway. [...] I'm always curious to hear what designers of

Re: User interface, security, and simplicity

2008-05-04 Thread Thor Lancelot Simon
On Sat, May 03, 2008 at 07:50:01PM -0400, Perry E. Metzger wrote: Steven M. Bellovin [EMAIL PROTECTED] writes: There's a technical/philosophical issue lurking here. We tried to solve it in IPsec; not only do I think we didn't succeed, I'm not at all clear we could or should have

Re: User interface, security, and simplicity

2008-05-04 Thread Ian G
Perry E. Metzger wrote: It is obvious to anyone using modern IPSec implementations that their configuration files are a major source of pain. In spite of this, the designers don't seem to see any problem. The result has been that people see IPSec as unpleasant and write things like OpenVPN when

Re: User interface, security, and simplicity

2008-05-04 Thread Perry E. Metzger
Thor Lancelot Simon [EMAIL PROTECTED] writes: On Sat, May 03, 2008 at 07:50:01PM -0400, Perry E. Metzger wrote: I disagree. Fundamentally, OpenVPN isn't doing anything IPSEC couldn't do, and yet is is fairly easy to configure. And yet there's no underlying technical reason why it is any

Re: User interface, security, and simplicity

2008-05-03 Thread Peter Gutmann
Thor Lancelot Simon [EMAIL PROTECTED] writes: The upshot is that, indeed, at least as shown here, this particular configuration frontend to OpenVPN is very easy to configure -- if you are willing to settle for much less security than OpenVPN was designed to provide, I think you mean: ]... if

Re: User interface, security, and simplicity

2008-05-03 Thread Jeff Simmons
On Saturday 03 May 2008 14:00, Perry E. Metzger wrote: Right now, to use SSH to remotely connect to a machine using public keys, all I have to do is type ssh-keygen and copy the locally generated public key to a remote machine's authorized keys file. When there is an IPSEC system that is

Re: User interface, security, and simplicity

2008-05-03 Thread Steven M. Bellovin
On Sat, 03 May 2008 17:00:48 -0400 Perry E. Metzger [EMAIL PROTECTED] wrote: [EMAIL PROTECTED] (Peter Gutmann) writes: I am left with the strong suspicion that SSL VPNs are easier to configure and use because a large percentage of their user population simply is not very sensitive to how

Re: User interface, security, and simplicity

2008-05-03 Thread Perry E. Metzger
Steven M. Bellovin [EMAIL PROTECTED] writes: There's a technical/philosophical issue lurking here. We tried to solve it in IPsec; not only do I think we didn't succeed, I'm not at all clear we could or should have succeeded. IPsec operates at layer 3, where there are (generally) no user

Re: User interface, security, and simplicity

2008-05-02 Thread James A. Donald
Thor Lancelot Simon wrote: It's fashionable in some circles (including, it seems, this one) to bash IPsec (particularly IKE) and tout SSL VPNs (particularly OpenVPN) on what are basically user interface grounds. I cannot help repeatedly noting that -- I believe more so than with actual IPsec