Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard

Eric Rescorla <ekr@rtfm.com> Sat, 17 January 2015 14:37 UTC

On Fri, Jan 16, 2015 at 1:19 PM, Brian Smith <brian@briansmith.org> wrote:

> Adam Langley <agl@google.com> wrote:
> > On Fri, Jan 16, 2015 at 12:03 PM, Hanno Böck <hanno@hboeck.de> wrote:
> >> Recently Mozilla has disabled the now so-called protocol dance, which
> >> makes adding another workaround (SCSV) pretty much obsolete:
> >
> > Until they add TLS 1.3 support, when they'll need it again.
>
> I don't think so, because we can change the way versions are
> negotiated for TLS 1.3, so that the issue doesn't arise. In
> particular, we can keep ClientHello.client_version as 0x0303 (TLS 1.2)
> and negotiate TLS 1.3 with an extension.
>
> Also, the rate of TLS 1.3 intolerance might be significantly lower
> than projected. Ivan's numbers are based on a ClientHello with 0x0304
> (TLS 1.3) as the record-layer version number. We know from past
> experience working on NSS that 0x0301 (TLS 1.0) is a more compatible
> record-layer version number. I think it was established that many
> servers work fine when ClientHello.client_version = 0x0304 (TLS 1.3)
> as long as the record-layer version number is 0x0301 (TLS 1.0) but
> break when the record-layer version is 0x0304 (TLS 1.3). We'll need to
> measure this in a more definitive way, but there's reason to be
> optimistic.


Thanks for the detail. I've been planning to run some experiments using
Firefox Telemetry, but haven't gotten around to them yet. More when
I have them.

-Ekr


> Cheers,
> Brian
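The thread above distinguishes three places a version can appear in a ClientHello (record-layer version, ClientHello.client_version, and an extension) plus the fallback SCSV from the draft under Last Call. The following is an added example, not part of the original messages, that parses all four from a single-record ClientHello. It assumes the extension is supported_versions (type 43) as TLS 1.3 later defined it; the helper names and sample records are constructed for illustration.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600     # cipher suite value {0x56, 0x00} from the downgrade-scsv draft
EXT_SUPPORTED_VERSIONS = 43    # assumption: the extension TLS 1.3 later used (RFC 8446)

def build_client_hello(record_version, client_version, suites, ext_versions=()):
    """Construct a minimal ClientHello record (sample input, not a capture)."""
    exts = b""
    if ext_versions:
        vers = b"".join(struct.pack("!H", v) for v in ext_versions)
        data = bytes([len(vers)]) + vers
        exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    body = struct.pack("!H", client_version) + bytes(32) + b"\x00"  # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                             # one compression method: null
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body              # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", record_version, len(hs)) + hs

def parse_client_hello(record):
    """Return every version field the ClientHello carries, plus the fallback signal."""
    ctype, rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 0x16 or rec_len < 4 or len(record) < 5 + rec_len or record[5] != 0x01:
        raise ValueError("not a complete single-record ClientHello")
    pos = 9                                    # record header (5) + handshake header (4)
    (client_ver,) = struct.unpack_from("!H", record, pos)
    pos += 2 + 32                              # client_version + random
    pos += 1 + record[pos]                     # session_id
    (cs_len,) = struct.unpack_from("!H", record, pos)
    pos += 2
    suites = [struct.unpack_from("!H", record, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + record[pos]                     # compression methods
    versions, end = [], 5 + rec_len
    if pos + 2 <= end:                         # the extensions block is optional
        (ext_total,) = struct.unpack_from("!H", record, pos)
        pos += 2
        ext_end = min(pos + ext_total, end)
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack_from("!HH", record, pos)
            pos += 4
            if etype == EXT_SUPPORTED_VERSIONS:
                n = record[pos]                # one-byte length of the version list
                versions = [struct.unpack_from("!H", record, pos + 1 + i)[0] for i in range(0, n, 2)]
            pos += elen
    return {"record_version": rec_ver, "client_version": client_ver,
            "fallback_scsv": TLS_FALLBACK_SCSV in suites, "supported_versions": versions}
```

A server-side log of these four fields per handshake is enough to tell a fallback retry (SCSV present, lower client_version) from a client that advertises a newer version only through the extension.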