Re: [TLS] Suspicious behaviour of TLS server implementations

Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 23 September 2016 08:15 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D14AC12BA63 for <tls@ietfa.amsl.com>; Fri, 23 Sep 2016 01:15:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.516
X-Spam-Level:
X-Spam-Status: No, score=-6.516 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-2.316] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5ghm8599sUYD for <tls@ietfa.amsl.com>; Fri, 23 Sep 2016 01:14:58 -0700 (PDT)
Received: from mx4.auckland.ac.nz (mx4.auckland.ac.nz [130.216.125.248]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DBDA12B24E for <tls@ietf.org>; Fri, 23 Sep 2016 01:14:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1474618498; x=1506154498; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=BAMuIYW//yu9izFijrhJndnjbsGgk41FMP9zv0O7HRE=; b=Fkc5sZ9z/k8e6Io0gb0hkqJvTDooMAGswUW68el3ypH5gzm91N9Jijd9 pXtANjy3Q1p/bReNi3WbsoLe/CVCLMeE5rvLgbnf2n52WHw4CxgRnedhO CxBxdHhHsnwTC5QQaz0O6RtehMQ+7Vxxe51G0rfI4cHbVWQdezSmTp9O2 TRRp7zVxqgTvj+0hRNEraQZgSDpHXBVQYnimysXqKIhm2a62er3d+08Oi lUau2InbYfV0cmvFHrruM8Uh6GfkfErvnvnyv8W3v7dHfgVJEufDJAdyp k+sKyV/2nQ+3swL5jQKagKQIXy3U4f3gG5CLInWIV0un06ADsE7OnWZcl g==;
X-IronPort-AV: E=Sophos;i="5.30,381,1470657600"; d="scan'208";a="107137323"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.2.4 - Outgoing - Outgoing
Received: from uxcn13-ogg-c.uoa.auckland.ac.nz ([10.6.2.4]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 23 Sep 2016 20:14:56 +1200
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-ogg-c.UoA.auckland.ac.nz (10.6.2.24) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Fri, 23 Sep 2016 20:14:56 +1200
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) with mapi id 15.00.1178.000; Fri, 23 Sep 2016 20:14:56 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Yoav Nir <ynir.ietf@gmail.com>
Thread-Topic: [TLS] Suspicious behaviour of TLS server implementations
Thread-Index: AQHSCqXVmMdwMkXxhEmPq8Svce2cg6Bwf1GAgAhiD77//1nRAIAKl8wAgAABIICAACcigIABLwcE//++HwCAASHctf//ThCAAE7uK0o=
Date: Fri, 23 Sep 2016 08:14:55 +0000
Message-ID: <1474618486862.84703@cs.auckland.ac.nz>
References: <57D2E218020000AC0011B17E@gwia2.rz.hs-offenburg.de> <20160909152901.9008C1A552@ld9781.wdf.sap.corp> <1473853106532.3256@cs.auckland.ac.nz> <57D96E34020000AC0011B73F@gwia2.rz.hs-offenburg.de> <57E25106020000AC0011BF3A@gwia2.rz.hs-offenburg.de> <CABkgnnX7X+21wjChxkW-uhd8WXAMyp5f1F74H5ja=1mui4POiQ@mail.gmail.com> <57E272CB020000AC0011BF63@gwia2.rz.hs-offenburg.de> <1474473207998.35647@cs.auckland.ac.nz> <CABkgnnWUwPeSeLBO8OyvKmb6MBBfNxPWEXw59_Kzkuby-WqDNQ@mail.gmail.com> <1474521100084.53938@cs.auckland.ac.nz>, <841586B2-1E78-403F-BF4B-214AFB55CFCA@gmail.com>
In-Reply-To: <841586B2-1E78-403F-BF4B-214AFB55CFCA@gmail.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/28JO6kHNWIKlUNHaQc3_TSn85cw>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Suspicious behaviour of TLS server implementations
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Sep 2016 08:15:03 -0000

Yoav Nir <ynir.ietf@gmail.com>; writes:

>But if at some point all websites use HTTP-whatever-the-current-version-is
>then maybe browsers can remove support for HTTP/1.1 and then your
>embedded/SCADA/IoT devices won’t give us that rude shock.

Since HTTP/2 pretty much guarantees that SCADA/IoT/etc will keep using HTTP
1.1 forever, browsers are going to have to keep supporting both versions
forever.  Either that or there'll be custom forks of browsers sold as "SCADA
administration clients" or something similar.

>I honestly don’t think that having two protocols for these two radically
>different use cases is a bad outcome.

Neither do I.  The problem is that we're supposed to pretend that HTTP 1.1
will go away and everything will only talk HTTP/2, rather than accepting that
both will be with us for a long time, if not forever.

Peter.