Re: [TLS] Deployment ... Re: This working group has failed

Yoav Nir <ynir@checkpoint.com> Sun, 17 November 2013 11:13 UTC

From: Yoav Nir <ynir@checkpoint.com>
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
Date: Sun, 17 Nov 2013 11:12:55 +0000
Message-ID: <11586138-5410-404B-905F-CEA1DEBF6DE1@checkpoint.com>
References: <CACsn0c=i2NX2CZ=Md2X+WM=RM8jAysaenz6oCxmoPt+LC5wvjA@mail.gmail.com> <52874576.9000708@gmx.net> <5287B4F6.1060102@defuse.ca> <52889ACF.3050302@gmx.net>
In-Reply-To: <52889ACF.3050302@gmx.net>
Cc: "tls@ietf.org list" <tls@ietf.org>
Subject: Re: [TLS] Deployment ... Re: This working group has failed

On Nov 17, 2013, at 12:30 PM, Hannes Tschofenig <Hannes.Tschofenig@gmx.net> wrote:

> Hi Taylor,
> 
> Would be interesting to hear from someone working for Mozilla (like Ekr, our TLS WG chair) why things are progressing so slowly and what exactly their problem is.
> 

Hi Hannes,

We have heard before from people at Google and at Microsoft. Google only added TLS 1.2 very recently, and Microsoft added it very early, but disabled it by default for a long time.

There were issues with failures of connection attempts using TLS 1.2. There have been issues with 1.1, but 1.2 produced many more of them.

 1. TLS 1.2 is the first version to require support of extensions. Some servers broke when extensions existed.
 2. Some servers broke on unrecognized extensions.
 3. Some servers break on missing extensions - certain servers will not accept a TLS 1.2 ClientHello without the SignatureAlgorithm extension.

Combining 1 & 3, you can't win. Some servers just won't work.

I don't know what changed. Perhaps the percentage of servers that are broken like that has diminished. But now it looks like the browser vendors have deemed it sufficiently low to allow them to turn this on by default.

Yoav
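The three server-breakage classes Yoav lists, as an added illustration that is not part of his message or of any TLS implementation: a minimal TLS 1.2 ClientHello builder and extension parser in Python, plus a classifier that reports which class a given hello would trip. The cipher-suite list, the all-zero random and the set of "known" extension types are constructed sample values (assumptions), not taken from the thread.

```python
import struct

# TLS 1.2 constants (RFC 5246): version bytes and the extension type id for signature_algorithms.
TLS12 = b"\x03\x03"
EXT_SIGNATURE_ALGORITHMS = 13
KNOWN_EXTENSIONS = {0, 10, 11, 13, 35}  # types a 2013-era server might recognise; constructed sample set

def build_client_hello(version=TLS12, extensions=None):
    """Build a ClientHello handshake message (no record layer).
    extensions: list of (type, data) pairs, or None for a hello with no extensions block at all."""
    body = version
    body += b"\x00" * 32                        # client_random: fixed zeros, constructed sample
    body += b"\x00"                             # session_id: empty
    suites = b"\xc0\x2f\x00\x2f"                # two cipher suites, constructed sample
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                         # compression_methods: null only
    if extensions is not None:                  # the extensions block is optional in the wire format
        ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    return b"\x01" + struct.pack("!I", len(body))[1:] + body   # client_hello(1) + uint24 length + body

def parse_extensions(hello):
    """Return {ext_type: data} for a ClientHello, or None when it carries no extensions block."""
    assert hello[0] == 1, "not a ClientHello"
    pos = 4 + 2 + 32                            # skip handshake header, version, random
    pos += 1 + hello[pos]                       # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                       # compression_methods
    if pos == len(hello):
        return None
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    exts = {}
    while pos < end:
        t, length = struct.unpack("!HH", hello[pos:pos + 4])
        exts[t] = hello[pos + 4:pos + 4 + length]
        pos += 4 + length
    return exts

def intolerance_classes_hit(hello):
    """Which of the three breakage classes from the mail a given ClientHello would trip on some server."""
    hit = set()
    exts = parse_extensions(hello)
    if exts is not None:
        hit.add("breaks_on_any_extension")                  # class 1
        if set(exts) - KNOWN_EXTENSIONS:
            hit.add("breaks_on_unrecognized_extension")     # class 2
    if exts is None or EXT_SIGNATURE_ALGORITHMS not in exts:
        hit.add("breaks_without_signature_algorithms")      # class 3
    return hit
```

Every hello the builder can produce lands in at least one class, which is the "you can't win" point: a client has to pick one form and accept that some servers will fail.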