
STARTTLS considered harmful

Posted Aug 19, 2021 0:45 UTC (Thu) by scientes (guest, #83068)
Parent article: STARTTLS considered harmful

You write "TLS" over and over again, but you do not know anything about ASN.1 because it sucks. While it does not have certificates, WireGuard does not need this ASN.1 nonsense, which is so horrible that only the picoTLS library implements RFC 7250 Raw Public Keys, which allows using encryption without X.509. This fact shows that the people using these protocols don't understand what they are using and why, which is always a bad sign.

In short:

ASN.1
X.509
(Hence TLS from Netscape, and they just _had_ to change the name from SSL because the world always needs more TLAs)

Considered harmful, and the things built on these pieces of trash, while poop by association, are a waste of time, like eBPF.


STARTTLS considered harmful

Posted Aug 19, 2021 2:04 UTC (Thu) by mjg59 (subscriber, #23239)

> While it does not have certificates, WireGuard does not need this ASN.1 non-sense

You can certainly have certificates without ASN.1 (as SSH demonstrates), but when you're relying on services to be able to establish trust with other services that are run by entirely separate people, you're going to want some sort of PKI. All the code for dealing with the horrible aspects of ASN.1 has already been written, so why not just re-use the existing web PKI rather than inventing something that would require entirely new infrastructure?

STARTTLS considered harmful

Posted Aug 31, 2021 15:18 UTC (Tue) by mstone_ (subscriber, #66309)

> why not just re-use the existing web PKI rather than inventing something that would require entirely new infrastructure?

It's not clear that inventing the new infrastructure would be harder than securing all existing code (and any new implementation) that tries to do ASN.1 and X.509. Experience has shown that it's just too easy to screw up your TLS implementation, and it's basically certain that new critical implementation flaws will be found soon. Sadly, experience has also shown that getting something new on the internet isn't easy either, so smart money will bet that we'll just keep drifting in apathy, with everything kind of working except when it doesn't.

STARTTLS considered harmful

Posted Aug 19, 2021 9:08 UTC (Thu) by chris_se (subscriber, #99706)

> You write "TLS" over and over again, but you do not know anything about ASN.1 because it is sucks.

Yeah, ASN.1 is way too complicated. But unfortunately nobody has proposed an actual alternative that has gained any kind of traction. Sure, in fixed deployments you don't need a PKI, but some kind of high-level key attestation mechanism is required for most use cases. Honestly, I'd love to see something way better in this space.

In general I'd like to observe that most crypto solutions are just plain horrible when it comes to the parts that aren't the core crypto itself, or in the other extreme they are overly simple so that many use cases can't be handled with them. I have yet to see something that strikes a good balance here.

> While it does not have certificates, WireGuard does not need this ASN.1 non-sense

But WireGuard only provides the low-level channel, and any WireGuard-based solution that actually competes with other available VPNs implements some manner of control plane external to the actual WireGuard protocol.

STARTTLS considered harmful

Posted Aug 19, 2021 10:01 UTC (Thu) by jschrod (subscriber, #1646)

Do you have anything to say about the actual topic of the article?

If yes, can you tell it like an adult without using childish faecal cuss words?

STARTTLS considered harmful

Posted Aug 22, 2021 9:30 UTC (Sun) by scientes (guest, #83068)

But you are doing the same thing the article and STARTTLS is doing.

You walk up to someone, say hi, and then demand they show you their identification.

Fuck you buddy.

STARTTLS considered harmful

Posted Aug 22, 2021 12:20 UTC (Sun) by Wol (subscriber, #4433)

Just don't walk into a drug store or off-licence ...

Cheers,
Wol
