Re: [TLS] I-D Action: draft-ietf-tls-downgrade-scsv-03.txt

Jeffrey Walton <noloader@gmail.com> Tue, 16 December 2014 00:42 UTC

In-Reply-To: <548F56C8.70104@fifthhorseman.net>
References: <20141215214116.159171B085@ld9781.wdf.sap.corp> <548F56C8.70104@fifthhorseman.net>
Date: Mon, 15 Dec 2014 19:42:40 -0500
Message-ID: <CAH8yC8nmrVKyz+v3EJgX48c00xqGzG1fq=ryc0aNP-vY28cKMw@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/91ZmLPNyPjvqdCCYNPuJW_C7l9M
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-downgrade-scsv-03.txt

On Mon, Dec 15, 2014 at 4:46 PM, Daniel Kahn Gillmor
<dkg@fifthhorseman.net> wrote:
> On 12/15/2014 04:41 PM, mrex@sap.com (Martin Rex) wrote:
>> The scenario where this problem can hit is with non-malicious
>> middleboxes that do not recognize (and therefore do not permit)
>> TLSv1.2 handshakes.
>
> How do we distinguish between these non-malicious middleboxes that do
> not permit TLSv1.2 because they don't recognize it and malicious
> middleboxes that want to force modern peers into a downgrade by not
> permitting TLSv1.2?
>
> Do the non-malicious middleboxes use RFC 3514?
>
That's the million dollar question: how can you tell the "good" bad guys
from the "bad" bad guys?

I think the answer is: you can't.

If browsers and other software want to downgrade in an insecure
fashion, then they are on their own. Don't placate them in their
efforts and weaken the system for everyone else.