[Weechat-dev] [bug #37602] [enhancement] pin TLS certificates using TOFU


From: Abel Luck
Subject: [Weechat-dev] [bug #37602] [enhancement] pin TLS certificates using TOFU model
Date: Fri, 19 Oct 2012 13:05:09 +0000
User-agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0

URL:
  <http://savannah.nongnu.org/bugs/?37602>

                 Summary: [enhancement] pin TLS certificates using TOFU model
                 Project: WeeChat
            Submitted by: abelxluck
            Submitted on: Fri 19 Oct 2012 01:05:08 PM GMT
                Category: irc plugin
                Severity: 3 - Normal
              Item Group: security
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name: 
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
                 Release: 0.4.0-dev
                IRC nick: abeluck

    _______________________________________________________

Details:

== Motivation ==

In these days where we can no longer trust Certificate Authorities (CAs) yet
can't quite ditch the CA model entirely, we need to take additional precautions
to ensure the integrity of our TLS sessions.

Currently weechat supports verifying a certificate and all the certs in the
chain up to the CA. If _any_ CA is compromised, then the game is up and we
could be silently MITMed. 

If we pin (i.e., store) a certificate after we see it and expect to see it
again in the future, we effectively reduce the scope of authorities who can
authenticate to us during the lifetime of the pin.

== Proposal ==

I propose augmenting this system with an *optional* additional verification
step that pins the certificate on first use, and every connection thereafter
expects the same certificate.

This is often called TOFU, for Trust On First Use 
<https://en.wikipedia.org/wiki/User:Dotdotike/Trust_Upon_First_Use>. If you've
ever used SSH you've used TOFU before. The familiar prompt when you connect to
a server for the first time is TOFU+cert pinning in action.

This behavior will be optional and disabled by default. The reasoning for it
being off by default is that irc servers often use pools of servers which
could use different SSL certificates.

For example, if you connect to chat.freenode.net you could be directed to any
number of servers, each with their own certificate.

Pinning is particularly useful in these circumstances:

* self-signed certificates
* single IRC servers (non-pooled)

== Implementation ==

Add the irc plugin option irc.server.ssl_pin as a boolean option.

If this option is enabled:

* On first connection to a server, after performing the current CA chain
verification, weechat will *optionally* store the cert in a local cache.
* On subsequent connections, weechat will expect the same certificate to be in
use (unless it has expired or been revoked) and will prompt the user if this
is not the case.

=== Discussion ===

Thankfully, this is quite simple to implement using gnutls-3.0.13. It requires
the use of just two gnutls functions
<http://www.hep.by/gnu/gnutls/Verifying-a-certificate-using-trust-on-first-use-authentication.html>.
The documentation explains this in more detail.

You can view the sample client
<http://www.hep.by/gnu/gnutls/Simple-client-example-with-SSH_002dstyle-certificate-verification.html#Simple-client-example-with-SSH_002dstyle-certificate-verification>
and compare it to irc_server_gnutls_callback() in irc-server.c.

Of course this requires gnutls-3.0.13, which was released in February 2012.
This fact alone means we cannot push this feature until most distros have
upgraded. That said, that gives us more time to implement and test it as a
devel version.

Please discuss this proposal; I am more than willing to submit patches, but
only if this is agreeable.





    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?37602>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/
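
The pin-on-first-use decision proposed in the message above, sketched as an added example; it is not code from the original report or from WeeChat. It does not call GnuTLS: the in-memory store, `tofu_check`, the 32-byte fingerprint, the host name and the choice to re-pin once the pinned certificate has expired are assumptions made for illustration, and revocation is not modeled.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define FP_LEN 32    /* assumed: SHA-256 of the server certificate, from the TLS library */
#define MAX_PINS 16
enum tofu_result { TOFU_FIRST_USE, TOFU_MATCH, TOFU_MISMATCH, TOFU_CHAIN_FAILED, TOFU_ERROR };

struct pin { char host[128]; int port; unsigned char fp[FP_LEN]; time_t expires; };
struct pin_store { struct pin pins[MAX_PINS]; int count; };

/* chain_ok is the outcome of the existing chain verification, which runs first.
 * not_after is the certificate's expiry; an expired pin no longer binds the host. */
enum tofu_result tofu_check(struct pin_store *s, const char *host, int port, int chain_ok,
                            const unsigned char *fp, time_t not_after, time_t now)
{
    struct pin *p = NULL;
    if (!chain_ok)
        return TOFU_CHAIN_FAILED;             /* never pin an unverified certificate */
    if (strlen(host) >= sizeof p->host)
        return TOFU_ERROR;                    /* refuse to truncate: avoids key collisions */
    for (int i = 0; i < s->count && !p; i++)  /* pins are keyed by (host, port) */
        if (s->pins[i].port == port && strcmp(s->pins[i].host, host) == 0)
            p = &s->pins[i];
    if (p && p->expires > now)                /* live pin: compare, never overwrite silently */
        return memcmp(p->fp, fp, FP_LEN) == 0 ? TOFU_MATCH : TOFU_MISMATCH;
    if (!p) {
        if (s->count == MAX_PINS)
            return TOFU_ERROR;
        p = &s->pins[s->count++];
        strcpy(p->host, host);
        p->port = port;
    }
    memcpy(p->fp, fp, FP_LEN);                /* first use, or the pinned cert has expired */
    p->expires = not_after;
    return TOFU_FIRST_USE;
}

int main(void)
{
    struct pin_store store = {0};
    unsigned char cert_a[FP_LEN], cert_b[FP_LEN];   /* constructed fingerprints */
    memset(cert_a, 0xA1, FP_LEN);
    memset(cert_b, 0xB2, FP_LEN);
    /* Constructed host: first connection pins (0), a different cert later mismatches (2). */
    printf("%d\n", tofu_check(&store, "irc.example.org", 6697, 1, cert_a, 2000, 1000));
    printf("%d\n", tofu_check(&store, "irc.example.org", 6697, 1, cert_b, 2000, 1500));
    return 0;
}
```

A `TOFU_MISMATCH` result leaves the stored pin untouched, so the caller can prompt the user as the proposal describes; a pooled host name whose members present different certificates will hit this path on reconnect.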
