IETF Logo Mail Archive

Re: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv

Watson Ladd <watsonbladd@gmail.com> Tue, 28 January 2014 20:38 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DCE41A0465 for <tls@ietfa.amsl.com>; Tue, 28 Jan 2014 12:38:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tmlMU9aKVdoW for <tls@ietfa.amsl.com>; Tue, 28 Jan 2014 12:38:31 -0800 (PST)
Received: from mail-wg0-x236.google.com (mail-wg0-x236.google.com [IPv6:2a00:1450:400c:c00::236]) by ietfa.amsl.com (Postfix) with ESMTP id 473FB1A026C for <tls@ietf.org>; Tue, 28 Jan 2014 12:38:31 -0800 (PST)
Received: by mail-wg0-f54.google.com with SMTP id x13so1784500wgg.21 for <tls@ietf.org>; Tue, 28 Jan 2014 12:38:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=OD+zVsxuHrIjO/oqRdnsJQ6ELplhFaPQrtchHfafWZQ=; b=r5KlxMiJ6C4itMAPH7SfjTAQ9oPF4yJCbiYpG8m4d0l2t2t/yPguRCEiPdrL4zbJhL vy79ok6Am5hPNbRuCS//fb5a540EGH8Y2D2lsa3LkrmZYPBlXwAqMYK6cgNRESSjNMA1 uvDmUMo1406Pkoh/K95YyuZhj5D97POaIgbXjypQcIJ/ecAZB4AIT1mFcGQxgfmtsFqe yrUWRt9N3dlQcrNlefOML828rWSyAWsq3QLGU2ReeSJ85JwctsEyj3KlXHuwtmd4qubE EIyTgEvDixs9vo9rK04Kp7be91QmTKdafdNJPB/IMV3Wl+OOevmHkNn6ORe9tjx+iU2V n7Qg==
MIME-Version: 1.0
X-Received: by 10.180.189.169 with SMTP id gj9mr3742821wic.17.1390941508183; Tue, 28 Jan 2014 12:38:28 -0800 (PST)
Received: by 10.194.250.101 with HTTP; Tue, 28 Jan 2014 12:38:28 -0800 (PST)
In-Reply-To: <CAL9PXLyJPi-jJpAR_Zmx84CkhE9ga6jPbr4X8d2xqv5aUwegRw@mail.gmail.com>
References: <CADMpkcJ4viFwzU9u0uP41Niaopja8PZFowjOALVr3VA1vJ7Uow@mail.gmail.com> <20140128001737.D9D581ABC9@ld9781.wdf.sap.corp> <828b043cac0f4b62875d00f31d2f92e3@BL2PR03MB419.namprd03.prod.outlook.com> <CAL9PXLxDWUMUq5rJXCHYaFRqX6rYfczN8gJaBRJa=pbkH4YWSA@mail.gmail.com> <a840133f75d0426898462ccef739861f@BL2PR03MB419.namprd03.prod.outlook.com> <ED6ED7E4-3E0C-41B9-A8B3-16C676BCAFAD@checkpoint.com> <062f690386314652b30aa8247ec18c0c@BL2PR03MB419.namprd03.prod.outlook.com> <CAL9PXLyJPi-jJpAR_Zmx84CkhE9ga6jPbr4X8d2xqv5aUwegRw@mail.gmail.com>
Date: Tue, 28 Jan 2014 12:38:28 -0800
Message-ID: <CACsn0ckEB5yeKg043HbDr7QsU8HDY_b2+ywY_-nkd2EPXM7tBA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Adam Langley <agl@google.com>
Content-Type: text/plain; charset="UTF-8"
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jan 2014 20:38:33 -0000

On Tue, Jan 28, 2014 at 12:19 PM, Adam Langley <agl@google.com> wrote:
> On Tue, Jan 28, 2014 at 3:12 PM, Andrei Popov
> <Andrei.Popov@microsoft.com> wrote:
>> Correct, but I'm more concerned about this scenario: suppose a client implements a three-stage fallback: TLS1.2-with-extensions ---> TLS1.0-with-extensions ---> SSLv3.
>> Suppose TLS1.2-with-extensions got a RST from a TLS1.2-supporting server because there is an interoperability problem, or a middle box problem, or a configuration problem, etc.
>> The client is now trying TLS1.0-with-extensions + SCSV. Without the SCSV, the handshake may have succeeded, but with SCSV the TLS connection will fail.
>
> We have pretty good evidence that SCSVs are ok from putting them in
> SSLv3 for renego, no?

No, that isn't the concern Mr. Popov expresses. The concern is that
the TLS 1.2 supporting server thinks it supports TLS 1.2 but actually
doesn't. Then the fallback to TLS 1.0 fails, instead of succeeds,
because it's a fallback that is unnecessary according to the server.
He's exactly correct that putting in this SCSV will cause a connection
failure.

However, this can't be distinguished from a downgrade attack, and I
doubt that servers will have mistaken beliefs about their TLS 1.2
support.

>
> I suppose it's possible that there exist some TLSv1 servers that
> handle the renego extension, but couldn't handle the SCSV, but we have
> deployed new ciphersuites in the past without issue, no? (Except for
> the servers that only look at the lower 8-bits, but we believe that we
> can order the ciphersuites to avoid those problems.)
>
>
> Cheers
>
> AGL
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email