Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard

Watson Ladd <watsonbladd@gmail.com> Fri, 16 January 2015 20:38 UTC

To: Andrei Popov <Andrei.Popov@microsoft.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/KwatY_h3sHwbFp8Fu_maL24O_0U>
Cc: Yuhong Bao <yuhongbao_386@hotmail.com>, Hanno Böck <hanno@hboeck.de>, "<ietf@ietf.org>" <ietf@ietf.org>, "tls@ietf.org" <tls@ietf.org>

On Jan 16, 2015 12:14 PM, "Andrei Popov" <Andrei.Popov@microsoft.com> wrote:
>
> > This does not mean that every browser will do it.
>
> True, but if FF is able to stick with this, and roll it out into
> production, that's a strong indication that other browsers may be able to
> do the same. And, of course, this eliminates the fallback problem at the
> root.
>
> One remaining issue, however, is reported high rates of TLS 1.3 version
> intolerance.

Why are we insisting on increasing on the wire version numbers for TLS 1.3,
instead of using the extension mechanism, even though we know this will
cause adoption problems?

Sincerely,
Watson Ladd
>
> Cheers,
>
> Andrei
>
> -----Original Message-----
> From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Yuhong Bao
> Sent: Friday, January 16, 2015 12:05 PM
> To: Hanno Böck; tls@ietf.org
> Cc: ietf@ietf.org
> Subject: Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS
> Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol
> Downgrade Attacks) to Proposed Standard
>
> This does not mean that every browser will do it.
>
> ----------------------------------------
> Date: Fri, 16 Jan 2015 21:03:27 +0100
> From: hanno@hboeck.de
> To: tls@ietf.org
> CC: ietf@ietf.org
> Subject: Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS
> Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol
> Downgrade Attacks) to Proposed Standard
>
>
> Recently Mozilla has disabled the now so-called protocol dance, which
> makes adding another workaround (SCSV) pretty much obsolete:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1084025#c7
>
> And a few days ago Mozilla dev Brian Smith tweeted this:
> "Fx experiment to disable non-secure TLS version fallback is going even
> better than expected. Starting to feel silly for delaying it so long."
> https://twitter.com/BRIAN_____/status/555138042428526593
>
> I think this adds further evidence that adding another workaround layer
> (SCSV) is the wrong thing to do. Instead browsers should just stop doing
> weird things with protocols that compromise security and drop the protocol
> dance completely.
>
> (By the way: Has anyone thought what happens when people implement TLS
> hardware that is version intolerant to versions > 1.2 and at the same time
> send SCSV in the handshake? I'm pretty sure that at some point some
> hardware will appear that does exactly that. Will we need another SCSV
> standard for every TLS version then?)
>
> --
> Hanno Böck
> http://hboeck.de/
>
> mail/jabber: hanno@hboeck.de
> GPG: BBB51E42
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls