Mauritian code-cutters to help deliver TLS 1.3
Hackers.mu members prepping for IETF 100 hackathon
When IETF 100's hackathon kicks off in Singapore, one of the groups hoping to make waves will come from Mauritius.
Their aim, Logan Velvindron of hackers.mu told Vulture South, is twofold: to make serious contributions to the development of the as-yet-immature TLS 1.3, and along the way, break Mauritius out of its public image as a tourist destination with nothing to contribute to today's IT.
“The idea is to show the rest of the world that we are also capable of contributing to the internet,” rather than the tech world seeing the country as only a call centre outsourcing destination, Velvindron said.
Hosting tech support call centres doesn't do much for skilling up a tech workforce, he said: “In order for us to move into a high-value, high income country, we need to up our game,” he added. “We need to move from a country that's a purely consumer of technology to a developer of it.”
And it's fun. As hackers.mu founder Pirabarlen Cheenaramen added in an email, "it is not only a fun process to feel that we are helping to shape something bigger among so many other developers over the world, but it also brings us great pride to disseminate this culture to the younger generation across this beautiful and remote island".
In working on TLS 1.3, Logan is joined by Muzaffar Auhammud and Muzaffar Auhammud, Pirabarlen Cheenaramen, Nitin Mutkawoa, Codarren Velvindron, Anoop Seburuth, Yashvi Paupiah, Akhil Maulloo, Sheik Meeran Ashmith Kifah, Yasir Auleear, Nigel Yong, and Rahul Golam, and their work so far has resulted in a crop of patches and commits:
- A working patch for Wget;
- Another for Wolfssl;
- Work on OpenSSL;
- The Monit process supervisor; and
- A TLS 1.3 contribution to Aria 2.
That's a respectable workload for three people, so we asked why they chose TLS 1.3 for their efforts.
Logan said it's because TLS is present in so many packages there's an opportunity to make a contribution – and because there are still stresses between the protocol, its implementers, and a diverse wish-list among users.
TLS 1.3 still controversial
Perhaps the most heated is about the role of middleboxes: security-conscious industries like banking want to keep the ability to use proxies to intercept traffic for inspection, and TLS 1.3 "makes these things more difficult," he said.
Some data centres want similar capabilities, and as Velvindron told us, to try to satisfy both sides of the debate is "a very difficult trade-off to make".
Google Chrome 56's crypto tweak 'borked thousands of computers' using Blue Coat securityREAD MORE
Google's Chrome team – and Blue Coat Security – found that out earlier this year, and Velvindron said tests from Facebook also demonstrated that many middleboxes out there don't yet support TLS 1.3.
"There's a large failure rate across the internet – in the IETF working group they're trying to collect the data."
Research is also difficult in Africa, he added: with a lack of people conducting such studies, it falls to interested parties in the ISP industry, some of whom are working with the hackers.mu group.
The aim is to create a map of where TLS 1.3 isn't going to be feasible, and that will be discussed at various African forums, Velvindron told us (these could include AFRINIC, AFNOG and the research network AFREN).
Getting the code working is one thing; keeping it working is another – because the TLS 1.3 specification is still undergoing development.
"Take OpenSSL," he said, which at the time we spoke was compliant with Draft 18 of the TLS 1.3 specification.
"That works fine, but when I take the same code and compile it to be compliant to Draft 21, there are issues.
"IETF Hackathons are the perfect venue to test for interoperability among different TLS 1.3 implementations and make sure that they work well together," he said – something that helps improve the quality of the Standards.
Fixes need to happen across different libraries before other open source projects can adopt them, he said, which creates a chicken-and-egg problem: open source projects want to wait for the working groups to reach a consensus, but waiting means real-world problems aren't identified.
Perhaps because their contributions help break that deadlock, he said the TLS working group is "happy to work with us, even remotely." They've been invited by the IETF Outreach program to talk about their work, and back in IETF 98, one of the members won a prize for being the most remote participant. ®
Sponsored: Becoming a Pragmatic Security Leader