Hacker News new | ask | show | jobs
by benblack 5455 days ago
An article about configuring SSL that doesn't 1) discuss trade-offs of security vs. resource consumption, 2) how to figure out your performance requirements, and 3) indicate the author really understands implications of decisions about crypto is an article you should probably disregard. Modern CPUs are so ridiculously good at crypto, and most sites have such ridiculously low connection rates, that optimizing for maximum performance at the expense of security is a fool's game in most cases. Instead, focus on measuring your real performance requirements first, and things like sane configuration of SSL, for example by explicitly listing ciphers instead of using the impenetrable +aNULL:-yourMom syntax.

Here's my vintage code for scanning SSL configs: https://github.com/b/tlscollect

Here are a couple of must read posts from someone who really knows his SSL business:

http://www.imperialviolet.org/2010/06/25/overclocking-ssl.ht...

http://www.imperialviolet.org/2011/02/06/stillinexpensive.ht...

It's great to learn.

Lil' B
1 comments
tptacek 5455 days ago
Does any of this have anything to do with Matt's post? Adam's first post says the same thing Matt's does: DHE is expensive.

The "tradeoff" in security vs. performance you're referring to irrelevant to almost everyone building on nginx. If you've lost your RSA key, you are well and truly fucked. DHE is interesting, but sniping at people for not using it (in your case, implicitly) is unfair.

link
benblack 5455 days ago
Adam's post is rather more thorough and nuanced, which makes sense since he actually understands SSL and benchmarking. While you might summarize them both as "DHE is expensive", I don't know why you would. Here is each post on DHE:

Adam - "However, with a pure RSA ciphersuite, an attacker can record traffic, crack (or steal) your private key at will and decrypt the traffic retrospectively, so consider your needs."

Matt - "Unfortunately, it also includes a very computationally intensive cipher using an ephemeral Diffie-Hellman exchange for PFS. Sounds scary already, doesn't it? ... The problem cipher is DHE-RSA-AES256-SHA [b]."

The first is factual and straightforward. The second is muddled and clearly skewed towards blindly disabling DHE. I believe we are in agreement that it is irrelevant to almost everyone building on nginx: their connection rates are so low they will not notice the overhead introduced by DHE.

I am sniping at enthusiastic ignorance and encouraging others to behave similarly. I hope that is all quite clear now.

Hugs and kisses, Lil' B

link
tptacek 5455 days ago
Are you a little worried that you come off sounding like "Adam is one of the cool kids and Matt isn't"? Matt's conclusion is ultimately correct.

And we apparently disagree completely about DHE, because you appear to be saying you'd recommend it to web startups, despite the fact that the bank that clears those startups transactions isn't even using it.

Especially weird given that Boundary, your startup, doesn't do DHE.

link
kelnos 5455 days ago
I think benblack's argument is that Adam can recommend disabling DHE because he knows what it is and what it does and can make an informed decision about whether or not your average SSL-enabled site needs it.

Matt simply says "I messed with my settings and leaving this one out makes it faster", without knowing whether or not turning DHE off is safe (or if he does know, clearly he's making it seem like he doesn't). The fact that it is safe -- in this instance -- isn't particularly relevant. The point is that someone who doesn't understand the security implications of something is making a recommendation about security, just cloaked in a recommendation about performance.

Anyway, I don't know any of the people we're talking about here, just trying to help clear up what I believe benblack was trying to say :)

link
tptacek 5455 days ago
Right is right. Wrong is wrong. Pants aren't shirts. It's clear Ben doesn't think Matt is qualified to write the post. But he should have holstered the impulse to gripe about it until Matt wrote something wrong.
link
kelnos 5455 days ago
Well, Matt did write something wrong. The original post about nginx "sucking" at SSL was wrong. Maybe it sucks for SSL in its default configuration (is that even that case, or was Matt's config copy/pasted from elsewhere?), but saying it sucks in general is incorrect and link-bait'y. You can presumably configure other web servers to suck just as much at SSL by enabling DHE ciphers and providing DH params.
link
benblack 5455 days ago
I am recommending that people who do not understand the trade-offs and do not have the traffic for it to matter should probably leave those safe defaults alone. What the banks choose to do is unfortunate, but should not dictate behavior. If all the banks chose to jump off a bridge, etc.

Recommending people unfamiliar with configuring SSL leave defaults alone is only incompatible with our having non-default config if you are implying I don't understand configuring SSL. I doubt that is what you mean, as I am ever the optimist.

Yay!,

Lil' B

link
tptacek 5455 days ago
Turning off DHE is safe. I assume you agree with this, because your SSL server appears unable to do DHE. But whether you agree or not, ephemeral DH is not necessary for secure SSL. As Adam Langley pointed out himself: enabling DHE without knowing what you're doing can create more security problems, because your parameters can be insecure.

I'm having trouble parsing the rest of your comment. I don't have a religious belief about what defaults are reasonable to muck with and which aren't, but: this particular one is fine to change.

link
SnowLprd 5455 days ago
Speaking of fairness, how do you conclude that Ben is sniping at people for not using DHE? I've re-read his comment multiple times, and I don't see that in there at all -- explicitly or implicitly.
link
tptacek 5455 days ago
The words "indicate the author really understands implications of decisions about crypto is an article" were what set me off. I think I'm right; Ben doesn't really believe you need to use DHE, but for some reason doesn't think Matt rates highly enough to write a blog post about configuring SSL.
link
benblack 5455 days ago
On a related topic, these are both your comments on this post:

"The win here is that losing the RSA key now only allows you to MITM future SSL/TLS connections. This is still a disaster, but it does not allow you to retroactively unwind previous DH exchanges and decrypt earlier captured sessions."

"If you've lost your RSA key, you are well and truly fucked."

Thanks for clearing that up!

Make love not war,

Lil' B

link
tptacek 5455 days ago
Oh. You're forum trolling. You know what though, it's always great to see you Ben. Thanks for taking the time.
link
benblack 5455 days ago
Correct, disagreeing with you implies trolling. You are one astute dude, Tom. Keep up the good work!
link
sp4rki 5455 days ago
I think that grasping at straws imply you're trolling, not disagreeing with someone else, although more than disagreeing with Tom it just seems like you're complaining...

I agree that both articles have different degrees of technical completeness, but really getting snarky because you believe that someone doesn't have the 'stripes' to write an article that ultimately agrees with the former article you're comparing it to seems to me like a waste of time. Specially since both articles basically come to the same conclusion. It gets worse when you pull two quotes from tptacek that ultimately don't change neither what he said in the beginning nor the reason he's responding to your posts.

link