Re: [TLS] Downgrade SCSV info
Rob Trace <Rob.Trace@microsoft.com> Thu, 13 November 2014 03:54 UTC
Return-Path: <Rob.Trace@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA5FF1A1B5D for <tls@ietfa.amsl.com>; Wed, 12 Nov 2014 19:54:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gfoQrDbHKUaz for <tls@ietfa.amsl.com>; Wed, 12 Nov 2014 19:54:35 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0746.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::746]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D00F41A1B51 for <tls@ietf.org>; Wed, 12 Nov 2014 19:54:34 -0800 (PST)
Received: from CY1PR0301MB0892.namprd03.prod.outlook.com (25.160.164.23) by CY1PR0301MB0891.namprd03.prod.outlook.com (25.160.164.22) with Microsoft SMTP Server (TLS) id 15.1.16.15; Thu, 13 Nov 2014 03:54:12 +0000
Received: from CY1PR0301MB0892.namprd03.prod.outlook.com ([25.160.164.23]) by CY1PR0301MB0892.namprd03.prod.outlook.com ([25.160.164.23]) with mapi id 15.01.0016.006; Thu, 13 Nov 2014 03:54:12 +0000
From: Rob Trace <Rob.Trace@microsoft.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: Re: [TLS] Downgrade SCSV info
Thread-Index: Ac/+9O5weiJnd0SQTLmp/+CUEBE1LA==
Date: Thu, 13 Nov 2014 03:54:12 +0000
Message-ID: <d51dcf00811740edb16aade02a5d8fe5@CY1PR0301MB0892.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:67c:370:136:f443:da37:4451:c37d]
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;SRVR:CY1PR0301MB0891;
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:; SRVR:CY1PR0301MB0891;
x-forefront-prvs: 0394259C80
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(199003)(189002)(41574002)(4396001)(31966008)(21056001)(108616004)(77096003)(106356001)(77156002)(40100003)(120916001)(99396003)(33646002)(110136001)(19625215002)(20776003)(101416001)(95666004)(99286002)(62966003)(2351001)(19300405004)(450100001)(122556002)(16236675004)(107046002)(105586002)(46102003)(64706001)(107886001)(15975445006)(2656002)(87936001)(19580395003)(76576001)(92566001)(15202345003)(97736003)(74316001)(86362001)(2501002)(54356999)(50986999)(86612001)(3826002)(24736002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR0301MB0891; H:CY1PR0301MB0892.namprd03.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
Content-Type: multipart/alternative; boundary="_000_d51dcf00811740edb16aade02a5d8fe5CY1PR0301MB0892namprd03_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/7MB8E-7juKD8l5pHdacQV9AhhKA
Subject: Re: [TLS] Downgrade SCSV info
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Nov 2014 03:54:38 -0000
> Right, although it couldn't hurt for the client to try TLS 1.1 next in case > it sees an inappropriate_fallback alert. (Then in the end you have > essentially the same outcome as if trying the protocols in decreasing order, > in the presence of an active attacker forcing you to downgrade.) When we looked at the fallback to HTTP 1.1, it was just as Martin stated and there were almost 0 times when the connection completed over TLS 1.1. The 1.1 fallback was a lot of wasted roundtrips and did not provide any value. I am not sure what a wasted fallback to HTTP 1.1 would provide with SCSV, in that the TLS 1.0 fallback would still result in the inappropriate_fallback before we send any data. Thanks!! -Rob
- [TLS] Downgrade SCSV info Martin Thomson
- Re: [TLS] Downgrade SCSV info Bodo Moeller
- Re: [TLS] Downgrade SCSV info Martin Thomson
- Re: [TLS] Downgrade SCSV info Bodo Moeller
- Re: [TLS] Downgrade SCSV info Rob Trace
- Re: [TLS] Downgrade SCSV info Bodo Moeller