IETF Logo Mail Archive

Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard

mrex@sap.com (Martin Rex) Sat, 17 January 2015 04:57 UTC

Return-Path: <mrex@sap.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 070401B2AE8; Fri, 16 Jan 2015 20:57:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.551
X-Spam-Level:
X-Spam-Status: No, score=-6.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GEmi9y9oZxdY; Fri, 16 Jan 2015 20:57:02 -0800 (PST)
Received: from smtpde02.smtp.sap-ag.de (smtpde02.smtp.sap-ag.de [155.56.68.140]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A467D1A914E; Fri, 16 Jan 2015 20:57:02 -0800 (PST)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde02.smtp.sap-ag.de (Postfix) with ESMTPS id 41F973A3A8; Sat, 17 Jan 2015 05:57:00 +0100 (CET)
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 34BB94178B; Sat, 17 Jan 2015 05:57:00 +0100 (CET)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 2E3801B0FA; Sat, 17 Jan 2015 05:57:00 +0100 (CET)
Subject: Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard
In-Reply-To: <20150116230810.CA2D91B0FA@ld9781.wdf.sap.corp>
To: mrex@sap.com
Date: Sat, 17 Jan 2015 05:57:00 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20150117045700.2E3801B0FA@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/i9SVe4Ux1AR1L2vb-OvHFNSY07Q>
Cc: ietf@ietf.org, "tls@ietf.org" <tls@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Jan 2015 04:57:05 -0000

Martin Rex wrote:
> 
> Adding the aggressive automatic silent fallback reconnects
> (the "downgrade dance") to browser was not very smart.  The problems
> such fallbacks create was extensively discussed in the TLS WG in late 2009
> (renegotiation issue that resulted in rfc5746).
> 
> Making repetitive/frequent downgrades (e.g. more than 1 full handshake
> per host per hour) an interactive user opt-in, rather than the automatic
> silent can-not-be-disabled-by-user nuisance and security problem that it
> currently is, would immediately provide significant protection
> -- and entirely without server-side changes.  As a bonus, this would also
> help in identifying/reminding on server software/devices that should
> probably be updated.

For quite a while, Yngve Petterson has been proposing a scheme to
limit the downgrade dance problem (and willingness of clients/browsers
to perform the downgrade dance), that will work immediately, not require
and server-side changes, and without all of the massive serious operational
problems of the current fallback-scsv proposal:

  https://tools.ietf.org/html/draft-pettersen-tls-version-rollback-removal-03


Rubber-Stamping the fallback-scsv hack onto the standards track is
IMHO a very bad idea.

I've once heard the saying "If you can't be good, at least be good at it."

If Browsers (and the few, if any) other TLS clients that are currently
doing the dangerous downgrade dances, can't be good and stop doing
such dangerous stuff, they should at least do this in a much less
risky fashion than what they're currently doing.

... such as adopting Yngve's approach above and do not perform downgrades
without interactive user confirmation where Yngve's proposal asks for a
handshake failure.


bottom line:  I am violently opposed to making the fallback-scsv
document a proposed standard.


-Martin

v2.23.0 | Report a Bug | By Email