IETF Logo Mail Archive

Re: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv

Yoav Nir <synp71@live.com> Sun, 26 January 2014 14:12 UTC

Return-Path: <synp71@live.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACE061A012B for <tls@ietfa.amsl.com>; Sun, 26 Jan 2014 06:12:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.649
X-Spam-Level:
X-Spam-Status: No, score=-1.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ptPd0G6hIwSY for <tls@ietfa.amsl.com>; Sun, 26 Jan 2014 06:12:26 -0800 (PST)
Received: from blu0-omc3-s15.blu0.hotmail.com (blu0-omc3-s15.blu0.hotmail.com [65.55.116.90]) by ietfa.amsl.com (Postfix) with ESMTP id 3BC2A1A011A for <tls@ietf.org>; Sun, 26 Jan 2014 06:12:26 -0800 (PST)
Received: from BLU0-SMTP173 ([65.55.116.73]) by blu0-omc3-s15.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Sun, 26 Jan 2014 06:12:24 -0800
X-TMN: [3We93v/C59r9FX+acXhM6HtYs77hmji1]
X-Originating-Email: [synp71@live.com]
Message-ID: <BLU0-SMTP1738DF906BCBD666044DA2AB1A30@phx.gbl>
Received: from ynir-MBA.local ([194.29.32.131]) by BLU0-SMTP173.phx.gbl over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Sun, 26 Jan 2014 06:12:22 -0800
Date: Sun, 26 Jan 2014 16:12:10 +0200
From: Yoav Nir <synp71@live.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
References: <CABcZeBP_-MUonYYsxgz2ZdokiEDVhx4mYq1a4BMayuGbbxb2Gg@mail.gmail.com>
In-Reply-To: <CABcZeBP_-MUonYYsxgz2ZdokiEDVhx4mYq1a4BMayuGbbxb2Gg@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms050300070506050004010809"
X-OriginalArrivalTime: 26 Jan 2014 14:12:22.0246 (UTC) FILETIME=[A16DF060:01CF1AA0]
Subject: Re: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Jan 2014 14:12:27 -0000

On 23/1/14 12:06 PM, Eric Rescorla wrote:
> WG Members,
>
> This message is a call for acceptance of
> http://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-01
>
> As a TLS WG item.
>
> Please provide any comments on this action by Feb 7. Because
> there has been only modest discussion of this document, the
> chairs ask people who have already spoken in favor or against
> this document to re-register their opinion (feel free to just say
> +1 or -1 and point back to the archives.)

+0.5

I'm not opposed to this document, but we should be realistic as to what 
this solution can accomplish.

This extension (I use this term in the sense of protocol extension, not 
TLS ClientHello Extension) will not protect the client or the server 
from a TLS proxy. TLS proxies that do not support high versions of TLS 
will negotiate both the client and the server down to TLS 1.0, and will 
not forward the SCSV.

Also, older servers will not recognize the SCSV and ignore it. So to 
have this extension add any value, all of the following much be true:
  - an updated server
  - an updated client
  - Something that causes the negotiation to fail. This something could 
be the client, the server, or something in between. The goal of this 
extension is to catch the something in the middle.

So presumably, the server blocks the connection, or returns a 
poorly-protected error page whenever it gets the SCSV. But this could be 
caused by a MitM that drops negotiations that have a too-high TLS 
version, or by client bugs or by server bugs. Broadly speaking, I think 
there are four failure scenarios:
  1. either the (updated) client or the (updated) server have bugs that 
caused the TLS 1.2 handshake to fail.
  2. The (updated) client has a bug causing it to send the SCSV even 
though no downgrade happened
  3. An attacker is on-path and is dropping TLS 1.2 because it can break 
TLS 1.2.
  4. An older firewall is dropping the TLS 1.2 connections, because they 
fail some sanity check. (that all TLS records have 3.0 or 3.1 in the 
record header)

So the extension makes sense if #3 is the likely scenario for failure. 
Any failure for the other reasons is kind of "collateral damage" that I 
don't think is justified in a world where TLS 1.0 is not considered so 
terrible as to disable it entirely. So I guess we need to hear some 
real-world experience about where most such failures would come from.  
Of course, we don't have any data *now* about buggy updated servers, so 
we'd have to guess how many and what kind of bugs are going to be 
present in not-yet-written code.

Yoav

v2.23.0 | Report a Bug | By Email