Re: [TLS] To extend or not to extend
Bodo Moeller <bmoeller@acm.org> Sun, 15 November 2009 22:22 UTC
Return-Path: <bmoeller@acm.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0B7FC3A68FD for <tls@core3.amsl.com>; Sun, 15 Nov 2009 14:22:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.624
X-Spam-Level:
X-Spam-Status: No, score=-100.624 tagged_above=-999 required=5 tests=[AWL=-0.788, BAYES_40=-0.185, HELO_EQ_DE=0.35, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PtFli0kpNMrQ for <tls@core3.amsl.com>; Sun, 15 Nov 2009 14:22:49 -0800 (PST)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.17.10]) by core3.amsl.com (Postfix) with ESMTP id 174663A6781 for <tls@ietf.org>; Sun, 15 Nov 2009 14:22:49 -0800 (PST)
Received: from [10.1.64.105] (216-239-44-65.google.com [216.239.44.65]) by mrelayeu.kundenserver.de (node=mrbap0) with ESMTP (Nemesis) id 0Lf0SV-1O0OBV0UDX-00qDlu; Sun, 15 Nov 2009 23:22:47 +0100
From: Bodo Moeller <bmoeller@acm.org>
To: Nelson B Bolyard <nelson@bolyard.me>
In-Reply-To: <4B006F37.6030905@bolyard.me>
References: <AC1CFD94F59A264488DC2BEC3E890DE5091A760A@xmb-sjc-225.amer.cisco.com> <20091115113857.4E04D69F7B2@kilo.networkresonance.com> <4B006F37.6030905@bolyard.me>
Message-Id: <F1240B36-28C3-44EC-9B42-9C099F83365D@acm.org>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Sun, 15 Nov 2009 14:22:43 -0800
X-Mailer: Apple Mail (2.936)
X-Provags-ID: V01U2FsdGVkX1/wSdieUYsTgbCpu/jzsgrZ3TsWWZ+UphrAdOc fJnpoIM362Zhquebee+Ph6Rjc8PK+kdAF71j7vpb5MBQaTxYcH nbCoLVQKuRT5C+9QIZPLA==
Cc: tls@ietf.org
Subject: Re: [TLS] To extend or not to extend
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Nov 2009 22:22:50 -0000
On Nov 15, 2009, at 1:14 PM, Nelson B Bolyard wrote: > On 2009-11-15 03:38 PDT, Eric Rescorla wrote: > >> So, thinking further on my earlier message, I think the following >> elaboration will work a bit better: >> >> - Strict clients (those which wish to insist on RI) generate RI on >> initial handshake. As I said earlier, I don't think this is >> useful, but it works. >> >> - Lenient clients do not generate RI on initial handshake but do >> generate it on rehandshake with TLS 1.0+ only. >> + Moderately lenient clients can fail if the server does not >> do RI. >> + Really lenient clients can ignore the server's failure to >> do RI. > > Aren't your so-called Lenient clients still 100% vulnerable to the > attack? > > What prevents their initial handshakes from being used by an > attacker as > renegotiations with a vulnerable server? Not connecting to a vulnerable server would. In the web browser scenario, if I know that the HTTPS servers I use for serious purposes are not vulnerable (i.e. don't allow renegotiation, other than possibly with the updated renegotiation protocol), I'm fine. When an HTTP page points me to an HTTPS page that I haven't heard of before, where I wouldn't even bother to verify the certificate's subject name or the hostname, then I don't care at all: I don't know if the entity that owns the certificate is who I think is running the site anyway. Maybe a "Man-in-the-Middle" style attacker is handling all my connections and forwarding them to the real server in TLS renegotiation handshakes -- so what? The attacker could just as well have directed me to another domain for which they have a certificate. If there's no active attacker, I'm fine to the extent that it's possible: my traffic is at least safe from passive eavesdroppers. Without a lenient client, I'll actually lose something if the servers haven't been upgraded because I might have to fall back to an unencrypted connection instead. Bodo
- [TLS] To extend or not to extend Joseph Salowey (jsalowey)
- Re: [TLS] To extend or not to extend Eric Rescorla
- Re: [TLS] To extend or not to extend Bodo Moeller
- Re: [TLS] To extend or not to extend Martin Rex
- Re: [TLS] To extend or not to extend Nicolas Williams
- Re: [TLS] To extend or not to extend Nelson B Bolyard
- Re: [TLS] To extend or not to extend Nelson B Bolyard
- Re: [TLS] To extend or not to extend Bodo Moeller
- Re: [TLS] To extend or not to extend Nelson B Bolyard
- Re: [TLS] To extend or not to extend Bodo Moeller
- Re: [TLS] To extend or not to extend Joseph Salowey (jsalowey)
- Re: [TLS] To extend or not to extend Eric Rescorla