Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

Marsh Ray <marsh@extendedsubset.com> Mon, 09 November 2009 20:25 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CB7543A68F2 for <tls@core3.amsl.com>; Mon, 9 Nov 2009 12:25:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.451
X-Spam-Level:
X-Spam-Status: No, score=-2.451 tagged_above=-999 required=5 tests=[AWL=0.148, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V5ZUO7ux7-ex for <tls@core3.amsl.com>; Mon, 9 Nov 2009 12:25:57 -0800 (PST)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 08B0D3A68B4 for <tls@ietf.org>; Mon, 9 Nov 2009 12:25:57 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1N7aoh-000KgB-1R for tls@ietf.org; Mon, 09 Nov 2009 20:26:23 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 2C52B6678 for <tls@ietf.org>; Mon, 9 Nov 2009 20:26:22 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX19CLfEtE5sEYICT46OI4GO6fKJx4syksiE=
Message-ID: <4AF87AE9.7090103@extendedsubset.com>
Date: Mon, 09 Nov 2009 14:26:17 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: "tls@ietf.org" <tls@ietf.org>
References: <CE2A65CAAFE55048BA6682475F9A7DBF5EA6E59A16@ACLMAIL01.corp.audiocodes.com> <4AF81CFF.8010803@extendedsubset.com>, <4AF86EDF.3090004@jacaranda.org> <CE2A65CAAFE55048BA6682475F9A7DBF5EA6E601B9@ACLMAIL01.corp.audiocodes.com>
In-Reply-To: <CE2A65CAAFE55048BA6682475F9A7DBF5EA6E601B9@ACLMAIL01.corp.audiocodes.com>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Nov 2009 20:25:57 -0000

Yair Elharrar wrote:
> David-Sarah Hopwood wrote:
>> To prevent this attack, they don't have to disallow connections,
>> only renegotiations in which the extension is not used.
>> 
> 
> That's a very good point. Perhaps the draft could be changed to
> reflect that? I can't see any reason why an airport kiosk would need
> to renegotiate an HTTPS connection (these devices rarely have client
> certificates installed); however it should be allowed to connect to
> secure web sites.

Here are some reasons to strongly encourage it:

A variation of the attack involves the client seeing the renegotiation
with MITM and the server sees just a single session. I believe but have
not proven that this bug is not uncommon among typical clients. If TLS
allows connections with anonymous servers (and possibly authenticated
clients), then it violates the same identity guarantee implied by the spec.

At some point in the future it will be a good indication that the client
software is poorly-maintained. Some admins will prefer not to exchange
confidential data with such systems.

Absence of the extension will also raise flags on network monitoring
equipment. Consistent usage will make detection more reliable.

Here are some reasons not to encourage it so strongly:

The attack in which the renegotiation is only seen on the client side
usually requires a logic error on the client's part, so it might not be
a concern of the TLS spec.

Somewhere, someone is doing something over TLS that is not vulnerable
because neither side ever will ever allow renegotiation. Unfortuantely,
this can only be determined by direct inspection of the code at both ends.

- Marsh