Re: [TLS] An SCSV to stop TLS fallback.

Watson Ladd <watsonbladd@gmail.com> Sat, 07 December 2013 06:32 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7BE31AE244 for <tls@ietfa.amsl.com>; Fri, 6 Dec 2013 22:32:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8B88mLzxps-l for <tls@ietfa.amsl.com>; Fri, 6 Dec 2013 22:32:57 -0800 (PST)
Received: from mail-we0-x234.google.com (mail-we0-x234.google.com [IPv6:2a00:1450:400c:c03::234]) by ietfa.amsl.com (Postfix) with ESMTP id 59C3F1ADF23 for <tls@ietf.org>; Fri, 6 Dec 2013 22:32:57 -0800 (PST)
Received: by mail-we0-f180.google.com with SMTP id t61so1525421wes.39 for <tls@ietf.org>; Fri, 06 Dec 2013 22:32:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=t84pCZlHffACG6WPBMHNKD2M4QINmv2KmoXvhVFJsXU=; b=FXx6sS53qCFW3HdFFLF2NfZ3QvXnUIfY5BVeTJJL4KoVvWciTD9CSdHw9gmR9PhgD+ stqJb0IMTFgm3rSmzuevXmk4EIpWmrt/8H+066gImcDsdMGd4iblkZ3JUFbeVc6A1CtV z+ylKCmyL6NL4xTyh2t9oQGM8ZozLpKhHHtaSaQvJFEgua8OZcyTV5U5Hf0krHN//Iuq +56zmPhcZbeXa2V08uLoGIyBtk2diUoFAgNx1arWNtHjOVbYoPb0I5+FwE+poOTJkxqu UCComYJQ+AV0BacKrSYEDuD1L437vA+CT6J5Wraj1YoIv3tDrifXr1YHnvl8yAuKi7jQ 3T6g==
MIME-Version: 1.0
X-Received: by 10.194.48.115 with SMTP id k19mr25990802wjn.47.1386397972829; Fri, 06 Dec 2013 22:32:52 -0800 (PST)
Received: by 10.194.242.131 with HTTP; Fri, 6 Dec 2013 22:32:52 -0800 (PST)
In-Reply-To: <20131207042232.3498C1AB40@ld9781.wdf.sap.corp>
References: <52A21B4B.2000301@fifthhorseman.net> <20131207042232.3498C1AB40@ld9781.wdf.sap.corp>
Date: Fri, 6 Dec 2013 22:32:52 -0800
Message-ID: <CACsn0cnOoeELzdaKBJcD4cagXCy+OkT+WU3z4MAt1sPJuq7PCw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: mrex@sap.com
Content-Type: text/plain; charset=UTF-8
Cc: IETF TLS WG <tls@ietf.org>
Subject: Re: [TLS] An SCSV to stop TLS fallback.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Dec 2013 06:32:59 -0000

To clarify.
>
> Btw. AES128-CBC-SHA1 is more secure than AES128-GCM/-CCM, so the only
> thing the client might be "loosing" is a little performance, and
> that AEAD can not currently be negotiated and used unless
> ClientHello.client_version is set to { 0x03, 0x03 } is a silly defect
> of the specification(s) that could be easily fixed.
I am assuming you are discussing the modes as specified and
implemented in TLS? In that case you are dead wrong.
Lucky 13, BEAST, and even if we drop all that no protocol depending
both on SHA1 and AES can be stronger than one depending
on AES alone.
Sincerely,
Watson Ladd