Re: [TLS] Deprecating SSLv3
Hubert Kario <hkario@redhat.com> Mon, 24 November 2014 17:43 UTC
From: Hubert Kario <hkario@redhat.com>
To: tls@ietf.org
Date: Mon, 24 Nov 2014 18:43:13 +0100
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/27wETkxLOl67dOfXbeWpW7-qiDg

On Monday 24 November 2014 18:06:22 Martin Rex wrote:
> Hubert Kario wrote:
> > Anyway, you should file a complaint to the manufacturer that it hasn't
> > addressed the POODLE vulnerability in their product (or that it doesn't
> > implement advertised protocols properly).
>
> Poodle is a *PURE* Web-Browser and client problem.
> Servers are not vulnerable to Poodle, and this site *REQUIRES*
> TLS client certs for authentication.
>
> Disabling SSLv3 on servers is only a practical mitigation against
> the stupid "downgrade dance" that so many browsers perform.
> It's difficult for me to understand how someone could implement
> the downgrade dance and *NOT* provide a switch to turn it off after
> addressing the rfc5746 tls renegotiation issue.

To exploit POODLE you need the fallback dance *or* support for just SSLv3. It's not limited to web browsers (and there are some clients that do fallback and are not browsers, e.g. curl).

Also, are you saying that an *automated* system won't retry on connection failure?

We're talking about an average of 128 failed requests per byte decrypted; even if we fail just every first connection on a system that queries a remote server every 5 minutes 24/7, that will require just a month to decrypt a 16 byte password/authentication string.

There have been far more dedicated and longer attacks in the wild.

SSLv3 has known security problems, more issues may be discovered in the future... or not (as the researchers may decide that it was thus completely broken and as such not worth investigating further).

So while use of certificates may mitigate this problem, we may not ever know if it mitigates all problems SSLv3 has. For example, issues like 3-shake won't be fixed in SSLv3.

In my opinion, continued use of it for security-critical applications qualifies as gross negligence.

Do we really need a repeat of the MD5 signatures story or can we learn from our own (as in industry) mistakes?

--
Regards,
Hubert Kario
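
The two conditions named in the reply above (a client that does the fallback dance, or one that supports only SSLv3), as an added toy model that is not part of the original message. The function names and the simplified on-path attacker, who can only make handshake attempts fail, are assumptions of this sketch; it is not a TLS implementation.

```python
# Added illustration: toy model of protocol version negotiation (assumed names).
ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]  # oldest to newest
ALL = set(ORDER)


def handshake(offer_max, client, server, attacker_blocks_above):
    """One handshake attempt in which the client offers `offer_max`.

    The highest version both sides support at or below the offer is chosen.
    The attacker cannot rewrite the offer (the Finished message covers it),
    but can make any attempt offering more than `attacker_blocks_above` fail.
    """
    rank = ORDER.index
    if attacker_blocks_above is not None and rank(offer_max) > rank(attacker_blocks_above):
        return None
    usable = [v for v in ORDER
              if v in client and v in server and rank(v) <= rank(offer_max)]
    return usable[-1] if usable else None


def connect(client, server, fallback, attacker_blocks_above=None):
    """Return the negotiated version, or None if the connection fails.

    fallback=True models the "downgrade dance": after a failed attempt the
    client retries, offering the next lower version it supports.
    """
    offers = sorted(client, key=ORDER.index, reverse=True)
    if not fallback:
        offers = offers[:1]  # strict client: one attempt at its best version
    for offer_max in offers:
        result = handshake(offer_max, client, server, attacker_blocks_above)
        if result is not None:
            return result
    return None


def scenarios():
    """Outcomes for the cases argued in the thread (constructed inputs)."""
    return {
        "no attacker": connect(ALL, ALL, fallback=True),
        "fallback client, attacker": connect(ALL, ALL, True, "SSLv3"),
        "strict client, attacker": connect(ALL, ALL, False, "SSLv3"),
        "SSLv3-only client": connect({"SSLv3"}, ALL, False),
        "fallback client, server without SSLv3":
            connect(ALL, ALL - {"SSLv3"}, True, "SSLv3"),
    }


if __name__ == "__main__":
    for name, version in scenarios().items():
        print(f"{name}: {version}")
```
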