Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard
mrex@sap.com (Martin Rex) Sat, 17 January 2015 04:57 UTC
Return-Path: <mrex@sap.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 070401B2AE8; Fri, 16 Jan 2015 20:57:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.551
X-Spam-Level:
X-Spam-Status: No, score=-6.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GEmi9y9oZxdY; Fri, 16 Jan 2015 20:57:02 -0800 (PST)
Received: from smtpde02.smtp.sap-ag.de (smtpde02.smtp.sap-ag.de [155.56.68.140]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A467D1A914E; Fri, 16 Jan 2015 20:57:02 -0800 (PST)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde02.smtp.sap-ag.de (Postfix) with ESMTPS id 41F973A3A8; Sat, 17 Jan 2015 05:57:00 +0100 (CET)
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 34BB94178B; Sat, 17 Jan 2015 05:57:00 +0100 (CET)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id 2E3801B0FA; Sat, 17 Jan 2015 05:57:00 +0100 (CET)
Subject: Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard
In-Reply-To: <20150116230810.CA2D91B0FA@ld9781.wdf.sap.corp>
To: mrex@sap.com
Date: Sat, 17 Jan 2015 05:57:00 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20150117045700.2E3801B0FA@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/i9SVe4Ux1AR1L2vb-OvHFNSY07Q>
Cc: ietf@ietf.org, "tls@ietf.org" <tls@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Jan 2015 04:57:05 -0000
Martin Rex wrote: > > Adding the aggressive automatic silent fallback reconnects > (the "downgrade dance") to browser was not very smart. The problems > such fallbacks create was extensively discussed in the TLS WG in late 2009 > (renegotiation issue that resulted in rfc5746). > > Making repetitive/frequent downgrades (e.g. more than 1 full handshake > per host per hour) an interactive user opt-in, rather than the automatic > silent can-not-be-disabled-by-user nuisance and security problem that it > currently is, would immediately provide significant protection > -- and entirely without server-side changes. As a bonus, this would also > help in identifying/reminding on server software/devices that should > probably be updated. For quite a while, Yngve Petterson has been proposing a scheme to limit the downgrade dance problem (and willingness of clients/browsers to perform the downgrade dance), that will work immediately, not require and server-side changes, and without all of the massive serious operational problems of the current fallback-scsv proposal: https://tools.ietf.org/html/draft-pettersen-tls-version-rollback-removal-03 Rubber-Stamping the fallback-scsv hack onto the standards track is IMHO a very bad idea. I've once heard the saying "If you can't be good, at least be good at it." If Browsers (and the few, if any) other TLS clients that are currently doing the dangerous downgrade dances, can't be good and stop doing such dangerous stuff, they should at least do this in a much less risky fashion than what they're currently doing. ... such as adopting Yngve's approach above and do not perform downgrades without interactive user confirmation where Yngve's proposal asks for a handshake failure. bottom line: I am violently opposed to making the fallback-scsv document a proposed standard. -Martin
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Stephen Farrell
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Stephen Farrell
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Nikos Mavrogiannopoulos
- RE: Last Call: <draft-ietf-tls-downgrade-scsv-03.… Salz, Rich
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Brian Smith
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Yoav Nir
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Eric Rescorla
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Adam Langley
- RE: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Andrei Popov
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Colm MacCárthaigh
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Hanno Böck
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Jeffrey Walton
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Watson Ladd
- RE: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Yuhong Bao
- RE: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Yuhong Bao
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Henrik Grubbström
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Hubert Kario
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael D'Errico
- Re: Last Call: <draft-ietf-tls-downgrade-scsv-03.… Stephen Farrell
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller