IETF Logo Mail Archive

Re: [TLS] New Version Notification for draft-kampanakis-tls-scas-latest-00.txt (ICA Supression)

Ryan Sleevi <ryan-ietftls@sleevi.com> Fri, 25 February 2022 19:37 UTC

Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE6C93A0E1D for <tls@ietfa.amsl.com>; Fri, 25 Feb 2022 11:37:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.398
X-Spam-Level:
X-Spam-Status: No, score=-1.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1F4ndGda4m2z for <tls@ietfa.amsl.com>; Fri, 25 Feb 2022 11:37:21 -0800 (PST)
Received: from mail-vs1-f47.google.com (mail-vs1-f47.google.com [209.85.217.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B12A23A139C for <tls@ietf.org>; Fri, 25 Feb 2022 11:36:58 -0800 (PST)
Received: by mail-vs1-f47.google.com with SMTP id y26so6576250vsq.8 for <tls@ietf.org>; Fri, 25 Feb 2022 11:36:58 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=nByXZmKJ+RBse70FEbA7fTcpkLBGJ5u+8EhrqWDQbdQ=; b=jvlnnLlQFfiDVpq/WiVSkNRNH+vaf3aT620Fq44hA604ZApwcZVwcoYe5hO945YVbB 7U8ekrOrL9Mh+oQD8Sga/MS45u4G2sOk8CcU7te6eRa5CDX+TefWqsMolK5M0FAo8zGq MpOHS1RciJGFVtPws33onL2vXeBDo1BznZdkfH1pKWU+A8oek3NuhNLWfQopkO37b8gU 4SkfIQvngu1jWFn7Ukai7BkoVq2Ov8wE+MdqQnUVKLcSt/fNQiyqfLxSZmVOgAGaxJFv JnytTHjFoSzNTdroIGkGqJ0McKItTsmVDbaYjs993oUg7pPNonooHMNkcHo8agvxmknS 54Hw==
X-Gm-Message-State: AOAM531aAYvngSxZ37Hbb6N8/mTeRLemWpmFuyHjA6Wg3erYQ/JUy0Gi Kk7hG34p3GzBvFGvMTbUQlwBmP8ktFA=
X-Google-Smtp-Source: ABdhPJyp2iWKgYV4M9sJTNLOj/fRGZu5Bi06/CUmA7WGrxLaG8GTl4P9BPJItH1I4CNVjr3OvKvVsg==
X-Received: by 2002:a05:6102:22e2:b0:31c:1d4e:aca0 with SMTP id b2-20020a05610222e200b0031c1d4eaca0mr4426396vsh.41.1645817817384; Fri, 25 Feb 2022 11:36:57 -0800 (PST)
Received: from mail-vs1-f47.google.com (mail-vs1-f47.google.com. [209.85.217.47]) by smtp.gmail.com with ESMTPSA id f7-20020a1fcf07000000b0033211925ef8sm477369vkg.2.2022.02.25.11.36.57 for <tls@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 25 Feb 2022 11:36:57 -0800 (PST)
Received: by mail-vs1-f47.google.com with SMTP id w4so6620870vsq.1 for <tls@ietf.org>; Fri, 25 Feb 2022 11:36:57 -0800 (PST)
X-Received: by 2002:a05:6102:3906:b0:30f:84ae:35c5 with SMTP id e6-20020a056102390600b0030f84ae35c5mr3570773vsu.7.1645817816951; Fri, 25 Feb 2022 11:36:56 -0800 (PST)
MIME-Version: 1.0
References: <83f923185c3741ccb668826f5b11b0c3@EX13D01ANC003.ant.amazon.com> <CAErg=HFamywTBGriKsVd4eB=yo46Mz2JcKnnjHY8s36f12qEFg@mail.gmail.com> <180543c01fdf439cbdfd8214ec75eb76@EX13D01ANC003.ant.amazon.com> <CAErg=HGufDVCKN+PqPQ80MoVobK0N7ocVjLoDaAyqq5+Bma6TQ@mail.gmail.com> <caa7508995694a56b5b5f632ed8bf49a@EX13D01ANC003.ant.amazon.com> <YhDRHwiTXI6T78+c@LK-Perkele-VII2.locald> <CAErg=HEKPrxxg2gCqpZCOedhHpWvUmXEPVLTW8Cx2t8fSURmyQ@mail.gmail.com> <YhkBBESsgSrIygBL@LK-Perkele-VII2.locald>
In-Reply-To: <YhkBBESsgSrIygBL@LK-Perkele-VII2.locald>
From: Ryan Sleevi <ryan-ietftls@sleevi.com>
Date: Fri, 25 Feb 2022 14:36:46 -0500
X-Gmail-Original-Message-ID: <CAErg=HFAr7rXWDAVWxu80nHGD06KND9Y=53XF1ryfL0ODpEC2g@mail.gmail.com>
Message-ID: <CAErg=HFAr7rXWDAVWxu80nHGD06KND9Y=53XF1ryfL0ODpEC2g@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000058339705d8dcd2a2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9l9OtlUGbxDEDBThMGMR4Ox8NWY>
Subject: Re: [TLS] New Version Notification for draft-kampanakis-tls-scas-latest-00.txt (ICA Supression)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Feb 2022 19:37:26 -0000

On Fri, Feb 25, 2022 at 11:17 AM Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> I have hard time seeing how one could construct downgrade attack out of
> this, as it just requests extra data from server on fallback. For most
> other retry stuff, downgrade attack risk is obvious as less secure modes
> are introduced / more secure modes are removed.


I think I’m raising a question about whether or not implementations will
actually do this, and arguably, to explicitly specify this if this is the
expectation. In theory, yes, if the only thing changing in a fallback is an
optional flag, it “shouldn’t” have concerns. In practice, however, these
sorts of fallbacks (e.g. various server bug workarounds) introduce
compositions that cause new and unexpected interactions. This is why the
ecosystem has tried very hard to avoid fallbacks (c.f. TLS 1.3) and
ensuring that both parties are able to commit to the negotiation. We saw
this with the renegotiation issues getting confused state from the initial
handshake.

Having pathLen >= 1 would do as well, right?


Sure, “without pathLen constraints”

And such ICAs can already be abused for tracking if the browser does
> transvalidity. Suppress ICAs flag would make it worse, by allowing other
> sites to read such tracking supercookies.


Transvalidity was never something widely supported outside of a specific
product/library (Mozilla NSS). But yes, this is the point: this feature
gives a much stronger signal.

Defense is not doing transvalidity nor cached AIA chasing (since those
> caches represent state that could be attacked). This closes the attack
> for both with and without suppress ICAs.


I fail to see how it closes it without suppress ICAs, particularly because
the current draft very explicitly suggests caching as a possibility.  And
yes, implementations that wish to mitigate cross-context tracking are
working to isolate those caches, and this was my point: doesn’t this
isolation defeat the benefits of the caching / the likelihood of
intermediate omission succeeding, and functionally mean that there needs to
be a reliable, semi-real-time distribution mechanism for intermediates to
achieve the benefits?

I’m trying to look at this from a systems perspective, and tease out
explicitly: what is this solution assuming exists in order to achieve the
desired effect, and with those assumptions, are there
simpler/less-risky/alternative technical solutions? Not to bikeshed, but
because the design assumptions here are unstated and have practical and
meaningful ecosystem effect, and so we at least owe that much.

v2.23.0 | Report a Bug | By Email