IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

Bodo Moeller <bmoeller@acm.org> Mon, 13 October 2014 23:47 UTC

Return-Path: <SRS0=V2Ir=7E=acm.org=bmoeller@srs.kundenserver.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06ECB1A1A00 for <tls@ietfa.amsl.com>; Mon, 13 Oct 2014 16:47:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.714
X-Spam-Level:
X-Spam-Status: No, score=-1.714 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.786, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5Gcb7doooE-L for <tls@ietfa.amsl.com>; Mon, 13 Oct 2014 16:47:17 -0700 (PDT)
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.130]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 339A51A008B for <tls@ietf.org>; Mon, 13 Oct 2014 16:47:17 -0700 (PDT)
Received: from mail-yh0-f46.google.com (mail-yh0-f46.google.com [209.85.213.46]) by mrelayeu.kundenserver.de (node=mreue006) with ESMTP (Nemesis) id 0M4gG1-1YNI3L35iv-00z2LZ; Tue, 14 Oct 2014 01:47:15 +0200
Received: by mail-yh0-f46.google.com with SMTP id f73so4045596yha.5 for <tls@ietf.org>; Mon, 13 Oct 2014 16:47:12 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.236.228.33 with SMTP id e31mr2548001yhq.56.1413244032572; Mon, 13 Oct 2014 16:47:12 -0700 (PDT)
Received: by 10.170.194.15 with HTTP; Mon, 13 Oct 2014 16:47:12 -0700 (PDT)
In-Reply-To: <CAFewVt747+NJZxGohr_1=TqW=Pcu7qp7tz=8qYWP=Zg+vRPsPw@mail.gmail.com>
References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com> <CABkgnnUxeouqDNhYFGDC2xqUaT8r7zFvAT5U1OUGJwHwCOuOwA@mail.gmail.com> <CADMpkcJKJiTCQXdDbepyiAf22J9VC03DDgiE521n3NsNnFmALA@mail.gmail.com> <CABkgnnWo9KGMkRrmA0wkJ5Dfnzh2Vo-cveCe_UeH71F8K_4oWw@mail.gmail.com> <CADMpkcJpHeKGV-xc4Uon8KWj=+p=6nQO1_rxb6sRN04nFX--gQ@mail.gmail.com> <CABkgnnU8DyzRvvq1e24bUsZdwx48mFOC6KstZaUCbvyQ-WwesQ@mail.gmail.com> <CADMpkc+wXf=SG3=C==SV77YXZdbXnbXspJLRZ1UORPF-WbVMEw@mail.gmail.com> <CAFewVt5mEodyqB6TWCmvOUBek9Bnb43bmw5mAqph-hQU=F=EpA@mail.gmail.com> <CAFewVt40ewzwujJZ8KQYYALnPjBSZnF-bDiVaz54URA6MaqPEg@mail.gmail.com> <CADMpkcKh=6Y9u_utfLiccZTUKT-BV1+3NQO7OzDN-Dn38sx-TQ@mail.gmail.com> <CAFewVt747+NJZxGohr_1=TqW=Pcu7qp7tz=8qYWP=Zg+vRPsPw@mail.gmail.com>
Date: Tue, 14 Oct 2014 01:47:12 +0200
Message-ID: <CADMpkcKE5fLuJngj9V1wCYFa8dcr9Hxw02y8Bk9Pb56cRZYYkQ@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a11c231fc8ae5850505568456"
X-Provags-ID: V02:K0:iTgc4hdTCunewPz+RYxzNPssjsRxEcZpld53/XFnhMv Yd15Ccsdd9qUUHeymAro62hAeXfO22A0zoODxc3TIB/duY06FO WBuejyGYsTGBo/RZhG2C0IFVQ4Ji5uvjTBwqqgU96UGxL2j4PI f2VmxsHbu0Nfe2tE1CJPeda02NAsf5Hib39ZT7IpY4fA1duHJf IrKcPtQyGBk6QdOftB9vvbxH+PG2XLJrRUeWGwtA2ianVeKU8y Cj0wHp6AgYhcmB01p9HqNxnQBiPgxtugNrOCjTmXDSwbzfwhhH +IYmIF3v0QY0i/N/VCcsAj3TEm1L4PZiIX4K147SxJB04rb9/l qCWajF9X6n4q5CGvM6cvFAAfwDK2Xa9uJFr1MeD6I87HLaF1ak CQeMF5nBnuc6p2Fuvvyy030K39A6zWhIrVKleDQtlAYv/Leuv1 upOxt
X-UI-Out-Filterresults: notjunk:1;
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/DW9fK7NdzlrIFqqWxPeu5HkalBM
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Oct 2014 23:50:07 -0000

Brian Smith <brian@briansmith.org>:

[...]

> 3. Server is upgraded to support TLS 1.2 or higher.
> 4. Client attempts to handshake with client_version == TLS 1.1 and a
> resumed session ticket.
>
> There are four cases to consider:
>
[...]

> CASE 3: Client did not include the TLS_FALLBACK_SCSV, the server
> forgot session state when it was upgraded. The server starts a new TLS
> 1.1 session. Thus, the downgrade protection mechanism has failed to
> prevent a version downgrade.
>

Right, this is the most problematic case. Resuming a session using the old
protocol version (if the server still recognizes that session) is one
thing, but using the old version for a new session is another.

However, this issue really just follows from the relevant language in the
TLS RFCs: "Whenever a client already knows the highest protocol version
known to a server (for example, when resuming a session), it SHOULD
initiate the connection in that native protocol." If the client follows
these directions, using the old protocol version even in case the server
gets upgraded is expected.


> Previously I'd assumed you'd want to keep "normal" behavior (simply
> continue
> > to use the previous protocol version), but I don't see a compelling
> reason
> > for the specification to prescribe that to clients.
>
> Doing that also allows version downgrade to succeed inappropriately in
> the case where the server's capabilities were improved during the
> lifetime of a session cached by a client.
>
> I think the best solution is to take my original suggestion (i.e. keep
> the current logic, but make it more clear),


Now I'm a bit confused. If you consider that consequence (using the old
version if server capabilities have improved since) "improper", why do you
suggest keeping the current logic?




> I think it is realistic to expect that servers that implement the
> inappropriate_fallback logic to implement at least TLS 1.2 (or at
> least TLS 1.1),


I'm not so sure -- the TLS_FALLBACK_SCSV mechanism by design works equally
well with TLS 1.0 and can be easily retrofitted at least in principle.
Thus, to allow essentially *every* implementation to benefit from the SCSV,
I wouldn't want to require any higher version.

Boo

v2.43.4 | Report a Bug | By Email | System Status