IETF Logo Mail Archive

Re: [TLS] SCSVs and SSLv3 fallback

"Yngve N. Pettersen" <yngve@spec-work.net> Sat, 06 April 2013 19:05 UTC

Return-Path: <yngve@spec-work.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28EE121F8BE9 for <tls@ietfa.amsl.com>; Sat, 6 Apr 2013 12:05:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5WrL7cqjHVVh for <tls@ietfa.amsl.com>; Sat, 6 Apr 2013 12:05:05 -0700 (PDT)
Received: from smtp.domeneshop.no (smtp.domeneshop.no [194.63.252.54]) by ietfa.amsl.com (Postfix) with ESMTP id 3A44C21F8BE0 for <tls@ietf.org>; Sat, 6 Apr 2013 12:05:03 -0700 (PDT)
Received: from 239.171.251.212.customer.cdi.no ([212.251.171.239]:55767 helo=killashandra.invalid.invalid) by smtp.domeneshop.no with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <yngve@spec-work.net>) id 1UOYQA-00063d-A7 for tls@ietf.org; Sat, 06 Apr 2013 21:05:02 +0200
Content-Type: text/plain; charset="iso-8859-15"; format="flowed"; delsp="yes"
To: "tls@ietf.org" <tls@ietf.org>
References: <CAGZ8ZG0i4-ZDPu=O1+Qy1DJ8oV80_eMz5J9NZrn2UC1-zYu4Sw@mail.gmail.com> <op.wu1f2u2n3dfyax@killashandra.invalid.invalid> <CAGZ8ZG1JzgnCNqfPueKr3wrvMzZKUi7mfvcAdRc-NnCDr33aLg@mail.gmail.com> <515F428E.2010900@gnutls.org> <CAGZ8ZG2OqLz8NymWzR0WNWsHz7qHLA+8eq95WFTLVFGaTK=RCA@mail.gmail.com> <D4CC5248-B1F1-498E-8058-5E17BADB3CE6@vpnc.org> <CAGZ8ZG2uvKs8-Sn9bvQyaP9t_E3BhkZFoi7Sq9wbxaHNpf_NDg@mail.gmail.com> <op.wu3cctbc3dfyax@killashandra.invalid.invalid> <CAGZ8ZG3H6wPnLZE3CkBGHMiMXvdA-VBM911t+tzPqW5ggJr2PA@mail.gmail.com> <op.wu4b9sxq3dfyax@killashandra.invalid.invalid> <CAGZ8ZG2yVYPkOFFvSKF0Q18CREHtzfeeTdZpi0Cxhi-OQBr8nA@mail.gmail.com>
Date: Sat, 06 Apr 2013 21:04:45 +0200
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: "Yngve N. Pettersen" <yngve@spec-work.net>
Message-ID: <op.wu4u97w03dfyax@killashandra.invalid.invalid>
In-Reply-To: <CAGZ8ZG2yVYPkOFFvSKF0Q18CREHtzfeeTdZpi0Cxhi-OQBr8nA@mail.gmail.com>
User-Agent: Opera Mail/12.15 (Win32)
Subject: Re: [TLS] SCSVs and SSLv3 fallback
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Apr 2013 19:05:06 -0000

On Sat, 06 Apr 2013 18:59:06 +0200, Trevor Perrin <trevp@trevp.net> wrote:

> On Sat, Apr 6, 2013 at 5:14 AM, Yngve N. Pettersen <yngve@spec-work.net>  
> wrote:
>> On Sat, 06 Apr 2013 06:41:33 +0200, Trevor Perrin <trevp@trevp.net>  
>> wrote:
>>>
>>> Suppose the SCSV is only allowed in the specific case of an SSLv3
>>> fallback where an extension response is required or the connection
>>> will fail (due to a requirement for TACK, CT, or OCSP).
>>>
>>> In this case, it can't break anything because the connection is
>>> already going to be broken.  It's not guaranteed to work, but there's
>>> evidence it might.
>>>
>>> Does that address this concern?
>>
>>
>> No, it does not.
> [...]
>> we do not at present know if the SCSV
>> variant will work in all cases.
> [...]
>> So, using an SCSV in the SSL v3 handshake do risk breaking a handshake  
>> that
>> would otherwise have completed.
>
> No, you missed my point.
>
> I was proposing using SCSVs only in the case that an SSLv3 fallback is
> necessary, and the browser *REQUIRES* some data from the server (TACK,
> CT, OCSP), or the browser will refuse the connection.
>
> Example:  Suppose a browser has an active TACK pin for a domain, but
> sending a TLS ClientHello to that domain results in a TCP reset.
>
> Since the TACK pin exists, the browser can assume it is not contacting
> a TLS-intolerant server.

In which case the client knows what the highest supported version, and the  
extension tolerance, for the server, as you say.

In any such case the client should IMNSHO assume that it is being  
subjected to a Man In the Middle attack, using a version rollback attack,  
and abort the connection. The client should in such a situation not permit  
itself to downgrade the security of the connection, which includes _not_  
attempting to set up the connection using SSL v3, or any TLS version lower  
than what was used the last time it had a successful connection.

That is BTW, the principle embedded in my version rollback removal draft  
<http://datatracker.ietf.org/doc/draft-pettersen-tls-version-rollback-removal/>,  
which uses the server's support of the Renego extension as a proxy  
indication to determine full version and extension tolerance, and then use  
that information to assume that any failure to negotiate a connection,  
when signaling the client's highest supported version with full extension  
support in the handshake, means that the connection is being subjected to  
a version rollback attack, and terminate the connection attempt rather  
than roll back to an older version.

> But a TLS-intolerant middlebox seems like a
> possibility (though we still need more data on prevalence).  I believe
> current browsers would want to try an SSLv3 fallback in this case, to
> attempt to work around the interference.
>
> However!  SSLv3 fallback is pointless here unless the browser has some
> chance of signalling that it requires a tack, and receiving it.
>
> I am proposing giving this a chance of working, by using the same SCSV
> / ServerHello Extension idiom that has worked for RFC 5746.
>
> Of course, this might not work for any specific middlebox!  But if the
> middlebox allows unknown ciphersuites and data at the end of the SSL
> ServerHello, then it will.  And if the middlebox has been patched to
> whitelist the specific 5746 SCSV and ServerHello extension, that
> implies it could be upgraded for new uses of this idiom as well.

It could be that they have been patched, if there was a problem, but the  
Renego issue was a high profile security issue, and its solution was one  
that was being deployed in all clients within a very short period of time.  
Failure to patch any troublesome middleboxes would have caused severe  
problems for users.

I doubt any such incentive to patch will be present for most other  
extensions of TLS, particularly if the usage of the SCSV depends on the  
server being known to support the new feature.

In other words: If there is a problem in this area, you should not assume  
that it will be quickly fixed, at least not before general server support  
is past 50% or an even higher percentage of high traffic sites use it,  
which might take several years to be achieved.

-- 
Sincerely,
Yngve N. Pettersen

Using Opera's mail client: http://www.opera.com/mail/

v2.23.0 | Report a Bug | By Email