That moment when families look around and realize they have absolutely nothing to talk about... #facebookdown
waxwing
if even morons like lizardsquad can do that, then let's face it, we're all screwed :)
dansmith_btc
waxwing, while running tests on aws, I occasionally get 10 PMS failed in a row during prepare_pms. The vars are shared.tlsver = 0301 and rs_choise=archive.org
ofs tls_11=1 in ini file
*ofc
this is worrying - why would the auditee ever use 0301 during prepare pms?
ws'ing shows that client hello has 0301
I guess there is some mismatch happening when auditee uses 0301 for prepare PMS but auditor uses 0302
waxwing
dansmith_btc: yeah that could do it.
dansmith_btc
my suggestion to you: run a mega test with, like 500 entries until you see this behaviour
then both you and I can be sure that it's not just me here
waxwing
i didn't consider that possibility - in that case, presumably, you would get pms trials failure
well running tests is one thing, but if you have tls_11=1 and you're seeing 0301 in the client hello, then something is wrong.
dansmith_btc
in TLSClientHello it uses tlsn_common.tlsver which may have been downgraded. We should use if int(shared.config.get("General","tls_11")): shared.set_tlsver('\x03\x02') there
waxwing
oh - you mean from one audit to the next?
dansmith_btc
yes
is it possible?
waxwing
i'll take a look but it sounds like a plausible source of a bug
but actually i remember that i tried to address that
yeah, it seems scary, but all I did is wrapped in try except, that's it
if only you couls see the diff ignoring the whitespace changes, that's be a very small diff
waxwing
sure i get that it's a small change, but it is creating new execution paths
dansmith_btc
ok, I guess i'll undo that commit and try without it first
waxwing
something i'm struggling to remember:
do we use 0302 for the prepare pms phase?
oh yes as i write it i remember
it's always supposed to be 0302 at that stage if tls_11 is true
i cannot understand how you can get 0301 in the prepare_pms client hello, if tls_11 is set to true. that should be impossible.
gonna take a little break. but before i do i'll pull your latest and start running as many sites as i can.
dansmith_btc: ^
dansmith_btc
waxwing, actually I just undid my retry... commit and rerunning the mega test
waxwing
ok. i'll wait then?
dansmith_btc
u may want to wait until i confirm that it triggers again
waxwing
oh hang on. maybe that's it. because shared.tlsver is a global.
and if you re-do prepare pms , then if it got downgraded, it would stay downgraded.
yeah.. i suppose it's true. hmm, my brain really doesn't work too well this morning.
dansmith_btc
yes, confirming the bug remains after undoing that commit
waxwing
it's the same reason i had to shove that "reset from config" at the start of start_audit - if you don't reset, then you've still got the value from the last audit.
dansmith_btc: was there an earlier time when this *wasn't* happening? i noticed you doing tons of tests last couple of weeks. when did the problem start?
dansmith_btc
I remember running mega test way back, before the tls 11 thing
since then, i never had a successfull run
however I had successful test runs for the normal size websitelist, but not for the mega size
waxwing
ok that matches my experience. i only ever used the default sized list.
dansmith_btc
i mean I had success recently only with normal size lists
waxwing
yes, got it.
so what happens when the reliable site downgrades from 1.1 to 1.0? as far as i can tell, it should allow prepare_pms to return successfully on the second iteration. and from then on it should be tls 1.0 for the main audit (which i guess is a bug, but it should work).
dansmith_btc
i c where the bug comes from - we reset tlsver at start_audit however send_certificate gets triggered before start_audit
send_certificate is pre-preparing the pms before user presses start audit
waxwing
process_certificate_queue . but yeah, that's clearly it. good catch.
dansmith_btc
best to just hardcode 0302 for prepare_pms purposes
waxwing
i mean, it would be ok the first time (first audit).
yeah hardcode would be a fine bugfix, i expect.
no hang on.
if someone actually wants 1.0 audits and sets that in the config file, we need the prepare_pms to respect that.
dansmith_btc
yeah, that's a can of worms
waxwing
the whole trouble started from .. this global variable in tlsn_common. it seems like we need it, but it causes a bit of a mess.
i got quite confused about it first time round, so i'm not surprised there's a bug left behind.
it's because we have to preserve state across different TLS session objects.
tlsn_session has to know what pms_session was doing, so to speak.
