Re: [TLS] SCSVs and SSLv3 fallback

Trevor Perrin <trevp@trevp.net> Mon, 08 April 2013 18:35 UTC

Return-Path: <trevp@trevp.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F2C021F8E63 for <tls@ietfa.amsl.com>; Mon, 8 Apr 2013 11:35:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.426
X-Spam-Level:
X-Spam-Status: No, score=-0.426 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VCDFPOJnylcj for <tls@ietfa.amsl.com>; Mon, 8 Apr 2013 11:35:01 -0700 (PDT)
Received: from mail-wi0-x229.google.com (mail-wi0-x229.google.com [IPv6:2a00:1450:400c:c05::229]) by ietfa.amsl.com (Postfix) with ESMTP id 17CF921F8783 for <tls@ietf.org>; Mon, 8 Apr 2013 11:35:00 -0700 (PDT)
Received: by mail-wi0-f169.google.com with SMTP id c10so4175305wiw.2 for <tls@ietf.org>; Mon, 08 Apr 2013 11:35:00 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=LpCp1OnzwGDC/1xQKyp2NmX5+ajmmgrn/qsW/N9ZmqQ=; b=I9AuBbZU+dQQiKkUGv4jakKoK3NtaCtdFQrT/Yi0lBKvd2cCDaRoCGA7NEm5RdvOMm VWkRTjJhAQYrIWYTsy60x9AdNJ3pWSCB4sihHmOmJqAC1/kymza72s0iENIdiy1BpVM5 AD/4up7ePa30Dweh5YhqjkdDKnYllDqWxgg5Xtz1YF1jBTpa2Ozmm4cYJK4paKYeaMC1 BiwrlPT7eWx1imY6MyJBoEAq9o4eZkZ8UfKvjsGZLp4HUbC3KXu7pp7/Mi3K85iP1DmE J2DjQy+jCFr3n9f68XX9wAlzL9S9h7qNMCK5tMA7o+tgmu5o39QPIpoUB/rOQTED+SC0 1qFg==
MIME-Version: 1.0
X-Received: by 10.194.104.168 with SMTP id gf8mr32987274wjb.58.1365446099653; Mon, 08 Apr 2013 11:34:59 -0700 (PDT)
Received: by 10.217.119.134 with HTTP; Mon, 8 Apr 2013 11:34:59 -0700 (PDT)
X-Originating-IP: [173.164.206.245]
In-Reply-To: <op.wu4u97w03dfyax@killashandra.invalid.invalid>
References: <CAGZ8ZG0i4-ZDPu=O1+Qy1DJ8oV80_eMz5J9NZrn2UC1-zYu4Sw@mail.gmail.com> <op.wu1f2u2n3dfyax@killashandra.invalid.invalid> <CAGZ8ZG1JzgnCNqfPueKr3wrvMzZKUi7mfvcAdRc-NnCDr33aLg@mail.gmail.com> <515F428E.2010900@gnutls.org> <CAGZ8ZG2OqLz8NymWzR0WNWsHz7qHLA+8eq95WFTLVFGaTK=RCA@mail.gmail.com> <D4CC5248-B1F1-498E-8058-5E17BADB3CE6@vpnc.org> <CAGZ8ZG2uvKs8-Sn9bvQyaP9t_E3BhkZFoi7Sq9wbxaHNpf_NDg@mail.gmail.com> <op.wu3cctbc3dfyax@killashandra.invalid.invalid> <CAGZ8ZG3H6wPnLZE3CkBGHMiMXvdA-VBM911t+tzPqW5ggJr2PA@mail.gmail.com> <op.wu4b9sxq3dfyax@killashandra.invalid.invalid> <CAGZ8ZG2yVYPkOFFvSKF0Q18CREHtzfeeTdZpi0Cxhi-OQBr8nA@mail.gmail.com> <op.wu4u97w03dfyax@killashandra.invalid.invalid>
Date: Mon, 8 Apr 2013 11:34:59 -0700
Message-ID: <CAGZ8ZG1NW5SHHfyjFnQNvbNzb4KgL-7W+bZHAXERgrbkoTZa9g@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: "Yngve N. Pettersen" <yngve@spec-work.net>
Content-Type: text/plain; charset=ISO-8859-1
X-Gm-Message-State: ALoCoQkhrda5sRWt+irTUzn4J/02l/vORfcykmuXp2koTB6ooB5+q59ihYIYnihRynEgYzYCS7oW
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] SCSVs and SSLv3 fallback
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2013 18:35:02 -0000

Hi Yngve,

Thanks for the reference to your rollback prevention draft [1].  I've
also seen the Eric Rescorla and Adam Langley proposals [2,3].

These all seem practical ways to enable a TLS-capable party suffering
an SSLv3 fallback to detect that the other party is TLS-capable.

I'd love to see any of them deployed, so such connections could be
rejected.  Browser makers could aso preload their browser with a list
of TLS-capable sites (such as their own), and disable SSLv3 fallback
for them.

Hopefully these actions would force TLS-intolerant middleboxes to be
replaced, so browsers could stop having to work-around them and this
problem would disappear.


However!  Until this happens, I  think new TLS enhancements must
unfortunately try to be compatible with browser workaround behavior.

