Re: [TLS] An SCSV to stop TLS fallback.

Douglas Stebila <> Wed, 04 December 2013 23:38 UTC


Does anyone on the list know of an example website where one can observe a potentially attackable TLS fallback?


From: TLS [] On Behalf Of Marsh Ray []
Sent: December 5, 2013 09:05
To: Adam Langley; Manuel Pégourié-Gonnard
Subject: Re: [TLS] An SCSV to stop TLS fallback.

What percentage of these client fallback operations that actual users' browsers are doing in the real world are being triggered for reasons *other* than actual server implementation bugs? I imagine this could be a difficult thing to measure. But I can also imagine the obvious client heuristics (if it fails, try again) could easily be triggered by a busy server or simple packet loss. Couldn't this represent a full 1% of connections, especially now that so many users are on mobile devices?

So if a fallback situation was a slow-loading lousy page experience before, what's it going to be after legitimate servers implement this logic? Will servers actively *refuse* legitimate clients' retry connections? If so, isn't this just taking an intermittent slow-failure situation and converting it to an even slower but guaranteed interop failure? If not, what good will downgrade protection logic be?

TLS 1.2 was designed to mitigate some serious potential attacks. BEAST demonstrated these attack vectors could be practical.

We need to recognize the ad-hoc client fallback heuristic for what it is: a security vulnerability.

Therefore, clients MUST NOT auto-downgrade.

Therefore, broken servers and middleboxes need to clean up their act or GTFO.

This was always clear to anyone considering it from a protocol security angle. But the strong desire for interoperability and the absence of documented attacks in the 2000's made it hard to argue from principle.

Do we need an RFC à la 6176 to give security-minded developers an explicit argument from authority?

- Marsh

P.S. I admit to being somewhat skeptical when RFC 6176 was being proposed. But I mentioned it in a meeting the other day and there were literally nods of understanding all around the table. Thanks!

-----Original Message-----
From: TLS [] On Behalf Of Adam Langley
Sent: Wednesday, December 4, 2013 11:20 AM
To: Manuel Pégourié-Gonnard
Subject: Re: [TLS] An SCSV to stop TLS fallback.

On Wed, Dec 4, 2013 at 2:12 PM, Manuel Pégourié-Gonnard <> wrote:
> Unless I'm mistaken, the problem TLS_FALLBACK_SCSV tries to address is
> not servers that don't implement version negotiation correctly, but
> MITM actively doing a downgrade attack (and faulty middleboxes, which have the same effect).

I think the chain of sadness goes like this:

1) Some servers don't implement version negotiation correctly, or have other bugs that happen to be solved by using SSLv3.
2) Therefore some clients implement fallback.
3) Therefore attackers can trigger fallback even with correct servers.

The MITM proxies that also had downgrade bugs caused issues with a Chrome experiment where we removed SSLv3 fallback for Google properties because it looked, to the client, like an attack. But, since it's a MITM proxy, it's an attack that the user has authorised.
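As an added illustration of Adam's three-step chain and of Marsh's packet-loss concern (example code written for this page, not from anyone in the thread), here is a toy model of a client fallback loop run against three constructed network conditions, with and without the SCSV. The server check, the 0x5600 suite value and the inappropriate_fallback alert follow what TLS_FALLBACK_SCSV was later standardised as in RFC 7507; the three network functions are constructed, not measurements.

```python
TLS_FALLBACK_SCSV = 0x5600                   # suite value registered for the SCSV (RFC 7507)
VERSIONS = [(3, 3), (3, 2), (3, 1), (3, 0)]  # TLS 1.2, 1.1, 1.0, SSLv3: client tries highest first
AES128_SHA = 0x002F                          # an ordinary suite so the hello is never empty

def server_hello(server_max, client_version, cipher_suites):
    """SCSV-aware server: if the client says this hello is a fallback retry and
    offers less than we support, something between us forced the downgrade."""
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max:
        return ("alert", "inappropriate_fallback")
    return ("hello", min(client_version, server_max))

def client_connect(network, send_scsv):
    """Ad-hoc fallback heuristic (step 2 of the chain): on any failure retry one
    version lower. With send_scsv=True every retry also advertises the SCSV."""
    attempts = []
    for i, version in enumerate(VERSIONS):
        suites = [AES128_SHA] + ([TLS_FALLBACK_SCSV] if send_scsv and i else [])
        result = network(version, suites)
        attempts.append((version, result[0]))
        if result[0] == "hello":
            return result[1], attempts       # negotiated version
        if result[0] == "alert":
            return None, attempts            # server refused the fallback: fail closed
    return None, attempts

# Constructed network conditions (step 1, step 3, and Marsh's packet-loss case).
def buggy_server(version, suites):
    # legacy server with no SCSV support that resets on any hello above TLS 1.0
    return ("reset", None) if version > (3, 1) else ("hello", (3, 1))

def downgrading_middlebox(version, suites):
    # correct TLS 1.2 server, but everything in between drops hellos above SSLv3
    return ("reset", None) if version > (3, 0) else server_hello((3, 3), version, suites)

def flaky_network():
    # correct TLS 1.2 server; only the very first attempt is lost
    seen = []
    def net(version, suites):
        seen.append(version)
        return ("reset", None) if len(seen) == 1 else server_hello((3, 3), version, suites)
    return net
```

With the SCSV the downgrading middlebox no longer yields an SSLv3 session, the buggy server still works, and the lost-packet case becomes the hard failure Marsh asks about rather than a silent drop to TLS 1.1.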


TLS mailing list