Re: [TLS] consensus on backwards compatibility changes

Dave Garrett <davemgarrett@gmail.com> Fri, 13 February 2015 03:28 UTC

Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F31091A00FB for <tls@ietfa.amsl.com>; Thu, 12 Feb 2015 19:28:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iAeOV0J5yCr8 for <tls@ietfa.amsl.com>; Thu, 12 Feb 2015 19:28:04 -0800 (PST)
Received: from mail-qc0-x233.google.com (mail-qc0-x233.google.com [IPv6:2607:f8b0:400d:c01::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B0131A00FC for <tls@ietf.org>; Thu, 12 Feb 2015 19:28:04 -0800 (PST)
Received: by mail-qc0-f179.google.com with SMTP id r5so12048230qcx.10 for <tls@ietf.org>; Thu, 12 Feb 2015 19:28:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=tLX0Bof8kEXGP8B+h4i2wt1XWru+pU7IJDmzYF3Zb3E=; b=TwJBCnf9w1r/0G0Zhz9KxfVRfjz/5IYrOJ0zWvgzFUqcZzt4Rz04lYlAKLnGbstmgs JfnARNuWmCfw5KfUE8F3TbWpWC7NS0ejZpud/RDmhReT2qDa3Rg5l2+AxJmxvp6rcmXt 0HRUXnzwGIC3ei3KIOsXC3h1gG8ErJsECJOTtdY0hZ2NTMjdYcQByZv57WvQMgXmtDNJ yFXjb8fOaCBbWEMKyt79WFT5q0++2Pe4wYQcRvSIekCbPRoJ5ZypJ+e8Degv7N/xuVDD uMBUkNwhIydeOkk87W5gtl0uyUIX8y+rLj/zqM0Byck6n7P1fA03NsCEtY8J6idT6ZfX VTiA==
X-Received: by 10.141.28.65 with SMTP id f62mr1321285qhe.90.1423798083722; Thu, 12 Feb 2015 19:28:03 -0800 (PST)
Received: from dave-laptop.localnet (pool-96-245-254-195.phlapa.fios.verizon.net. [96.245.254.195]) by mx.google.com with ESMTPSA id w5sm5974939qas.41.2015.02.12.19.28.03 (version=TLSv1 cipher=RC4-SHA bits=128/128); Thu, 12 Feb 2015 19:28:03 -0800 (PST)
From: Dave Garrett <davemgarrett@gmail.com>
To: Michael Clark <michael@metaparadigm.com>
Date: Thu, 12 Feb 2015 22:28:01 -0500
User-Agent: KMail/1.13.5 (Linux/2.6.32-71-generic-pae; KDE/4.4.5; i686; ; )
References: <201412300503.03923.davemgarrett@gmail.com> <201502121714.54235.davemgarrett@gmail.com> <54DD6065.8000205@metaparadigm.com>
In-Reply-To: <54DD6065.8000205@metaparadigm.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <201502122228.02125.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Egvri83FuGu44cwEiZVnhUMrkME>
Cc: "TLS@ietf.org \(tls@ietf.org\)" <tls@ietf.org>
Subject: Re: [TLS] consensus on backwards compatibility changes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Feb 2015 03:28:07 -0000

On Thursday, February 12, 2015 09:24:37 pm Michael Clark wrote:
> * Spec can be explicit that it is NOT RECOMMENDED for TLSv1.3 clients to
> negotiate SSLv3 { 3, 0 } not to be conflated with the record layer lower
> bound.

https://tlswg.github.io/tls13-spec/#rfc.appendix.E.2

SSL negotiation total prohibition was committed earlier today.

> * Believe ClientHello { 3, 0 } { 3, 4 } may be more guarded.

{3,1} is current practice for some clients at the moment. General goal is to fix it to something static that works and makes sense. If we wish to avoid information leakage, the best value is whatever is already used commonly.

> prefer it to the minimum supported
> backwards compatible record layer version

Agreed. It depends on if you consider SSL3 or TLS1 to be that minimum.

> * { 3, 1 } can be regarded as the binary compatibility pivot point due
> to its extension support. In that case I favor { 3, 1 }

My reasoning as well.

Either version number is acceptable. The "best" value could be empirically determined by surveying servers for which gets the least intolerance when attempting to negotiate 1.3.

> 2.) "Negotiating with buggy servers"
> 
> * Primary observation. This section is at odds with the consensus for
> TLSv1.3 implementation to not negotiate anything lower than TLSv1.0 { 3,
> 1 } with >= TLSv1.2.
> * While the protocol lower bound may not be in scope for the TLSv1.3
> spec; the security concern for bugger servers should be; a small number
> of buggy servers lead to clients with attack vectors
> * Buggy servers should not be named or supported in a security protocol
> draft.
> 
> As an observer I would prefer to see this text changed from this:
> 
>     "and may require multiple connection attempts by the client."
> 
> to something like this:
> 
>     "and may require multiple connection attempts by the client, however
> it is NOT RECOMMENDED that clients make multiple connection attempts as
> this provides a vector for downgrade attacks"

That block of text is pre-existing, just moved. A NOT RECOMMENDED line sounds appropriate if nobody objects. Insecure fallback is being phased out by Mozilla, at least, and it was never really a good idea.

Alternatively, I could just drop the whole paragraph/subsection. This set of changes are to attempt to address this concern better, so maybe they're sufficient without this buggy servers bit?


Dave