Re: [TLS] Rethink TLS 1.3

Brian Smith <brian@briansmith.org> Mon, 24 November 2014 19:27 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9D0F1A870B for <tls@ietfa.amsl.com>; Mon, 24 Nov 2014 11:27:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mpQn5kOQasKb for <tls@ietfa.amsl.com>; Mon, 24 Nov 2014 11:27:13 -0800 (PST)
Received: from mail-oi0-f48.google.com (mail-oi0-f48.google.com [209.85.218.48]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 80D2F1A700A for <tls@ietf.org>; Mon, 24 Nov 2014 11:27:13 -0800 (PST)
Received: by mail-oi0-f48.google.com with SMTP id u20so7047444oif.35 for <tls@ietf.org>; Mon, 24 Nov 2014 11:27:12 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=bstCxcolFZYKVyCYx8YejclXOS6GCQEfwtKwz5U/V1w=; b=bORitSce6ZRg8Lyt89JUXoUxBJL/8anTqFb7eKTHD0rIRQmu8f3ICTf6Yc8VT5c5JP Kfj3Qib+dKhTDIFmb8+qPhY52lT/HMAbu5R+zHd4t5slpoZaOHRUZn9ql0hrNuyCP4UK 6C0UyVpr+CAJmm1PMyD2RLaWOGqGAfEpIa2rlG5Ko4HzdgfpfP51GFsaEByV/OmOghp4 t3aL4ZM6LQJxLUBZZVDNuAbMoGUaNvp4d+jPndhIKHhvS/saM8rGo7jBnq9EZQTbFh5K 67b7fLulon83JW2Mge8H2awtsTHQd0LwEnBtpovUQNwvYID5jFlrtBgg2J3nkfnOzwHK A1QQ==
X-Gm-Message-State: ALoCoQlEzXy+s6p7YQqOjtIqHGBxmVPNs5xOjmmog5DGH/A04tBjJ5ypj6xgWMLAoX6DEq868GrD
MIME-Version: 1.0
X-Received: by 10.182.210.232 with SMTP id mx8mr13684787obc.46.1416857232827; Mon, 24 Nov 2014 11:27:12 -0800 (PST)
Received: by 10.76.19.144 with HTTP; Mon, 24 Nov 2014 11:27:12 -0800 (PST)
In-Reply-To: <20141124171320.45D2D1B004@ld9781.wdf.sap.corp>
References: <20141124170257.GJ3200@localhost> <20141124171320.45D2D1B004@ld9781.wdf.sap.corp>
Date: Mon, 24 Nov 2014 11:27:12 -0800
Message-ID: <CAFewVt4GEKz7onq182mzyMsCesko89Rad4EFY8=oUWP-orF7ug@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: mrex@sap.com
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/-PRrgjvWHMz0fZl-10gX27CasGA
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Rethink TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Nov 2014 19:27:16 -0000

Martin Rex <mrex@sap.com> wrote:
> 5 years ago there was an exhausting discussion in this WG about how to
> fix the TLS renegotiation issue.  The problem had been considered so huge,
> that a secret group (Project Mogul) had been setup to design (and have
> patches shipped) before the issue was publicly described.

In terms of deployment of the solution, that approach wasn't
successful, as the secure renegotiation extension is far from
ubiquitous. The secret group designed a solution to solve the
renegotiation flaw but not the quite similar Triple Handshake flaw. It
would be interesting to know if somebody had proposed a (rejected)
solution for the renegotiation flaw that would have also fixed the
Triple Handshake flaw. In particular, we should recognize that the
"conservative" approach of making minimal changes to address
individual issues has negative consequences. Further, the
renegotiation flaw, BEAST, CRIME, Triple Handshake, etc. all should be
seen as evidence that the development model for TLS should shift to
one that is likely to preempt unknown attacks, instead of one that
reacts to attacks.

> Please stop claiming that providing so much control to an attacker
> as something that is (or should be) normal, rather than considering
> providing so much control to attackers as what it really is:
> a huge and gaping vulnerability in Web-Browsers and in the
> (lack of a) Web Security Model.

Attackers having that level of control is normal for people who build
software for the web, which is a very large group of people in the TLS
community. Ultimately, this means that adaptive chosen plaintext
attacks and other negative consequences of the web security model are
well within scope.

Cheers,
Brian