Re: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in general, and what we can do in TLS

Tim Hollebeek <tim.hollebeek@digicert.com> Fri, 15 December 2017 19:33 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>, Ilari Liusvaara <ilariliusvaara@welho.com>
CC: "tls@ietf.org" <tls@ietf.org>
Date: Fri, 15 Dec 2017 19:33:44 +0000
Message-ID: <DM5PR14MB1289D532FD2C60EFA1B02F7A830B0@DM5PR14MB1289.namprd14.prod.outlook.com>
References: <20171215020116.04f9ae15@pc1> <CAAF6GDe79w9XH1GrGvvR-+=uEKfi6GczacUX3Jhy0dL_zW67-Q@mail.gmail.com> <20171215143057.GA17121@LK-Perkele-VII> <MWHPR21MB01897F29048C1B2AB66EA7488C0B0@MWHPR21MB0189.namprd21.prod.outlook.com> <20171215174628.GA17601@LK-Perkele-VII> <CABcZeBOsL0a0xHvVWEus_EY3mUNioaV9fsz89Gt+HeqdHpoyDw@mail.gmail.com> <CACsn0ckYPpp5nD2jj4Zmx=ZJvqWzHW0tmmXo-9JeKL45+pRUqw@mail.gmail.com> <CABcZeBPPozOsTxxJO63RmHwTr56Wucx6OYW=kvvhosRUHR1ctA@mail.gmail.com> <20171215183424.GA17780@LK-Perkele-VII> <MWHPR21MB01893A20A8D0812E880926568C0B0@MWHPR21MB0189.namprd21.prod.outlook.com> <20171215184951.GB17780@LK-Perkele-VII> <DM5PR14MB1289FA656DB8D87DCA0B355F830B0@DM5PR14MB1289.namprd14.prod.outlook.com> <MWHPR21MB0189419E69BD53F735C55FFC8C0B0@MWHPR21MB0189.namprd21.prod.outlook.com>
In-Reply-To: <MWHPR21MB0189419E69BD53F735C55FFC8C0B0@MWHPR21MB0189.namprd21.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/33g76N7tmpavesRzLjiaKNjQXbE>

Because it's easier for the client to decide what the client understands
than it is for the server to decide what the client understands.  Less
complexity = less failures.  

Note that this is how XP was handled for code signing.  The Authenticode
spec actually made it so if you did things in the right order, XP would only
see the SHA-1 signature, while more recent operating systems would see both
the SHA-1 and SHA-2 signatures, ignore the SHA-1 signature, and use the
SHA-2 signature.  This allowed doubly-signed binaries that worked both on XP
and non-XP systems.  Unfortunately the technical steps to do so weren't
widely publicized, but I know some companies took advantage of it.

However, servers are easier to upgrade than clients, which is why you see
some of the server side support you mention.  I know CloudFlare in
particular helped a lot of people cope with communicating with clients who
had different certificate capabilities.  It isn't a bad thing that both
approaches exist.

-Tim

> -----Original Message-----
> From: Andrei Popov [mailto:Andrei.Popov@microsoft.com]
> Sent: Friday, December 15, 2017 12:25 PM
> To: Tim Hollebeek <tim.hollebeek@digicert.com>; Ilari Liusvaara
> <ilariliusvaara@welho.com>
> Cc: tls@ietf.org
> Subject: RE: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in
> general, and what we can do in TLS
> 
> > Ideally, you'd want certificates to be able to have two signatures
> > during the transition period, in order to support clients who have
> > transitioned and those who have not.
> 
> > Hosting multiple certificates and switching based on the client is
> > feasible, but requires some technical wizardry and isn't possible in all
> situations.
> 
> For my understanding, why is the former (double-signed certs, where either
> signature is trusted) better than the latter (multiple certs with
> different algorithms)?
> The latter is currently supported by some TLS servers.
> 
> Cheers,
> 
> Andrei
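Added example, not code from this thread or from any vendor named in it, of the "multiple certs, switch on the client" approach Andrei and Tim discuss: the server reads the TLS 1.2 signature_algorithms extension out of the ClientHello extensions block and presents the chain the client can verify, falling back to the SHA-1 chain when a legacy client sends no extension at all (the RFC 5246 default). The chain file names and the sample ClientHello bytes are constructed placeholders.

```python
"""Added example: choose a certificate chain from the client's signature_algorithms."""
import struct

# TLS 1.2 HashAlgorithm / SignatureAlgorithm code points (RFC 5246, 7.4.1.4.1).
HASH = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG = {1: "rsa", 2: "dsa", 3: "ecdsa"}
SIGNATURE_ALGORITHMS_EXT = 13

def parse_extensions(blob):
    """Return {ext_type: body} from a length-prefixed ClientHello extensions block."""
    (total,) = struct.unpack("!H", blob[:2])
    body, pos, exts = blob[2:2 + total], 0, {}
    while pos + 4 <= len(body):
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        exts[etype] = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts

def parse_signature_algorithms(data):
    """Decode the extension body into a list of (hash, signature) name pairs."""
    (n,) = struct.unpack("!H", data[:2])
    pairs = data[2:2 + n]
    return [(HASH.get(pairs[i], "?"), SIG.get(pairs[i + 1], "?")) for i in range(0, n, 2)]

def select_chain(exts, chains):
    """chains maps the hash the chain is signed with ("sha256", "sha1") to a chain label.
    Pick the strongest chain the client advertises for RSA; a missing extension means
    the client must be treated as SHA-1 only (RFC 5246 default behaviour)."""
    if SIGNATURE_ALGORITHMS_EXT not in exts:
        return chains.get("sha1")
    offered = {h for h, s in parse_signature_algorithms(exts[SIGNATURE_ALGORITHMS_EXT]) if s == "rsa"}
    for h in ("sha512", "sha384", "sha256", "sha1"):
        if h in offered and h in chains:
            return chains[h]
    return None  # nothing we host is verifiable by this client

def build_extensions(sig_algs):
    """Construct a sample extensions block carrying only signature_algorithms (test data)."""
    pairs = b"".join(bytes([h, s]) for h, s in sig_algs)
    body = struct.pack("!H", len(pairs)) + pairs
    ext = struct.pack("!HH", SIGNATURE_ALGORITHMS_EXT, len(body)) + body
    return struct.pack("!H", len(ext)) + ext

CHAINS = {"sha256": "chain-sha256.pem", "sha1": "chain-sha1.pem"}  # placeholder file names
MODERN_CLIENT = build_extensions([(4, 1), (5, 1), (2, 1)])  # sha256/rsa, sha384/rsa, sha1/rsa
LEGACY_CLIENT = struct.pack("!H", 0)                         # constructed: no extensions sent

if __name__ == "__main__":
    print(select_chain(parse_extensions(MODERN_CLIENT), CHAINS))  # chain-sha256.pem
    print(select_chain(parse_extensions(LEGACY_CLIENT), CHAINS))  # chain-sha1.pem
```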