Re: [TLS] Rethink TLS 1.3

Nico Williams <> Mon, 24 November 2014 17:29 UTC

Date: Mon, 24 Nov 2014 11:29:44 -0600
From: Nico Williams <>
To: Martin Rex <>
Message-ID: <20141124172942.GK3200@localhost>
References: <20141124170257.GJ3200@localhost> <>

On Mon, Nov 24, 2014 at 06:13:20PM +0100, Martin Rex wrote:
> Nico Williams wrote:
> > Martin Rex wrote:
> >> Nope.  BEAST, CRIME and Poodle are pretty boring demonstrations of the
> >> ridiculous insecurity of WebBrowsers in their default configuration.
> > 
> > Yes, they were that too.  And by then we knew well about adaptive
> > plaintext attacks.  Still, they also were demonstrations that the
> > network has to be assumed to be under control of the adversary, and IMO
> > they were dramatic at that.  If anyone still doubted the adversary's
> > control of the network before BEAST, no one does now.
> 5 years ago there was an exhausting discussion in this WG about how to
> fix the TLS renegotiation issue.  The problem had been considered so huge,
> that a secret group (Project Mogul) had been set up to design (and have
> patches shipped) before the issue was publicly described.

Renego, incidentally, was a feature of TLS that was originally not part
of the spec, but grew ad-hoc.  This is one of the ways in which we
failed SSL and its users: we didn't analyze the protocol as-used.

> BEAST and Poodle require *MORE* control over the endpoint as a prerequisite
> for the attack than what a successful TLS renegotiation attack will provide.

So what?

> Please stop claiming that providing so much control to an attacker
> as something that is (or should be) normal, rather than considering
> providing so much control to attackers as what it really is:
> a huge and gaping vulnerability in Web-Browsers and in the
> (lack of a) Web Security Model.

I'm claiming that we're not in a position in this WG to fix the web
security model to use something better than cookies and other bearer
tokens.  I wish we were, but we're clearly not.  There's proof of this in
the pudding.

There were several efforts in the last few years, in the WEBSEC and
HTTPauth WGs to do something about that, and those efforts failed.
HTTPbis is very active, but they are not doing something about this
either (unless that's changed recently; I don't follow HTTPbis closely).

Many things were tried, including some that were -IMO- pretty good
ideas, like origin-bound-cookies (which was good in large part because
it implied minimal or no real changes to HTTP stacks).

That means that TLS 1.3 simply MUST be resistant to various cookie
recovery attacks.  Those attacks have to be active attacks (therefore
foreseen by the Internet threat model) of the adaptive chosen plaintext
or similar varieties.  Fortunately we know how to beat them, therefore
we don't have to go fix the web security model *even though* we all
would like to also do that anyways.

BTW, I'd like to be wrong about this.  I'd like us to get so incensed
over web cookies that we get that part of the web security model fixed,
full stop!

Having attempted -and failed- to provide an alternative to web cookies
myself, I'm wondering how else we might fix them...  Dirk Balfanz's
latest proposal is OK with me, but I am so traumatized (in a way) by
BEAST that I'm inclined to accept just about any improvements as to web
cookies, especially ones where big players will do the work to get
started on deployment.