Re: [TLS] An SCSV to stop TLS fallback.
Douglas Stebila <stebila@qut.edu.au> Wed, 04 December 2013 23:38 UTC
Return-Path: <stebila@qut.edu.au>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0A401ADF66 for <tls@ietfa.amsl.com>; Wed, 4 Dec 2013 15:38:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.498
X-Spam-Level:
X-Spam-Status: No, score=-3.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I4x4KnM2QwLa for <tls@ietfa.amsl.com>; Wed, 4 Dec 2013 15:38:45 -0800 (PST)
Received: from QUTEXEDGE05.qut.edu.au (qutexedge05.qut.edu.au [131.181.191.22]) by ietfa.amsl.com (Postfix) with ESMTP id C32081ADF59 for <tls@ietf.org>; Wed, 4 Dec 2013 15:38:43 -0800 (PST)
Received: from QUTEXHUB04.qut.edu.au (131.181.186.100) by qutexedge05.qut.edu.au (131.181.191.22) with Microsoft SMTP Server (TLS) id 14.2.247.3; Thu, 5 Dec 2013 09:38:38 +1000
Received: from QUTEXMBX01.qut.edu.au ([131.181.107.108]) by QUTEXHUB04.qut.edu.au ([131.181.186.100]) with mapi; Thu, 5 Dec 2013 09:38:12 +1000
From: Douglas Stebila <stebila@qut.edu.au>
To: "tls@ietf.org" <tls@ietf.org>
Date: Thu, 05 Dec 2013 09:36:28 +1000
Thread-Topic: [TLS] An SCSV to stop TLS fallback.
Thread-Index: AQHO6jYL3OWisNV4bUWeT9bwHT1KGJo2nY0AgAAA2oCAABDBgIABFMQAgAEyeoCAAExnAIABUZeAgAjIOYCAAHtygIAAmWiAgAADqYCAAAINgIAANHGAgAATRUE=
Message-ID: <A2F79DCABB3A9F449B2EAA39BA9DB726B68DED@QUTEXMBX01.qut.edu.au>
References: <CAL9PXLzWPY5o2SeV=kUPWxznkw+3cmpbMpYifCebfqd48VW9UA@mail.gmail.com> <CACsn0ckuupJaNKXGjP63LfZiDsV5FLOqfk902O9i1oheqtAAhA@mail.gmail.com> <CAL9PXLxueY_k0XWgTrqVxqXDgvCRhAW5UEa8YjU9_rnuZ6otTA@mail.gmail.com> <CAL2p+8TXJVmnb-v3xH6uzW+rpZ+v8J65TjO32__O3ZofQiwSig@mail.gmail.com> <CAL9PXLwKxF14CUNmN=-P6mhcr+xcGw0_Aaq7amdBXZKUsrKsKA@mail.gmail.com> <CADMpkcLRNmmoMOpJ9QVFPMEbpSyu39afipWUv4Du-assHoC1rw@mail.gmail.com> <CAL9PXLx0+bYn_KXKhvFz=D_jXfctdVihaXnj=SqB6EeEqRLOSg@mail.gmail.com> <CADMpkcKvXxHwj+Rj_j8qF84aEbWJiBiXnk9t1qfh7NychraZcQ@mail.gmail.com> <CALTJjxEDXsmdzY4+OH2AFcYfMW5zY=V4PzQK3hqB1WrqjRJB+g@mail.gmail.com> <CADMpkcJO8xZ41DDnofPinm2SMkhONW7w+cODGwnVpJtB5o8OqQ@mail.gmail.com> <CALTJjxGTmSPRNWfbRrpkFQb3nBwY63fUros+4fLsXjum=q3urA@mail.gmail.com> <529F7E9D.80302@elzevir.fr> <CAL9PXLwVQ=GmZXGrh4+VEd-u1dhhvThKHfVf0qRShcR+LdExTQ@mail.gmail.com>, <f30ced5319a9451080562a1d2d8004f8@BY2PR03MB074.namprd03.prod.outlook.com>
In-Reply-To: <f30ced5319a9451080562a1d2d8004f8@BY2PR03MB074.namprd03.prod.outlook.com>
Accept-Language: en-US, en-AU
Content-Language: en-CA
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [TLS] An SCSV to stop TLS fallback.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Dec 2013 23:38:48 -0000
Does anyone on the list know of an example website where one can observe a potentially attackable TLS fallback? Douglas ________________________________________ From: TLS [tls-bounces@ietf.org] On Behalf Of Marsh Ray [maray@microsoft.com] Sent: December 5, 2013 09:05 To: Adam Langley; Manuel Pégourié-Gonnard Cc: tls@ietf.org Subject: Re: [TLS] An SCSV to stop TLS fallback. What percentage of these client fallback operations that actual users browsers are doing in the real world are being triggered for reasons *other* than actual server implementation bugs? I imagine this could be a difficult thing to measure. But I can also imagine the obvious client heuristics (if it fails, try again) could easily be triggered by a busy server or simple packet loss. Couldn't this represent a full 1% of connections, especially now that so many users are on mobile devices? So if a fallback situation was a slow-loading lousy page experience before, what's it going to be after legitimate servers implement this logic? Will servers actively *refuse* legitimate client's retry connections? If so, isn't this