IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

Manuel Pégourié-Gonnard <mpg@polarssl.org> Thu, 16 October 2014 10:40 UTC

Return-Path: <mpg@polarssl.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 345611ACFE5 for <tls@ietfa.amsl.com>; Thu, 16 Oct 2014 03:40:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.397
X-Spam-Level:
X-Spam-Status: No, score=0.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_MISMATCH_COM=0.553, HOST_EQ_NL=1.545, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4gdXydw1DeWb for <tls@ietfa.amsl.com>; Thu, 16 Oct 2014 03:40:38 -0700 (PDT)
Received: from vps2.offspark.com (vps2.brainspark.nl [141.138.204.106]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D44DB1ACFEF for <tls@ietf.org>; Thu, 16 Oct 2014 03:40:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=polarssl.org; s=exim; h=Subject:Content-Transfer-Encoding:Content-Type:In-Reply-To:References:CC:To:MIME-Version:From:Date:Message-ID; bh=0DovcG9aH+ZcDV4OZY4pE+xJJMG8TwbsFXI0N8JJnJw=; b=aTUlqKw95SZi98w0K0UfYk2nSNnWkGnHt2faj2Th68E3/kFedziFicSTHbqLrld7QA+hQxWNfeaPTE5i+61ZUn0yI43ZJZbUOB1FpCpx2Z6cR6t1SpFNmqOZMgSmKMIoF7lELxUNcCENDi11MolmHvqEBx0LuwB4kE3eWWhzsmw=;
Received: from thue.elzevir.fr ([88.165.216.11] helo=[192.168.0.124]) by vps2.offspark.com with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <mpg@polarssl.org>) id 1XeiTu-00026c-KM; Thu, 16 Oct 2014 12:40:30 +0200
Message-ID: <543FA0A0.1030205@polarssl.org>
Date: Thu, 16 Oct 2014 12:40:32 +0200
From: Manuel Pégourié-Gonnard <mpg@polarssl.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2
MIME-Version: 1.0
To: Florian Weimer <fweimer@redhat.com>, Martin Thomson <martin.thomson@gmail.com>, Bodo Moeller <bmoeller@acm.org>
References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com> <5438CFEA.7000401@brainhub.org> <543E9435.8000905@redhat.com> <2A0EFB9C05D0164E98F19BB0AF3708C71D39ECE9C9@USMBX1.msg.corp.akamai.com> <543E9C9F.5050104@redhat.com> <2A0EFB9C05D0164E98F19BB0AF3708C71D39ECE9D5@USMBX1.msg.corp.akamai.com> <543E9FFA.5030102@redhat.com> <CADMpkcLnOh3HGD+urWuo6fPfkX4WfGhwckE0jg5jS2KqD2RuMQ@mail.gmail.com> <CABkgnnWuCwOGBXG2RdetwPFn4KtVPygSBWG5qkme1mvNst6n+A@mail.gmail.com> <543F9893.806@redhat.com>
In-Reply-To: <543F9893.806@redhat.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-SA-Exim-Connect-IP: 88.165.216.11
X-SA-Exim-Mail-From: mpg@polarssl.org
X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:24:06 +0000)
X-SA-Exim-Scanned: Yes (on vps2.offspark.com)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/2PJ60jVKrTl46yrTWm0Po7Iyy-k
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Oct 2014 10:40:39 -0000

On 16/10/2014 12:06, Florian Weimer wrote:
> Interesting things will start to happen once there is TLS 1.3. 
> TLS_FALLBACK_SCSV could really complicate its deployment.
> 
I'm afraid I don't understand which interesting things you're referring to.
Could you please elaborate on that?

I can think of the following scenarios (assuming the client supports 1.3 and
FALLBACK_SCSV):

1. The server also supports 1.3, and no middleware is blocking it -> all good.

2. The server also supports 1.3, but some middleware/attacker is blocking it.
The client retries with 1.2+FALLBACK_SCSV.
	2a. The server also supports FALLBACK_SCSV. The MitM downgrade is avoided.
That's a feature.
	2b. The server doesn't support FALLBACK_SCSV. The MitM downgrade succeeds. Too bad.

3. The server doesn't support 1.3 but is version-tolerant (and so is all
middleware in path). 1.2 is negotiated using the intended mechanism -> all good.

4. The server doesn't support 1.3 but it (or some middleware/attacker) is
1.3-version intolerant. The client retries with 1.2+FALLBACK_SCSV. Regardless of
whether the server supports FALLBACK_SCSV, the handshake succeeds because 1.2 is
indeed the highest version supported by the server. (Assuming it's 1.2 for the
sake of simplicity, but it should work the same way for lower versions.)

What am I missing?

Manuel.

v2.23.0 | Report a Bug | By Email