IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

Adam Langley <agl@imperialviolet.org> Fri, 26 September 2014 18:05 UTC

Return-Path: <alangley@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30D5B1A6F90 for <tls@ietfa.amsl.com>; Fri, 26 Sep 2014 11:05:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8wDKnTkwAN4v for <tls@ietfa.amsl.com>; Fri, 26 Sep 2014 11:05:23 -0700 (PDT)
Received: from mail-lb0-x231.google.com (mail-lb0-x231.google.com [IPv6:2a00:1450:4010:c04::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 942B51A6F83 for <tls@ietf.org>; Fri, 26 Sep 2014 11:05:22 -0700 (PDT)
Received: by mail-lb0-f177.google.com with SMTP id z12so14582488lbi.8 for <tls@ietf.org>; Fri, 26 Sep 2014 11:05:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type:content-transfer-encoding; bh=ZLTt+Fn2FGsuWS2lAEBM6ajmnxjjt+J8+V/B2B1IV/4=; b=Ul1qPcat8n6RzuD3ikOtNpfvvnJ4I8ludZpxrARo42HlJ5gRkc0d7N6cZYwReOe+YD sgr7Q0zC32+aUAHFvxc8PR9ZPIktjlzHEa+PceygfCFBMy0z0zIdzVKHV9j6nKauAGWf mg4uHoaSVbKpmaiu6LlFB+AC7cj6MWUpiErWs7yx4jI3ZW26H96tHlYIaNLPgp2UwmLj oKZcmP7f665maTDfJP80vf5lYTK79S4PytTtmAD1rwGB66gInduSDDYD7sPMBmwa3sSL R32wJ03bwALQmL59LndWy36Z1Ne1i+xRLd1RIktv0yVz+r3ndxbCONFwoBntkH55ru+P 3k6A==
MIME-Version: 1.0
X-Received: by 10.112.142.33 with SMTP id rt1mr20633579lbb.69.1411754720449; Fri, 26 Sep 2014 11:05:20 -0700 (PDT)
Sender: alangley@gmail.com
Received: by 10.112.241.103 with HTTP; Fri, 26 Sep 2014 11:05:20 -0700 (PDT)
In-Reply-To: <e2ae0847d4ef49c48fe972adead9bbcc@BL2PR03MB419.namprd03.prod.outlook.com>
References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com> <e2ae0847d4ef49c48fe972adead9bbcc@BL2PR03MB419.namprd03.prod.outlook.com>
Date: Fri, 26 Sep 2014 11:05:20 -0700
X-Google-Sender-Auth: G0fFuz2I8dSyyY-uRSsi5kWKW5k
Message-ID: <CAMfhd9UQ1wHFMJpLcxX6o3YDcLn_Az_vy7PfB9QUwyjHrrPaJQ@mail.gmail.com>
From: Adam Langley <agl@imperialviolet.org>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/46LrLm1SAYPCNvYWbQdxl249X2U
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Sep 2014 18:05:24 -0000

On Fri, Sep 26, 2014 at 10:44 AM, Andrei Popov
<Andrei.Popov@microsoft.com> wrote:
> This I-D currently forces clients to do sequential fallbacks, without skipping versions: TLS1.3->TLS1.2->TLS1.1->TLS1.0 will work, but e.g. TLS1.3->TLS1.2->TLS1.0 won't. Clients may want to skip protocol versions in the fallback sequence to reduce latency. Clients may also need to disable arbitrary protocol versions for security reasons.
>
> I see two ways to fix this in the draft:
> 1. Use a TLS extension instead of an SCSV. In the extension, the client could indicate the previously attempted protocol version. The problem with this is that SSL3 ClientHellos are not supposed to have extensions, but we'd like to secure fallbacks to SSL3.
> 2. Use one SCSV value per TLS & SSL protocol version. The client includes the SCSV indicating the previously attempted protocol version. The drawback here is that this creates multiple SCSVs:).
>
> If this problem is not solved, then clients will have no choice but to avoid sending the SCSV when skipping protocol versions, e.g.: TLS1.3(no SCSV)->TLS1.2(with SCSV)->TLS1.0(no SCSV). Which (at least partially) defeats the purpose of the I-D.

We've had the design of an SCSV-per-version before and it didn't
really go anywhere. (There is, at least, ekr's draft[1].)

Yes, you have to step down every version. But stepping down is a good
idea because you want to lose as few features as possible. If you drop
right down to SSLv3 then you loose ECDHE and so on.

It's more latency, but only for the case of very old, broken servers. So be it.

[1] https://github.com/ekr/ietf-drafts/blob/master/draft-rescorla-tls-version-cs.txt


Cheers

AGL

-- 
Adam Langley agl@imperialviolet.org https://www.imperialviolet.org

v2.23.0 | Report a Bug | By Email