Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard

[Xiaoyin Liu <xiaoyin.l@outlook.com>]

My argument is that suppose 50% websites support fallback SCSV now, 48% websites do not support SCSV but are version tolerant, and less than 2% are version intolerant. Is it worth to sacrifice the security of the 48%, to make the 2% "just work"?

I also want to point out that disabling RC4 and deprecating SHA-1 certificates will break some sites as well. Why could browsers afford that, but insist on doing downgrade dance?
________________________________
From: Bodo Moeller<mailto:bmoeller@acm.org>
Sent: ‎1/‎21/‎2015 10:11
To: tls@ietf.org<mailto:tls@ietf.org>
Cc: Xiaoyin Liu<mailto:xiaoyin.l@outlook.com>; Yoav Nir<mailto:ynir.ietf@gmail.com>
Subject: Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard

Yoav Nir <ynir.ietf@gmail.com>:

Also I want to point out that if even as few as 1.6% sites won't upgrade
> their servers, can we count on most of the rest 98% supporting SCSV?
>
>
> This is a strong argument, especially if we could obtain a list of
> high-value sites in the sense that the data on them is high-value. Sites
> like Facebook, banking, shops, email providers, dating sites, and check
> those.
>

I must admit I don't quite understand what the argument here is (sorry),
but in any case let me point out this:

If even just a *single* high-value site that you, personally, use does
support the SCSV, you'll benefit from the SCSV (provided that you're using
a browser that does a downgrade dance for compatibility with other servers
and sends the SCSV in downgraded Client Hello messages).

Bodo