Re: [TLS] New Version Notification for draft-kampanakis-tls-scas-latest-00.txt (ICA Supression)
Ryan Sleevi <ryan-ietftls@sleevi.com> Fri, 25 February 2022 19:37 UTC
Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE6C93A0E1D for <tls@ietfa.amsl.com>; Fri, 25 Feb 2022 11:37:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.398
X-Spam-Level:
X-Spam-Status: No, score=-1.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1F4ndGda4m2z for <tls@ietfa.amsl.com>; Fri, 25 Feb 2022 11:37:21 -0800 (PST)
Received: from mail-vs1-f47.google.com (mail-vs1-f47.google.com [209.85.217.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B12A23A139C for <tls@ietf.org>; Fri, 25 Feb 2022 11:36:58 -0800 (PST)
Received: by mail-vs1-f47.google.com with SMTP id y26so6576250vsq.8 for <tls@ietf.org>; Fri, 25 Feb 2022 11:36:58 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=nByXZmKJ+RBse70FEbA7fTcpkLBGJ5u+8EhrqWDQbdQ=; b=jvlnnLlQFfiDVpq/WiVSkNRNH+vaf3aT620Fq44hA604ZApwcZVwcoYe5hO945YVbB 7U8ekrOrL9Mh+oQD8Sga/MS45u4G2sOk8CcU7te6eRa5CDX+TefWqsMolK5M0FAo8zGq MpOHS1RciJGFVtPws33onL2vXeBDo1BznZdkfH1pKWU+A8oek3NuhNLWfQopkO37b8gU 4SkfIQvngu1jWFn7Ukai7BkoVq2Ov8wE+MdqQnUVKLcSt/fNQiyqfLxSZmVOgAGaxJFv JnytTHjFoSzNTdroIGkGqJ0McKItTsmVDbaYjs993oUg7pPNonooHMNkcHo8agvxmknS 54Hw==
X-Gm-Message-State: AOAM531aAYvngSxZ37Hbb6N8/mTeRLemWpmFuyHjA6Wg3erYQ/JUy0Gi Kk7hG34p3GzBvFGvMTbUQlwBmP8ktFA=
X-Google-Smtp-Source: ABdhPJyp2iWKgYV4M9sJTNLOj/fRGZu5Bi06/CUmA7WGrxLaG8GTl4P9BPJItH1I4CNVjr3OvKvVsg==
X-Received: by 2002:a05:6102:22e2:b0:31c:1d4e:aca0 with SMTP id b2-20020a05610222e200b0031c1d4eaca0mr4426396vsh.41.1645817817384; Fri, 25 Feb 2022 11:36:57 -0800 (PST)
Received: from mail-vs1-f47.google.com (mail-vs1-f47.google.com. [209.85.217.47]) by smtp.gmail.com with ESMTPSA id f7-20020a1fcf07000000b0033211925ef8sm477369vkg.2.2022.02.25.11.36.57 for <tls@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 25 Feb 2022 11:36:57 -0800 (PST)
Received: by mail-vs1-f47.google.com with SMTP id w4so6620870vsq.1 for <tls@ietf.org>; Fri, 25 Feb 2022 11:36:57 -0800 (PST)
X-Received: by 2002:a05:6102:3906:b0:30f:84ae:35c5 with SMTP id e6-20020a056102390600b0030f84ae35c5mr3570773vsu.7.1645817816951; Fri, 25 Feb 2022 11:36:56 -0800 (PST)
MIME-Version: 1.0
References: <83f923185c3741ccb668826f5b11b0c3@EX13D01ANC003.ant.amazon.com> <CAErg=HFamywTBGriKsVd4eB=yo46Mz2JcKnnjHY8s36f12qEFg@mail.gmail.com> <180543c01fdf439cbdfd8214ec75eb76@EX13D01ANC003.ant.amazon.com> <CAErg=HGufDVCKN+PqPQ80MoVobK0N7ocVjLoDaAyqq5+Bma6TQ@mail.gmail.com> <caa7508995694a56b5b5f632ed8bf49a@EX13D01ANC003.ant.amazon.com> <YhDRHwiTXI6T78+c@LK-Perkele-VII2.locald> <CAErg=HEKPrxxg2gCqpZCOedhHpWvUmXEPVLTW8Cx2t8fSURmyQ@mail.gmail.com> <YhkBBESsgSrIygBL@LK-Perkele-VII2.locald>
In-Reply-To: <YhkBBESsgSrIygBL@LK-Perkele-VII2.locald>
From: Ryan Sleevi <ryan-ietftls@sleevi.com>
Date: Fri, 25 Feb 2022 14:36:46 -0500
X-Gmail-Original-Message-ID: <CAErg=HFAr7rXWDAVWxu80nHGD06KND9Y=53XF1ryfL0ODpEC2g@mail.gmail.com>
Message-ID: <CAErg=HFAr7rXWDAVWxu80nHGD06KND9Y=53XF1ryfL0ODpEC2g@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000058339705d8dcd2a2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9l9OtlUGbxDEDBThMGMR4Ox8NWY>
Subject: Re: [TLS] New Version Notification for draft-kampanakis-tls-scas-latest-00.txt (ICA Supression)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Feb 2022 19:37:26 -0000