dansmith_btc
wouldnt the first step be to pass tlsver to auditor explicitely via p2p messaging? otherwise how will auditee communicate that he wants to use tls10
waxwing
oh yes. did i forget that?
certainly remember thinking about it.
or maybe i didn't do it, and just figured 'oh people will have to use the defaults or otherwise tell their counterparty explicitly'
after all, they have to tell the counterparty other details, like the messaging channel and the pubkeys, and the reliable sites too
a load of stuff has to be synchronised; but if people just stick with defaults it's ok.
dansmith_btc
yes, there is no harm in not doing it initially, but right now when runnng test with random tlsver that must be communicated over p2p channel
waxwing
otoh maybe it shouldn't be optional. just 1.1 and that's it.
with randomness, yes, i see.
bottom line is, youre right, a downgrade during the handshake should not in any way affect the operation of prepare_pms()
because prepare_pms is making the PMS which is unaffected by downgrades.
so yeah, hardcode it in prepare_pms to the value of shared.config.get()
if you want random variation in the tests, you can randomise the value in the config?
dansmith_btc
prepare_pms may run in paraller with start_audit because of the pre-preparing, relying on config will not do
passing tlsver to TLSNClientSession is the only option here
bbl
oakpacific joined the channel
waxwing
"prepare_pms may run in paraller with start_audit because of the pre-preparing, relying on config will not do" <-- i don't understand this.
if the tlsver used in prepare_pms is just what's in the config, that should be fine, whenver it runs.
unless the comment is connected with randomising (although i think it should still be fine like that?)
waxwing is wondering why we never discussed tlsnotary-for-oracles like proving temperature or price feeds
oakpacific
publicly available info needs no proof
waxwing
maybe. private feeds?
i'm writing the history of TLSNotary as a blog post :)
actually i'm not. but somehow i ended up writing 3 paragraphs on 'background'
oakpacific
yeah, that story sounded incredulous to me
waxwing
you mean the history of tlsnotary as a blog post is not believable?
oakpacific
no
waxwing
why not? sounds fascinating :)
oakpacific
alumni-book style fascinating?
also suppose it's written, it should include paysty and stuff and so on
waxwing
yes, that's what i meant.
3 paragraphs is of course not enough, more like 3 pages.
would you like to complete it? :)
oakpacific
waxwing: well, first you have to realize that I was absent until half-way
waxwing
yeah, not sure. i don't focus too much on first 5/6 months. That was not so productive :)
oakpacific
second, until very recently, I didn't think of it as much more than a hack, then I saw Natanael giving it a theoretical perspective, so with enough theoretical spinning it's actually interesting academic stuff :)
waxwing
which particular theoretical perspective do you mean?
i think we have seen lots of works on how you authenticate both parties in a communication, but without creating any proof that can be connected to both
but what if you want to prove something to a third party, but no one other than him?
oakpacific: well specifically imean that if you weren't constrained by TLS, you could construct such a system from scratch without too much effort
not saying it'd be easy to do it perfectly, of course
oakpacific
waxwing: but it always involves HMAC and so on
waxwing
oakpacific: do you see any other use cases than (a) prove a transfer (b) prove a government ID or residence ?
it's a bit silly really isn't it, because any tlsnotary use case is a digital signature use case
unless, as you say, you deliberately don't want to prove it to anyone else but the auditor. then an attached signature is not good.
oakpacific starts to conjure up in his brain Mafia film scenes...
i wonder if blinding could play a role somewhere, like: you want to have the auditor read the plaintext to verify, but you want everyone else to be able to pass around a blinded proof and say 'the auditor verified this'. i can't see a use case though.
oakpacific
hmmm, maybe we can call it subliminal auditing and so on?
waxwing
i guess all i'm describing there is a 2 stage: 1, auditor verifies, 2, auditor signs a message saying "I verify"
oakpacific
i start to wonder, have we broken the OTR deniability?
waxwing
heh
OTR != TLS thankfully
oakpacific
but you would have to wonder if anything using a shared secret could be manipulated in this way
waxwing
well, you could start with TLS 1.2 :)
oakpacific
waxwing: think about it, it's actually a trivial question
waxwing
hearn is now telling me that he gets *all* his bank data digitally signed, and that he always has done..
btw i have to go in a minute
oakpacific
if one party gives up confidentiality, then you can just have the auditor creating everything