Hacker News new | ask | show | jobs
by winterdeaf 1464 days ago
Tarsnap does not actually look bad. But any client-to-server protocol that is not TLS1.3 will make cryptographers twitch, and (as noted in the documentation pages) compression is bound to offer a side-channel attack (if only an impractical one, with hundreds of queries per recovered byte).
1 comments
cperciva 1464 days ago
Using TLS makes this particular cryptographer twitch.
link
ghoward 1464 days ago
Not GP, but a wannabe level 3 [1] cryptographer.

Why does TLS make you twitch? Does that apply to TLS 1.3?

[1]: https://loup-vaillant.fr/articles/rolling-your-own-crypto

link
cperciva 1464 days ago
TLS 1.3 is definitely better than previous versions. Note however that it wasn't published until 2018; Tarsnap's transport layer has been in use since 2007, before even TLS 1.2 was published. If I had used TLS at the time, it would have been TLS 1.1. Hopefully you agree that would have been a bad thing?
link
tptacek 1464 days ago
I mean, TLS 1.1 isn't a good thing, but which <TLS1.3 bugs actually would have impacted Tarsnap? SMACK, maybe? Probably not POODLE, given the ciphersuites you'd have locked down to. Not BERserk (you'd never use NSS). The TLS BB'98 attacks didn't hit any library you'd actually use. No Triple Handshake, since you wouldn't do renegotiation. No BREACH, TIME or CRIME (they don't fit Tarsnap anyways). No RC4 (lol). No Lucky13, for the same reason as no POODLE. No BEAST, because you don't do Javascript. And now we're back to 2007 (or pre-2007) for attacks on TLS.
link
cperciva 1464 days ago
It's possible that I could have taken TLS 1.1 and removed all the broken parts, sure. I mean, that's pretty much what TLS 1.3 is.

But frankly I trust my ability -- both now and in 2007 -- to use standard cryptographic algorithms to build a new protocol far more than I trust my ability to remove all the crap from TLS 1.1.

(Did you deliberately not mention heartbleed?)

link
tptacek 1464 days ago
Heartbleed isn't a TLS vulnerability any more than an overflow in GnuTLS is.

The threshold question is, "could this vulnerability be reasonably expected to recur in independent implementations of the protocol?"

As for stripping back TLS 1.1 --- it wouldn't take much more than simply picking a single ciphersuite and requiring TLS 1.1. You wouldn't need to know, for instance, about export ciphers.

link
ghoward 1463 days ago
Yes, of course. I was just confused because it seemed like you were saying that even the new version of TLS was bad.
link