So I'm proposing TACK (and similar proposals) could make use of SSLv3
SCSVS in a narrowly-scoped context:
 - Only in case of SSLv3 fallback
 - Only when additional data is required from the server or the
connection will fail

In the long-term, if TLS-intolerant middleboxes can be eliminated to
the point that browsers *don't* need to support them, this case will
cease to exist.  At that point this mechanism will be unused and
unneeded.

As you and Nikos have pointed out, there is no guarantee that this
mechanism will always work.  However if deployed, we could gather
statistics on it.


Anyways, I'd love to hear a better proposal for handling this
difficult and unfortunate case.  But it's seeming like the best option
for TACK (which is my immediate concern) would be to specify an SCSV
mechanism.

Does that seem reasonable?


Trevor


[1] http://datatracker.ietf.org/doc/draft-pettersen-tls-version-rollback-removal/
[2] http://www.ietf.org/mail-archive/web/tls/current/msg08099.html
[3] http://www.ietf.org/mail-archive/web/tls/current/msg08861.html


On Sat, Apr 6, 2013 at 12:04 PM, Yngve N. Pettersen <yngve@spec-work.net> wrote:
> On Sat, 06 Apr 2013 18:59:06 +0200, Trevor Perrin <trevp@trevp.net> wrote:
>
>> On Sat, Apr 6, 2013 at 5:14 AM, Yngve N. Pettersen <yngve@spec-work.net>
>> wrote:
>>>
>>> On Sat, 06 Apr 2013 06:41:33 +0200, Trevor Perrin <trevp@trevp.net>
>>> wrote:
>>>>
>>>>
>>>> Suppose the SCSV is only allowed in the specific case of an SSLv3
>>>> fallback where an extension response is required or the connection
>>>> will fail (due to a requirement for TACK, CT, or OCSP).
>>>>
>>>> In this case, it can't break anything because the connection is
>>>> already going to be broken.  It's not guaranteed to work, but there's
>>>> evidence it might.
>>>>
>>>> Does that address this concern?
>>>
>>>
>>>
>>> No, it does not.
>>
>> [...]
>>>
>>> we do not at present know if the SCSV
>>> variant will work in all cases.
>>
>> [...]
>>>
>>> So, using an SCSV in the SSL v3 handshake do risk breaking a handshake
>>> that
>>> would otherwise have completed.
>>
>>
>> No, you missed my point.
>>
>> I was proposing using SCSVs only in the case that an SSLv3 fallback is
>> necessary, and the browser *REQUIRES* some data from the server (TACK,
>> CT, OCSP), or the browser will refuse the connection.
>>
>> Example:  Suppose a browser has an active TACK pin for a domain, but
>> sending a TLS ClientHello to that domain results in a TCP reset.
>>
>> Since the TACK pin exists, the browser can assume it is not contacting
>> a TLS-intolerant server.
>
>
> In which case the client knows what the highest supported version, and the
> extension tolerance, for the server, as you say.
>
> In any such case the client should IMNSHO assume that it is being subjected
> to a Man In the Middle attack, using a version rollback attack, and abort
> the connection. The client should in such a situation not permit itself to
> downgrade the security of the connection, which includes _not_ attempting to
> set up the connection using SSL v3, or any TLS version lower than what was
> used the last time it had a successful connection.
>
> That is BTW, the principle embedded in my version rollback removal draft
> <http://datatracker.ietf.org/doc/draft-pettersen-tls-version-rollback-removal/>,
> which uses the server's support of the Renego extension as a proxy
> indication to determine full version and extension tolerance, and then use
> that information to assume that any failure to negotiate a connection, when
> signaling the client's highest supported version with full extension support
> in the handshake, means that the connection is being subjected to a version
> rollback attack, and terminate the connection attempt rather than roll back
> to an older version.
>
>
>> But a TLS-intolerant middlebox seems like a
>> possibility (though we still need more data on prevalence).  I believe
>> current browsers would want to try an SSLv3 fallback in this case, to
>> attempt to work around the interference.
>>
>> However!  SSLv3 fallback is pointless here unless the browser has some
>> chance of signalling that it requires a tack, and receiving it.
>>
>> I am proposing giving this a chance of working, by using the same SCSV
>> / ServerHello Extension idiom that has worked for RFC 5746.
>>
>> Of course, this might not work for any specific middlebox!  But if the
>> middlebox allows unknown ciphersuites and data at the end of the SSL
>> ServerHello, then it will.  And if the middlebox has been patched to
>> whitelist the specific 5746 SCSV and ServerHello extension, that
>> implies it could be upgraded for new uses of this idiom as well.
>
>
> It could be that they have been patched, if there was a problem, but the
> Renego issue was a high profile security issue, and its solution was one
> that was being deployed in all clients within a very short period of time.
> Failure to patch any troublesome middleboxes would have caused severe
> problems for users.
>
> I doubt any such incentive to patch will be present for most other
> extensions of TLS, particularly if the usage of the SCSV depends on the
> server being known to support the new feature.
>
> In other words: If there is a problem in this area, you should not assume
> that it will be quickly fixed, at least not before general server support is
> past 50% or an even higher percentage of high traffic sites use it, which
> might take several years to be achieved.
>
>
> --
> Sincerely,
> Yngve N. Pettersen
>
> Using Opera's mail client: http://www.opera.com/mail/
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls