New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add native support for PFS (Perfect Forward Secrecy) #22611
Comments
For those following along, that might not know about PFS, what exactly does it enable or unlock? Do some other protocols require it? I found http://en.wikipedia.org/wiki/Forward_secrecy Is this specific to network encryption implementations? Added Area-Library, Library-IO, Triaged labels. |
Could you please explain what it is that is needed for PFS in dart:io. As far as I can see you get FPS when using TLS to suecure the connection. Or am I missing something? Added NeedsInfo label. |
This comment was originally written by @Emasoft @sgjesse: Developers are having difficulties implementing secure web applications. For instance according to Luiz Mineo, developer of Redstone.dart, (I quote) "HSTS can only be implemented resorting to an interceptor (i.e. a cpp wrapper of an instance of a native peer C/C++ object) or using shelf middleware", while "there is no support for PFS on Dart at all". This is a serious shortcoming for a web development platform like Dart. Perfect Forward Secrecy (PFS) (aka Ephemeral Keys Exchange) should satisfies the 3 properties below:
var ( Currently Dart doesn't allow to do that. Here are a couple of posts made by Adam Langley, Senior Staff Software Engineer at Google: https://www.imperialviolet.org/2011/11/22/forwardsecret.html You can ask him how to implement PFS in the Dart framework. |
So the feature request is to configure the preferred TLS cipher suites to a set that will adheres to the Perfect Forward Security properties? Maybe even have this be the default. |
This comment was originally written by @Emasoft I think the problem is more complex than just changing the preferred TLS cipher suites and putting the Ephemeral ones first. Dart is not able to satisfie the 3 properties listed above. |
This comment was originally written by luiz.mine...@gmail.com "@sgjesse: Developers are having difficulties implementing secure web applications. For instance according to Luiz Mineo, developer of Redstone.dart, (I quote) "HSTS can only be implemented resorting to an interceptor (i.e. a cpp wrapper of an instance of a native peer C/C++ object) or using shelf middleware", while "there is no support for PFS on Dart at all". This is a serious shortcoming for a web development platform like Dart." Well, that's definitely not exactly what I said... Let me paste here my comment on the Google+ thread (https://plus.google.com/u/0/112869608698337579825/posts/AyNJZAhSqGW): "HSTS can be easily implemented with an interceptor or shelf middleware, although, I think there is no support for PFS on Dart yet." With "interceptor", I meant an Redstone interceptor (http://redstonedart.org/doc/Interceptors.html). You just have to add a new header to your response for enabling HSTS. And with "I think there is no support for PFS on Dart yet", I meant that I'm not sure if this specification can be implemented in Dart, but I didn't tried it myself. |
I got the following answer from Adam Langley: """ Those two blog posts explains PFS this quite precisely. The explanation of how Twitter implemented the session ticket key distribution shows what is needed for a server farm for providing PFS together with session resumption. Right now there is no API in dart:io to do anything with the session ticket key. Added Triaged label. |
This issue was originally filed by @Emasoft
Dart currently lacks support for PFS (Perfect Forward Secrecy). The latest escalation in security makes this a fundamental requisite for a web development framework like Dart. It should be implemented as part of the standard framework, in a usable and easy to enable way. With no dependency on third party libraries or tools.
The text was updated successfully, but these errors were encountered: