Re: [TLS] Deprecating SSLv3

[Watson Ladd <watsonbladd@gmail.com>]

On Nov 24, 2014 10:30 AM, "Martin Rex" <mrex@sap.com> wrote:
>
> Hubert Kario wrote:
> > On Monday 24 November 2014 18:06:22 Martin Rex wrote:
> >> Hubert Kario wrote:
> >> > Anyway, you should file a complaint to the manufacturer that it
haven't
> >> > addressed the POODLE vulnerability in their product (or that it
doesn't
> >> > implement advertised protocols properly).
> >>
> >> Poodle is a *PURE* Web-Browser and client problem.
> >> Servers are not vulnerable to Poodle, and this site *REQUIRES*
> >> TLS client certs for authentication.
> >>
> >> Disabling SSLv3 on servers is only a practical mitigation against
> >> the stupid "downgrade dance" that so many browsers perform.
> >> It's difficult for me to understand how someone could implement
> >> the downgrade dance and *NOT* provide a switch to turn it off after
> >> addressing the rfc5746 tls renegotiation issue.
> >
> > To exploit POODLE you need fallback dance *or* support just SSLv3. It's
not
> > limited to web browsers (and there are some clients that do fallback
and are
> > not browsers, e.g. curl).
> >
> > Also, are you saying that an *automated* system won't retry on
connection
> > failure?
>
> _very_ few, if any.  Exactly none of ours.
>
>
> >
> > We're talking about average of 128 failed requests per byte decrypted,
> > even if we fail just every first connection on a system that queries
> > remote server every 5 minutes 24/7 that will require just a month to
> > decrypt 16 byte password/authentication string. There have been far
> > more dedicated and longer attacks in the wild.
>
> You may have not understood the Problem.
>
> It's a plaintext recovery of 1 byte per 256 requests on average
> and you can only recover the last byte of any CBC ciphertext block,
> not the other 7 (3DES/IDEA) or other 15(AES).  And you will need a
> high probability that the secret you want to recover is at a static
> position of the requests that you're attacking.
>
> A poodle attack will be pretty "noisy" on the server, so for many
> usage scenarios, this will be sufficient deterrent, just like many
> apartments have no bullet-proof windows and many doors have not
> pick-proof locks.

What part of "don't hack from your own machine" do you think the NSA
doesn't understand? Even if you noticed the attack, and it isn't from the
government,  what deterrence is there? There was more law and order in the
Wild West.

>
>
> And you could add random URL-parameters or other insert additional
> header fields before the credentials if you absolutely want to
> keep doing disclosing authentication rather than simply switching
> to using TLS client certs for the requests.
>
>
> >
> > SSLv3 has known security problems,
> > more issues may be discovered in the future.
>
> TLS has long known weaknesses and well-documented limitations.
>
> When you remain within the safe usage areas, even SSLv3 is still secure.

Trivial statement is trivial. What are the safe use areas exactly?

>
> Really, what we should worry about is the current usage scenarios
> where even TLSv1.2 can not provide protection, and one of these
> is Cross-Site-Request-Forgery as currently offered by Web-Browsers.
>
>
> >
> > So while use of certificates may mitigate this problem, we may not
> > ever know if it mitigates all problems SSLv3 has.
>
> I'm not expecting any. Honestly.
>
>
> >
> > For example, issues like 3-shake won't be fixed in SSLv3.
>
> I never offered TLS renegotiation to applications in our implementation,
> and I hardwired it to a fatal alert on the server in 2010.
>
> Conservative designs don't have to care about 3-shake.

Why does a protocol like TLS have options to shoot yourself in the foot?
Also, I seem to recall quite a bit of discussion of how renegotiation was a
simple and elegant feature when the suggestion to remove it was made. I
suppose it is when you hardwire it to fail.

Conservative protocol designs minimize options and ensure that the easiest
option is the secure one. They stress simplicity of implementation to ease
auditing implementations, and thus are codesigned with an implementation.
Features are bugs.

>
> There are several more implementation pitfalls hidden in the
> TLS renegotiation design.

Care to share? Or when these are exploited widely, will you insist they
were well-understood limitations?

>
>
> >
> > In my opinion, continued use of it for security-critical applications
> > qualifies for gross negligence.
>
> Nope.  Continued offering of SSLv3-only is the problem here.
> The original SSLv3 and TLS design protects the security parameters
> of the TLS handshake, so a TLSv1.0 capable client that does not
> send ClientHello.client_version = { 3,1 } (or can be coerced to not
> signale TLSv1.0 support by a network-based attacker) is the problem.
>
>
> >
> > Do we really need the repeat of the MD5 signatures story or can we
learn on
> > our own (as in industry) mistakes?
>
>
> It would already be an improvement if the TLS WG stopped (mostly) ignoring
> problems (such as Vaudenay's), or didn't add new problems (such as
> making (rsa,md5) a mandatory-to-implement TLSv1.2 signature algorithm).

And by depreciating a protocol version that doesn't use a secure record
layer because of Vaudenay's attack we are responding to the problem.
Vaudenay's padding oracle is exploited in Lucky 13. Any response is going
to involve depreciating protocols because of well-understood limitations.

Sincerely,
Watson Ladd

>
>
> -Martin
>
> _______________________________________________
> TLS mailing list
>TLS@ietf.org
>https://www.ietf.org/mailman/listinfo/tls