RE: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard

Yuhong Bao <yuhongbao_386@hotmail.com> Mon, 19 January 2015 08:01 UTC

From: Yuhong Bao <yuhongbao_386@hotmail.com>
To: Bodo Moeller <bmoeller@acm.org>, "ietf@ietf.org" <ietf@ietf.org>
Subject: RE: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard
Date: Mon, 19 Jan 2015 00:01:55 -0800
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/sOINVuITuNoUi5YN1M9ZpOIDGRA>
Cc: "tls@ietf.org" <tls@ietf.org>


________________________________
> Date: Sun, 18 Jan 2015 21:12:01 +0100 
> From: bmoeller@acm.org 
> To: ietf@ietf.org 
> CC: tls@ietf.org 
> Subject: Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> 
> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing 
> Protocol Downgrade Attacks) to Proposed Standard 
> 
> Jeffrey Walton <noloader@gmail.com>:
> Bodo Moeller <bmoeller@acm.org> wrote:
> 
>> Also, quite clearly, we can't yet know how the TLS 1.3 (1.4, 1.5, ...) 
>> rollout will work out. 
> 
> The WG should be solving problems that do exist; and not manufactured 
> problems or theoretical future problems that don't exist. 
> 
> I can't entirely agree with the second part of this statement: presumably
> everyone in the TLS WG is well aware of past design decisions that 
> didn't take into account problems that didn't exist then but should 
> have been foreseeable. (Related: I really shouldn't have had to 
> write https://www.openssl.org/~bodo/ssl-poodle.pdf to kill off the 
> fallback to SSL 3.0 in practice ... the "insecure fallback" to earlier 
> protocol versions, including SSL 3.0, was a known "theoretical 
> problem", and deserving of being addressed independently of concrete 
> attacks). 
POODLE being in the news probably helped push admins to fix these servers,
though it wasn't initially made clear that TLS extension intolerance can also cause SSLv3 fallback.