Re: [TLS] Downgrade protection, fallbacks, and server time

Stefan Winter, Mon, 06 June 2016 09:08 UTC


> I agree with Hubert. The big question is how you get the bug report to
> the server operator.

Automated mail to webmaster@domain_of_requested_hostname?

Maybe a few thousand new mails in the operator's inbox of sorts "we have
encountered a situation where your version intolerance broke things. Fix
it." (with all the technical details you can dump on an admin and expect
him to understand; which is more than a user can take) wakes them up.

That is, for domains still using webmaster@ like they should.


Stefan Winter

> With servers which are currently maintained, it should be possible,
> although difficult in specific instances to contact the owner. With
> servers which aren't being maintained, e.g. those in imbedded devices,
> the problem becomes much harder.
> If the client has a UI, it could explain the problem to the user and
> ask if the user wants to continue with degraded security. If so, then
> always use the remembered highest supported version with that server
> domain name, with perhaps occasional reminders to the user of the
> situation.
> In any case, we should be addressing our efforts to getting bugs
> fixed, not just coding around them.
> Cheers - Bill
> -------------------------------------------------------------------------
> Bill Frantz        | The first thing you need when  | Periwinkle
> (408)356-8506      | using a perimeter defense is a | 16345 Englewood Ave
>                    | perimeter.                     | Los Gatos, CA 95032

Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me