IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

Florian Weimer <fweimer@redhat.com> Thu, 16 October 2014 10:06 UTC

Return-Path: <fweimer@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CA1F1ACEFF for <tls@ietfa.amsl.com>; Thu, 16 Oct 2014 03:06:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id udfAmgRukobx for <tls@ietfa.amsl.com>; Thu, 16 Oct 2014 03:06:18 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C2071ACEFE for <tls@ietf.org>; Thu, 16 Oct 2014 03:06:18 -0700 (PDT)
Received: from int-mx13.intmail.prod.int.phx2.redhat.com (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s9GA6EN4018008 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Thu, 16 Oct 2014 06:06:14 -0400
Received: from oldenburg.str.redhat.com (oldenburg.str.redhat.com [10.33.200.60]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s9GA6Cpa030395 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Thu, 16 Oct 2014 06:06:13 -0400
Message-ID: <543F9893.806@redhat.com>
Date: Thu, 16 Oct 2014 12:06:11 +0200
From: Florian Weimer <fweimer@redhat.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1
MIME-Version: 1.0
To: Martin Thomson <martin.thomson@gmail.com>, Bodo Moeller <bmoeller@acm.org>
References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com> <5438CFEA.7000401@brainhub.org> <543E9435.8000905@redhat.com> <2A0EFB9C05D0164E98F19BB0AF3708C71D39ECE9C9@USMBX1.msg.corp.akamai.com> <543E9C9F.5050104@redhat.com> <2A0EFB9C05D0164E98F19BB0AF3708C71D39ECE9D5@USMBX1.msg.corp.akamai.com> <543E9FFA.5030102@redhat.com> <CADMpkcLnOh3HGD+urWuo6fPfkX4WfGhwckE0jg5jS2KqD2RuMQ@mail.gmail.com> <CABkgnnWuCwOGBXG2RdetwPFn4KtVPygSBWG5qkme1mvNst6n+A@mail.gmail.com>
In-Reply-To: <CABkgnnWuCwOGBXG2RdetwPFn4KtVPygSBWG5qkme1mvNst6n+A@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/2g315qVhEgMhlsPdxMcLli7PXtk
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Oct 2014 10:06:21 -0000

On 10/15/2014 08:24 PM, Martin Thomson wrote:
> On 15 October 2014 11:09, Bodo Moeller <bmoeller@acm.org> wrote:
>> Preventing such attacks, of course, is what we consider a feature. Google
>> servers support the SCSV, and so does the Chrome browser; so we have the
>> required real-life experience indicating that deploying the SCSV is
>> practical.
>
> And I'd like to add that the SCSV has been in Firefox Nightly for a
> while now.  We got some early reports of problems because of the way
> we were reacting to spurious fallbacks, but that has been addressed
> and I've not seen any subsequent reports of problems.

Interesting things will start to happen once there is TLS 1.3. 
TLS_FALLBACK_SCSV could really complicate its deployment.

> This is a strictly good feature for Firefox users.  The alternative
> (disable insecure version intolerant fallback entirely) is completely
> untenable for us.

Why do you think that?  Is this observation based on data tainted by the 
spurious downgrade bugs you had?  Do you know if the downgrades are due 
to server problems or interception by law enforcement?  (I suspect the 
latter would magically go away if you got rid of the fallback code.)

I just find it difficult to reconcile your decision to keep the fallback 
with the announcement to disable SSL 3.0 by default.  Surely the latter 
change is going to bite many users.  (I'm aware that fallback can still 
happen from one TLS version to another, that's not what puzzles me.)

-- 
Florian Weimer / Red Hat Product Security

v2.23.0 | Report a Bug | By Email