Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

[Hanno Böck <hanno@hboeck.de>]

Am Wed, 15 Oct 2014 11:22:51 +0200
schrieb Bodo Moeller <bmoeller@acm.org>:

> Note that if your server does not support formally obsolete protocol
> versions, TLS_FALLBACK_SCSV support is a no-op.
> 
> Otherwise, you're making real-world tradeoffs, and I think
> TLS_FALLBACK_SCSV is a reasonable one to make (with minimal
> server-side logic to achieve the objective), not "punishment".

Can you quantify that tradeoff? How many devices are there really out
there that would break? I'd like to have this discussions with
hard numbers.

I mean we are not talking about legacy compatibility. We're talking
about compatibility with broken stuff.

I want to weight my voice in support of Florian. What we have here is
an out-of-protocol workaround with security and compatibility
implications and a solution that adds another workaround on top of that.

To compare the two:

One solution (keeping downgrade-workarounds and add SCSV):
* Compatiblity with a likely small number (but I'm waiting for hard
  numbers here) of broken legacy hard/software
* Add more complexity to TLS
* Support people who deploy broken stuff, punish people who support
  completely correct configs

Other solution (remove downgrade-workarounds):
* Break some compatiblity with broken devices
* Reduce complexity of TLS in browsers
* Support people who deploy correct implementations, punish people who
  support broken stuff

I think the argument is clearly in favor of the latter solution unless
you have some very good counterarguments.

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: BBB51E42