Re: [TLS] 1rtt thoughts

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 14 July 2014 21:22 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 100D01A0118 for <tls@ietfa.amsl.com>; Mon, 14 Jul 2014 14:22:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZadwVT6NPwPN for <tls@ietfa.amsl.com>; Mon, 14 Jul 2014 14:22:27 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 55C7C1A010F for <tls@ietf.org>; Mon, 14 Jul 2014 14:22:26 -0700 (PDT)
Received: from [10.70.10.130] (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id AA619F984 for <tls@ietf.org>; Mon, 14 Jul 2014 17:22:23 -0400 (EDT)
Message-ID: <53C44A03.4070603@fifthhorseman.net>
Date: Mon, 14 Jul 2014 17:22:11 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:30.0) Gecko/20100101 Icedove/30.0
MIME-Version: 1.0
To: "tls@ietf.org" <tls@ietf.org>
References: <53C41080.9050204@nthpermutation.com> <CAMfhd9VjAjdgkrYY-YXyqtgZ95gK=qHMgkv3Sv2uou7HLT2eyg@mail.gmail.com> <CABcZeBO0OcS6LCuLBN-qgo_M2jNr4EwE65tN4fmJ93qTuJyDFw@mail.gmail.com> <53C4385A.7030007@nthpermutation.com>
In-Reply-To: <53C4385A.7030007@nthpermutation.com>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="rvkXDhewj461Hom9MjplinGb2v01PAbt6"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/2337-3SPtKNwGZSq7LZXOQ-oMOo
Subject: Re: [TLS] 1rtt thoughts
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Jul 2014 21:22:30 -0000

On 07/14/2014 04:06 PM, Michael StJohns wrote:

> From the server's side this looks like two different connections. From
> the client side, it's just negotiating to the right suite.

I'm not sure what toolkit presents this as two different connections on
the server side.  This closure and reopening smells very much like
problems we fixed with insecure renegotiation only a few years ago.  A
TLS toolkit capable of keeping the underlying transport open while
restarting a new TLS session would need to be very clear about how it
presents such a transition to the upper-layer logic, if we don't want
another round of prefix-injection attacks.

I recognize that this is an API question more than a protocol question,
and therefore at the edge of scope for the WG.  But we've seen enough
problematic APIs that cause applications to lose the security guarantees
that the protocol is supposed to provide that i can't help thinking we
should take these concerns seriously.

	--dkg