Re: [TLS] Downgrade protection, fallbacks, and server time

Stefan Winter <stefan.winter@restena.lu> Mon, 06 June 2016 09:08 UTC

Return-Path: <stefan.winter@restena.lu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F40112D672 for <tls@ietfa.amsl.com>; Mon, 6 Jun 2016 02:08:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.325
X-Spam-Level:
X-Spam-Status: No, score=-3.325 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.426, WEIRD_PORT=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3FtqdVBZHci9 for <tls@ietfa.amsl.com>; Mon, 6 Jun 2016 02:08:45 -0700 (PDT)
Received: from smtprelay.restena.lu (smtprelay.restena.lu [IPv6:2001:a18:1::62]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6114F12D63E for <tls@ietf.org>; Mon, 6 Jun 2016 02:08:45 -0700 (PDT)
Received: from aragorn.restena.lu (aragorn.restena.lu [IPv6:2001:a18:1:8::155]) by smtprelay.restena.lu (Postfix) with ESMTPS id DAB2F412DD for <tls@ietf.org>; Mon, 6 Jun 2016 11:08:43 +0200 (CEST)
To: tls@ietf.org
References: <r470Ps-10115i-C575378C0ADA4162BA5E7152C5185A23@Williams-MacBook-Pro.local>
From: Stefan Winter <stefan.winter@restena.lu>
Openpgp: id=AD3091F3AB24E05F4F722C03C0DE6A358A39DC66; url=http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Message-ID: <57553D9B.3000704@restena.lu>
Date: Mon, 6 Jun 2016 11:08:43 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.7.0
MIME-Version: 1.0
In-Reply-To: <r470Ps-10115i-C575378C0ADA4162BA5E7152C5185A23@Williams-MacBook-Pro.local>
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="fORSstsVXDWWJCS10v3DlQvatCFopJFro"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/A5_LLiwXkhpsq1MnhnXkBxLD5MI>
Subject: Re: [TLS] Downgrade protection, fallbacks, and server time
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jun 2016 09:08:49 -0000

Hi,

>
>
>
> I agree with Hubert. The big question is how you get the bug report to
> the server operator.

Automated mail to webmaster@domain_of_requested_hostname?

Maybe a few thousand new mails in the operator's inbox of sorts "we have
encountered a situation where your version intolerance broke things. Fix
it." (with all the technical details you can dump on an admin and expect
him to understand; which is more than a user can take) wakes them up.

That is, for domains still using webmaster@ like they should.

Greetings,

Stefan Winter

>
> With servers which are currently maintained, it should be possible,
> although difficult in specific instances to contact the owner. With
> servers which aren't being maintained, e.g. those in imbedded devices,
> the problem becomes much harder.
>
> If the client has a UI, it could explain the problem to the user and
> ask if the user wants to continue with degraded security. If so, then
> always use the remembered highest supported version with that server
> domain name, with perhaps occasional reminders to the user of the
> situation.
>
> In any case, we should be addressing our efforts to getting bugs
> fixed, not just coding around them.
>
> Cheers - Bill
>
> -------------------------------------------------------------------------
> Bill Frantz        | The first thing you need when  | Periwinkle
> (408)356-8506      | using a perimeter defense is a | 16345 Englewood Ave
> www.pwpconsult.com | perimeter.                     | Los Gatos, CA 95032
>


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66