[secdir] SecDir review of draft-ietf-tls-downgrade-scsv-03

Yoav Nir <ynir.ietf@gmail.com> Sun, 18 January 2015 17:10 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53EA01ACD70; Sun, 18 Jan 2015 09:10:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ybCNoWlLjpNy; Sun, 18 Jan 2015 09:10:44 -0800 (PST)
Received: from mail-we0-x230.google.com (mail-we0-x230.google.com [IPv6:2a00:1450:400c:c03::230]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3082E1ACD59; Sun, 18 Jan 2015 09:10:44 -0800 (PST)
Received: by mail-we0-f176.google.com with SMTP id w62so1198646wes.7; Sun, 18 Jan 2015 09:10:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:content-transfer-encoding:subject:message-id:date :to:mime-version; bh=n85pd8pZMuDGm7RYtA+J6+u08LV1C8Kqd4W3ycuZ6A4=; b=TeoNOavRRl40ByrHZgFp0ZqS29AeGSGTdg/mY9NtzsrMZm2fFxsnQlfWkKnPRblm3e e37/lPUhgugA0OIgQa8bIM72AQR5eVFkc/RbNzNDHbmvJ2xuRcEesZZlIQD0WI0oMKoZ 2FNsWTCLVVHwpASwYFY0XL2RxGiLM3MFnFaxIGkP1mn3QlGjMb654jdxw1nQ9Dyr+Rl6 SzHgiK/32k8XmHSi+bgSCb/tOvaARqHatLxaTn9+Tl9RdzUtRhKXR+vc7HuMPo0B/x7I rK38ekNibEMDvdtUSow3/i7SgL8aRXmJ2NyqZ+mNw43TsxIekKev4mUWTwu3nCD3dmcj xrzw==
X-Received: by 10.194.9.4 with SMTP id v4mr51451159wja.115.1421601042958; Sun, 18 Jan 2015 09:10:42 -0800 (PST)
Received: from [10.4.162.54] ([80.179.9.115]) by mx.google.com with ESMTPSA id bo5sm8710557wjc.39.2015.01.18.09.10.34 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 18 Jan 2015 09:10:42 -0800 (PST)
From: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <B85F10BC-18FD-4220-B5E2-719068E814CC@gmail.com>
Date: Sun, 18 Jan 2015 19:10:12 +0200
To: draft-ietf-tls-downgrade-scsv.all@tools.ietf.org, secdir <secdir@ietf.org>, The IESG <iesg@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
X-Mailer: Apple Mail (2.1993)
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/vo9YFnsKL62w7Le8833GGWL8t04>
Subject: [secdir] SecDir review of draft-ietf-tls-downgrade-scsv-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Jan 2015 17:10:46 -0000

Fear not, I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written with the intent of improving security requirements and considerations in IETF drafts.  Comments not addressed in last call may be included in AD reviews during the IESG review.  Document editors and WG chairs should treat these comments just like any other last call comments.

I believe this document is ready for publication with a few minor issues.

The draft describes a mechanism for mitigating the security issue introduced by TLS version fallback mechanisms. TLS servers exist that do not conform to the TLS RFCs with regards to version negotiation. Such servers fail the negotiation even when there is a version of TLS that is supported by both them and the client. To interoperate with such servers, clients often retry the TLS handshake at a lower version. This is sometimes called the "downgrade dance". The downgrade dance allows a version downgrade to happen by either an active attacker or because of a network glitch.  This document introduces an indication in the TLS ClientHello that tells the server that a downgrade dance is in effect, allowing the server to terminate such a connection.

There has been much discussion on the TLS list about the downgrade dance being inherently insecure, and that publishing this document can be perceived as "blessing" this practice. The draft takes no position for or against, but rather assumes that the practice exists, and seeks to prevent such downgrades that are not necessary for connectivity. 

The Security Considerations section has some strange text about omitting the SCSV when "the protocol version given by ClientHello.client_version still provides an acceptable level of protection". This implies that it is appropriate to use a protocol version that does not provide and acceptable level of protection as long as the client sends the SCSV. This is not the case, and this is the reason that several browsers are disabling the downgrade to SSLv3. I realize it is difficult to write text that turns the secure/insecure dichotomy into a trichotomy (secure/so-so secure/insecure), but if we're going to make including the SCSV optional we need such text.

A scenario that bothers me is a server that returns an inappropriate_fallback whenever it receives a TLS_FALLBACK_SCSV with version TLS 1.1, but breaks at TLS 1.2. Such an (admittedly broken) server could potentially send the client into an endless loop of regular and fallback handshake attempts. An attacker could simulate this by RST-ing all TCP connections with TLS 1.2 in ClientHello. I think the draft should warn against doing the regular-fallback-regular cycle more than once. IOW: after receiving the alert, clients MUST NOT perform the downgrade dance on the following connection. Especially, don't implement the following downgrade dance:
 - regular handshake
 - fallback with SCSV
 - regular handshake
 - fallback without SCSV
If anyone ends up feeling the need to implement this, then we've failed miserably.

Nits and minor issues:

Since the client speaks first, it would make sense to have section 4 (Client Behavior) before section 3 (Server Behavior). Section 3 describes how the server responds to this SCSV when the document had only hinted about when the client should send it.

The IANA Considerations are very confusing, saying on the one hand that no values have been allocated, and on the other hand that IANA has assigned 0x56,0x00. Unless the authors are requesting that IANA assign the numbers that they have used in early implementations, it's better to just write "IANA is requested to assign..." and replace the numbers in the rest of the documents with TBDs (if you leave actual numbers and IANA assigns different identifiers, it's likely to be overlooked by the RFC editor).

A few missing articles:
"The fallback SCSV defined in this document is not *a* suitable substitute"
"if *the* TLS implementations also include support for (the) predecessor protocol SSL 3.0"

Yoav