just taking an intermittent slow-failure situation and converting it to an even slower but guaranteed interop failure? If not, what good will downgrade protection logic be? TLS 1.2 was designed to mitigate some serious potential attacks. BEAST demonstrated these attack vectors could be practical. We need to recognize ad-hoc client fallback heuristic for what it is: a security vulnerability. Therefore, clients MUST NOT auto-downgrade. Therefore, broken servers and middleboxes need to clean up their act or GTFO. This was always clear to anyone considering it from a protocol security angle. But the strong desire for interoperability and the absence of documented attacks in the 2000's made it hard to argue from principle. Do we need an RFC a' la 6176 to give security-minded developers an explicit argument from authority? - Marsh P.S. I admit to being somewhat skeptical when RFC 6176 was being proposed. But I mentioned it in a meeting the other day and there were literally nods of understanding all around the table. Thanks! -----Original Message----- From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Adam Langley Sent: Wednesday, December 4, 2013 11:20 AM To: Manuel Pégourié-Gonnard Cc: tls@ietf.org Subject: Re: [TLS] An SCSV to stop TLS fallback. On Wed, Dec 4, 2013 at 2:12 PM, Manuel Pégourié-Gonnard <mpg@elzevir.fr> wrote: > Unless I'm mistaken, the problem TLS_FALLBACK_SCSV tries to adress is > not servers that don't implement version negotiation correctly, but > MITM actively doing a downgrade attack (and faulty middleboxes, which have the same effect). I think the chain of sadness goes like this: 1) Some servers don't implement version negotiation correctly, or have other bugs that happen to be solved by using SSLv3. 2) Therefore some clients implement fallback 3) Therefore attackers can trigger fallback even with correct servers. The MITM proxies that also had downgrade bugs caused issues with a Chrome experiment where we removed SSLv3 fallback for Google properties because it looked, to the client, like an attack. But, since it's a MITM proxy, it's an attack that the user has authorised. Cheers AGL _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Andy Wilson
- Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Trevor Perrin
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Trevor Perrin
- Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
- Re: [TLS] An SCSV to stop TLS fallback. Brian Smith
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Jack Lloyd
- Re: [TLS] An SCSV to stop TLS fallback. Manger, James H
- Re: [TLS] An SCSV to stop TLS fallback. Wan-Teh Chang
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Wan-Teh Chang
- Re: [TLS] An SCSV to stop TLS fallback. Manuel Pégourié-Gonnard
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Marsh Ray
- Re: [TLS] An SCSV to stop TLS fallback. Douglas Stebila
- Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
- Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
- Re: [TLS] An SCSV to stop TLS fallback. James Cloos
- Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
- Re: [TLS] An SCSV to stop TLS fallback. Manuel Pégourié-Gonnard
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Marsh Ray
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Daniel Kahn Gillmor
- Re: [TLS] An SCSV to stop TLS fallback. Brian Smith
- Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Yaron Sheffer
- Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
- Re: [TLS] An SCSV to stop TLS fallback. Yaron Sheffer
- Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
- Re: [TLS] An SCSV to stop TLS fallback. Manuel Pégourié-Gonnard
- Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller