Re: [TLS] Deployment ... Re: This working group has failed

Taylor Hornby <havoc@defuse.ca> Sat, 16 November 2013 18:10 UTC

Return-Path: <havoc@defuse.ca>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 134B711E8100 for <tls@ietfa.amsl.com>; Sat, 16 Nov 2013 10:10:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4HAiWrFzufGb for <tls@ietfa.amsl.com>; Sat, 16 Nov 2013 10:09:58 -0800 (PST)
Received: from defuse.ca (defuse.ca [192.99.8.82]) by ietfa.amsl.com (Postfix) with ESMTP id 2BF4211E80E3 for <tls@ietf.org>; Sat, 16 Nov 2013 10:09:57 -0800 (PST)
Received: from [192.168.1.102] (S01065404a6902716.cg.shawcable.net [174.0.254.229]) by defuse.ca (Postfix) with ESMTPSA id B7A621006D1 for <tls@ietf.org>; Sat, 16 Nov 2013 13:10:05 -0500 (EST)
Message-ID: <5287B4F6.1060102@defuse.ca>
Date: Sat, 16 Nov 2013 11:09:58 -0700
From: Taylor Hornby <havoc@defuse.ca>
Organization: https://defuse.ca/
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.0
MIME-Version: 1.0
To: tls@ietf.org
References: <CACsn0c=i2NX2CZ=Md2X+WM=RM8jAysaenz6oCxmoPt+LC5wvjA@mail.gmail.com> <52874576.9000708@gmx.net>
In-Reply-To: <52874576.9000708@gmx.net>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] Deployment ... Re: This working group has failed
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Nov 2013 18:10:03 -0000

On 11/16/2013 03:14 AM, Hannes Tschofenig wrote:
> To be positive and constructive in the discussion I wonder what could be
> done to improve the situation.
> 
> Does the OpenSSL and the GnuTLS projects (and other projects) need more
> contributors?
> 
> Is there more awareness building needed to get companies to understand
> what the different libraries provide and why they should use a
> particular version?
> 
> Where does the delay come from?
> 

Firefox is one of the last browsers to get TLS 1.1 and TLS 1.2 support.
It's still not enabled by default in the stable release. Looking at
their development history is probably the best place to start.

TLS 1.1:

https://bugzilla.mozilla.org/show_bug.cgi?id=565047
https://bugzilla.mozilla.org/show_bug.cgi?id=733647

TLS 1.2:

https://bugzilla.mozilla.org/show_bug.cgi?id=480514
https://bugzilla.mozilla.org/show_bug.cgi?id=861266

Most of the delay seems to be in Bug 565047. TLS 1.1 was standardized in
2006, but the *ticket* to implement TLS 1.1 was created FOUR YEARS
later. Then, once it was, it took TWO YEARS to implement.

Non-compliant servers are wasting a ton of time in QA, too:

https://bugzilla.mozilla.org/show_bug.cgi?id=733647#c48
https://bugzilla.mozilla.org/show_bug.cgi?id=839310

Why doesn't TLS's fallback mechanism work?

So, it seems to me that:

1. The most significant delay is between when the standard is released
and when vendors realize they have to implement it. Until there's a
problem with the old version, they're hardly thinking about it.

2. Once they do realize it's necessary, it takes a long time to implement.

-- 
Taylor Hornby