IETF Logo Mail Archive

Re: [TLS] A new TLS version negotiation mechanism

Dave Garrett <davemgarrett@gmail.com> Thu, 12 March 2015 07:26 UTC

Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A3871A8A9E for <tls@ietfa.amsl.com>; Thu, 12 Mar 2015 00:26:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cvkDgZeLIJpO for <tls@ietfa.amsl.com>; Thu, 12 Mar 2015 00:26:41 -0700 (PDT)
Received: from mail-qg0-x235.google.com (mail-qg0-x235.google.com [IPv6:2607:f8b0:400d:c04::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E65F1A8A87 for <tls@ietf.org>; Thu, 12 Mar 2015 00:26:41 -0700 (PDT)
Received: by qgfh3 with SMTP id h3so15962574qgf.13 for <tls@ietf.org>; Thu, 12 Mar 2015 00:26:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=Bqfy8SMccLZaFZLm0zchA16J+yA2GGisZvmekhFenxk=; b=nm8ja3u4GUQRObVTjmzfuz4K7U/0By7w6MW78M0PIVgISML111d/bXGddofX8mLk3Y O7aC3nd7NvmCaEtoOERMYa/oPK2HhM3VfBUBYgcAyGCWcrpBWgk4pMuSfSFhz6ifYf9/ wDnbn11VGIXY/KzYXOYiWXSpBN9N5SEsBn6jUL5WSa1J4FBSEGqljmk9rQK5hI16qdcN NgnFwOX+2SWCR3PLVuWBVF52VN9O/e/FqJVA8b3/MfIXZcj5eWJcUPD9wPL/XSwS8QEV sxrKMc5TxUms+fJOozitMFbVE1ruAyxcrbj0qymu8b/JwZ0JCzLs1QKgekJsbcA5ibe3 EvAg==
X-Received: by 10.140.165.209 with SMTP id l200mr53881389qhl.84.1426145200455; Thu, 12 Mar 2015 00:26:40 -0700 (PDT)
Received: from dave-laptop.localnet (pool-96-245-254-195.phlapa.fios.verizon.net. [96.245.254.195]) by mx.google.com with ESMTPSA id 91sm4276403qkw.13.2015.03.12.00.26.39 (version=TLSv1 cipher=RC4-SHA bits=128/128); Thu, 12 Mar 2015 00:26:39 -0700 (PDT)
From: Dave Garrett <davemgarrett@gmail.com>
To: Stephen Checkoway <s@pahtak.org>
Date: Thu, 12 Mar 2015 03:26:38 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-71-generic-pae; KDE/4.4.5; i686; ; )
References: <201503081339.47927.davemgarrett@gmail.com> <201503111456.38308.davemgarrett@gmail.com> <D43A19CC-4559-4446-85F2-06A9B6468E07@pahtak.org>
In-Reply-To: <D43A19CC-4559-4446-85F2-06A9B6468E07@pahtak.org>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <201503120326.38588.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/FNGdEBT7WizJOF7jCTBv99kdhYQ>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] A new TLS version negotiation mechanism
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Mar 2015 07:26:42 -0000

On Thursday, March 12, 2015 01:01:27 am Stephen Checkoway wrote:
> 
> On Mar 11, 2015, at 2:56 PM, Dave Garrett <davemgarrett@gmail.com> wrote:
> 
> > On Tuesday, January 20, 2015 11:01:31 pm Xiaoyin Liu wrote:
> >> (5) Number of sites that are tolerant to (TLS1.3, TLS1.3): 397,152 (93.1%)
> >> (6) Number of sites that need to fallback to (TLS1.0, TLS1.3): 22,461 (5.3%)
> >> (7) Number of sites that need to fallback to (TLS1.0, TLS1.2): 6,352 (1.5%)
> >> (8) Number of sites that need to fallback to (TLS1.0, TLS1.0): 454 (0.1%)
> >> 
> >> The total number of TLS enabled sites is 426,419. TLS 1.3 intolerant sites (7 and 8) are about 1.6%.
> 
> Most of this is about the record layer version

I just wanted to post the full data set here so it wasn't out of context.

> The real data here is that 1.5% of servers are intolerant of 1.3 but tolerate 1.2. So that was (a) and (b) in my list but it's pretty hard to measure (c): servers that aren't maintained or can't be upgraded.
> 
> I remain unconvinced, but others can weigh in.

Let me put it to you this way: ~0.1% of servers are TLS 1.2 intolerant and browser vendors are STILL having trouble dropping insecure fallback, if they are attempting it at all. The TLS 1.3 intolerance problem is over an order of magnitude worse.

To be precise, most of these servers are likely considered maintained and can technically be upgraded, but that doesn't mean they actually will. Starting out with this untamed mess could discourage TLS 1.3 adoption and will encourage browsers to do insecure fallback for TLS 1.3.

For a marginally less hacky route, we could basically just make a better version of SCSV and mandate its use in the TLS 1.3 spec. Simply have a max supported version extension which has nothing other than the max client TLS version in it, include it in every ClientHello, and use the normal version negotiation. If a 1.3 ClientHello fails, an insecure fallback to 1.2 can be done, however a 1.3 server can doublecheck versions and know the first attempt merely failed and 1.3 can actually be negotiated instead. The client would get a 1.3 ServerHello and could continue the connection normally, but note an error somewhere. (whatever dubious security UI indicator the browser uses) This is essentially the existing system with an extension as a backup method, but it enshrines downgraded fallbacks as valid. (we might be ok with that if this is done properly) It does have the benefit of shining a spotlight on broken implementations, though.


Dave

v2.23.0 | Report a Bug | By Email