On Fri, Feb 25, 2022 at 11:17 AM Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > I have hard time seeing how one could construct downgrade attack out of > this, as it just requests extra data from server on fallback. For most > other retry stuff, downgrade attack risk is obvious as less secure modes > are introduced / more secure modes are removed. I think I’m raising a question about whether or not implementations will actually do this, and arguably, to explicitly specify this if this is the expectation. In theory, yes, if the only thing changing in a fallback is an optional flag, it “shouldn’t” have concerns. In practice, however, these sorts of fallbacks (e.g. various server bug workarounds) introduce compositions that cause new and unexpected interactions. This is why the ecosystem has tried very hard to avoid fallbacks (c.f. TLS 1.3) and ensuring that both parties are able to commit to the negotiation. We saw this with the renegotiation issues getting confused state from the initial handshake. Having pathLen >= 1 would do as well, right? Sure, “without pathLen constraints” And such ICAs can already be abused for tracking if the browser does > transvalidity. Suppress ICAs flag would make it worse, by allowing other > sites to read such tracking supercookies. Transvalidity was never something widely supported outside of a specific product/library (Mozilla NSS). But yes, this is the point: this feature gives a much stronger signal. Defense is not doing transvalidity nor cached AIA chasing (since those > caches represent state that could be attacked). This closes the attack > for both with and without suppress ICAs. I fail to see how it closes it without suppress ICAs, particularly because the current draft very explicitly suggests caching as a possibility. And yes, implementations that wish to mitigate cross-context tracking are working to isolate those caches, and this was my point: doesn’t this isolation defeat the benefits of the caching / the likelihood of intermediate omission succeeding, and functionally mean that there needs to be a reliable, semi-real-time distribution mechanism for intermediates to achieve the benefits? I’m trying to look at this from a systems perspective, and tease out explicitly: what is this solution assuming exists in order to achieve the desired effect, and with those assumptions, are there simpler/less-risky/alternative technical solutions? Not to bikeshed, but because the design assumptions here are unstated and have practical and meaningful ecosystem effect, and so we at least owe that much.
- Re: [TLS] New Version Notification for draft-kamp… Kampanakis, Panos
- Re: [TLS] New Version Notification for draft-kamp… Ilari Liusvaara
- Re: [TLS] New Version Notification for draft-kamp… Ryan Sleevi
- Re: [TLS] New Version Notification for draft-kamp… Kampanakis, Panos
- Re: [TLS] New Version Notification for draft-kamp… Ilari Liusvaara
- Re: [TLS] New Version Notification for draft-kamp… Kampanakis, Panos
- Re: [TLS] New Version Notification for draft-kamp… Martin Thomson
- Re: [TLS] New Version Notification for draft-kamp… Ryan Sleevi
- Re: [TLS] New Version Notification for draft-kamp… Kampanakis, Panos
- Re: [TLS] New Version Notification for draft-kamp… Bas Westerbaan
- Re: [TLS] New Version Notification for draft-kamp… Ilari Liusvaara
- Re: [TLS] New Version Notification for draft-kamp… Kampanakis, Panos
- Re: [TLS] New Version Notification for draft-kamp… Kampanakis, Panos
- Re: [TLS] New Version Notification for draft-kamp… Ilari Liusvaara
- Re: [TLS] New Version Notification for draft-kamp… Ryan Sleevi
- Re: [TLS] New Version Notification for draft-kamp… Ilari Liusvaara
- Re: [TLS] New Version Notification for draft-kamp… Ryan Sleevi
- Re: [TLS] New Version Notification for draft-kamp… Kampanakis, Panos
- Re: [TLS] New Version Notification for draft-kamp… Bas Westerbaan