Re: [TLS] An SCSV to stop TLS fallback.

Adam Langley <agl@google.com> Wed, 04 December 2013 19:20 UTC

Return-Path: <agl@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53D591AE2EA for <tls@ietfa.amsl.com>; Wed, 4 Dec 2013 11:20:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.08
X-Spam-Level:
X-Spam-Status: No, score=-1.08 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v92p_sZcb_xb for <tls@ietfa.amsl.com>; Wed, 4 Dec 2013 11:20:13 -0800 (PST)
Received: from mail-ve0-x233.google.com (mail-ve0-x233.google.com [IPv6:2607:f8b0:400c:c01::233]) by ietfa.amsl.com (Postfix) with ESMTP id 43D0B1AE2D7 for <tls@ietf.org>; Wed, 4 Dec 2013 11:20:13 -0800 (PST)
Received: by mail-ve0-f179.google.com with SMTP id jw12so12494663veb.38 for <tls@ietf.org>; Wed, 04 Dec 2013 11:20:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding; bh=lWx//b2piBZG0w3yGgYdvAr9a6YgvaXbDGRgMlVMlR4=; b=NZFYBct8wErYRf9ihuxq6UMNXDiUhyWTH0gTq+2FtAtW1X9qvfwFbGVFrhsDN0hsqb 7nqPZC0SxzyqUi+wmbN/qNUgqDE5RdW0X4cpYuq/A1h/SkGK4PgZkNd+O4tEEu57xvHN q8iNReZQ7/GF8DHNe6s2CDcOQGGsCyd+f8ESckLkOvKR/rrJa71Q3LtkZNy8hNxCe65U NerOiCX4V9aaqeMz+yyqf+rKwJOH9O1paT4ReFFYxbPauvLOFaq3R4gUEfWnQqoBDLJ/ QhJRCN36slsCVF6etAFGmu5Qj5bWsE9rVce8NNZGAiWcOT2j8S86EX/jlkPeYVgY50ul mnEg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding; bh=lWx//b2piBZG0w3yGgYdvAr9a6YgvaXbDGRgMlVMlR4=; b=J2Ys8td+U8eRofaFYSSeDJ72TJnlYDrYB/7Lkfeczhr9p5oYgYpwzPmNylNlRQX5Q4 YYlL4XNGLJuT/CZhF9aWVFmKsBo4N/1AbRbUQiWvt4IsDTdfkVlbrfq4Sx4GRJmRlMpB 3rzG1BnkcY1ezfkJmI52RMB/yymx92HeJrvJYO5unCjv73UsVTRK0ncd7uPBATgvWCvR JP2tDtL8t7dQHY9cfVNIZNhQasqrHNE+PtBURI0Vj927FBsdckSuurBfML0HyfoiAgI0 wB+lBvwMjXKXHK/OuPZUPhd879+V7AQ17MB1Vf4XEE0xlQ53NcnsNPVk/GQNzKJZB372 m8Tg==
X-Gm-Message-State: ALoCoQl2gimeys7ER+qk+1Cu2Ek1F82ajp77lRsYZPhUaTpu6cS4D6jZNBn/Wdo1/JE8XH35lQmmGY4Ac4gbQcwpBrcWcgRQN9mFG41bm6MgjaPeBNG8eDx80cEzCznb0W4IxC4VHk+axbkWnyAYyM3BOPJkFdsO0oBxWvL5tPstuV3KnDrVc8a57djrj5fnvMr8jI2vwFZl
X-Received: by 10.52.64.140 with SMTP id o12mr1716074vds.40.1386184809890; Wed, 04 Dec 2013 11:20:09 -0800 (PST)
MIME-Version: 1.0
Received: by 10.52.100.40 with HTTP; Wed, 4 Dec 2013 11:19:49 -0800 (PST)
In-Reply-To: <529F7E9D.80302@elzevir.fr>
References: <CAL9PXLzWPY5o2SeV=kUPWxznkw+3cmpbMpYifCebfqd48VW9UA@mail.gmail.com> <CACsn0ckuupJaNKXGjP63LfZiDsV5FLOqfk902O9i1oheqtAAhA@mail.gmail.com> <CAL9PXLxueY_k0XWgTrqVxqXDgvCRhAW5UEa8YjU9_rnuZ6otTA@mail.gmail.com> <CAL2p+8TXJVmnb-v3xH6uzW+rpZ+v8J65TjO32__O3ZofQiwSig@mail.gmail.com> <CAL9PXLwKxF14CUNmN=-P6mhcr+xcGw0_Aaq7amdBXZKUsrKsKA@mail.gmail.com> <CADMpkcLRNmmoMOpJ9QVFPMEbpSyu39afipWUv4Du-assHoC1rw@mail.gmail.com> <CAL9PXLx0+bYn_KXKhvFz=D_jXfctdVihaXnj=SqB6EeEqRLOSg@mail.gmail.com> <CADMpkcKvXxHwj+Rj_j8qF84aEbWJiBiXnk9t1qfh7NychraZcQ@mail.gmail.com> <CALTJjxEDXsmdzY4+OH2AFcYfMW5zY=V4PzQK3hqB1WrqjRJB+g@mail.gmail.com> <CADMpkcJO8xZ41DDnofPinm2SMkhONW7w+cODGwnVpJtB5o8OqQ@mail.gmail.com> <CALTJjxGTmSPRNWfbRrpkFQb3nBwY63fUros+4fLsXjum=q3urA@mail.gmail.com> <529F7E9D.80302@elzevir.fr>
From: Adam Langley <agl@google.com>
Date: Wed, 4 Dec 2013 14:19:49 -0500
Message-ID: <CAL9PXLwVQ=GmZXGrh4+VEd-u1dhhvThKHfVf0qRShcR+LdExTQ@mail.gmail.com>
To: =?UTF-8?Q?Manuel_P=C3=A9gouri=C3=A9=2DGonnard?= <mpg@elzevir.fr>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] An SCSV to stop TLS fallback.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Dec 2013 19:20:14 -0000

On Wed, Dec 4, 2013 at 2:12 PM, Manuel Pégourié-Gonnard <mpg@elzevir.fr> wrote:
> Unless I'm mistaken, the problem TLS_FALLBACK_SCSV tries to adress is not
> servers that don't implement version negotiation correctly, but MITM actively
> doing a downgrade attack (and faulty middleboxes, which have the same effect).

I think the chain of sadness goes like this:

1) Some servers don't implement version negotiation correctly, or have
other bugs that happen to be solved by using SSLv3.
2) Therefore some clients implement fallback
3) Therefore attackers can trigger fallback even with correct servers.

The MITM proxies that also had downgrade bugs caused issues with a
Chrome experiment where we removed SSLv3 fallback for Google
properties because it looked, to the client, like an attack. But,
since it's a MITM proxy, it's an attack that the user has authorised.


Cheers

AGL