IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

Andrei Popov <Andrei.Popov@microsoft.com> Fri, 26 September 2014 18:33 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C90641A00EF for <tls@ietfa.amsl.com>; Fri, 26 Sep 2014 11:33:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ePhYEEQeELPf for <tls@ietfa.amsl.com>; Fri, 26 Sep 2014 11:33:11 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0764.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::764]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F58C1A0048 for <tls@ietf.org>; Fri, 26 Sep 2014 11:33:11 -0700 (PDT)
Received: from BL2PR03MB419.namprd03.prod.outlook.com (10.141.92.18) by BL2PR03MB418.namprd03.prod.outlook.com (10.141.92.13) with Microsoft SMTP Server (TLS) id 15.0.1034.13; Fri, 26 Sep 2014 18:32:48 +0000
Received: from BL2PR03MB419.namprd03.prod.outlook.com ([10.141.92.18]) by BL2PR03MB419.namprd03.prod.outlook.com ([10.141.92.18]) with mapi id 15.00.1034.003; Fri, 26 Sep 2014 18:32:48 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Adam Langley <agl@imperialviolet.org>
Thread-Topic: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00
Thread-Index: AQHP2T5a8EAtsaADg0ykrefiCf9Yj5wTq6MwgAAKvgCAAAKHEA==
Date: Fri, 26 Sep 2014 18:32:48 +0000
Message-ID: <ceda19c3fdee4b488cff118d34f44afe@BL2PR03MB419.namprd03.prod.outlook.com>
References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com> <e2ae0847d4ef49c48fe972adead9bbcc@BL2PR03MB419.namprd03.prod.outlook.com> <CAMfhd9UQ1wHFMJpLcxX6o3YDcLn_Az_vy7PfB9QUwyjHrrPaJQ@mail.gmail.com>
In-Reply-To: <CAMfhd9UQ1wHFMJpLcxX6o3YDcLn_Az_vy7PfB9QUwyjHrrPaJQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [2001:4898:80e8:ed31::2]
x-microsoft-antispam: BCL:0;PCL:0;RULEID:;SRVR:BL2PR03MB418;
x-forefront-prvs: 03468CBA43
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(377454003)(13464003)(189002)(199003)(51704005)(24454002)(230783001)(86612001)(15975445006)(92566001)(110136001)(31966008)(106116001)(76482002)(87936001)(54356999)(64706001)(106356001)(74316001)(20776003)(76176999)(85306004)(76576001)(33646002)(85852003)(101416001)(50986999)(83072002)(90102001)(107046002)(95666004)(83322001)(19580405001)(77982003)(108616004)(97736003)(79102003)(74662003)(80022003)(10300001)(105586002)(21056001)(2656002)(81342003)(4396001)(120916001)(86362001)(46102003)(99396003)(81542003)(19580395003)(99286002)(74502003)(3826002)(24736002); DIR:OUT; SFP:1102; SCL:1; SRVR:BL2PR03MB418; H:BL2PR03MB419.namprd03.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/GA9t73Xx9JsBbIj4M70omaqryno
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Sep 2014 18:33:15 -0000

> But stepping down is a good idea because you want to lose as few features as possible.
This may well be, but arguably the TLS protocol should not be creating new constraints on the upper SW layers, where it's possible to avoid doing so.

Regardless of what the browser wants to do, the system admin will sometimes disable a specific TLS version machine-wide (or enterprise-wide), e.g. due to version-specific security concerns. I am pointing out that, with the current draft, the browser is forced to not send the SCSV when skipping versions.

Cheers,

Andrei

-----Original Message-----
From: alangley@gmail.com [mailto:alangley@gmail.com] On Behalf Of Adam Langley
Sent: Friday, September 26, 2014 11:05 AM
To: Andrei Popov
Cc: Joseph Salowey (jsalowey); <tls@ietf.org>
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

On Fri, Sep 26, 2014 at 10:44 AM, Andrei Popov <Andrei.Popov@microsoft.com> wrote:
> This I-D currently forces clients to do sequential fallbacks, without skipping versions: TLS1.3->TLS1.2->TLS1.1->TLS1.0 will work, but e.g. TLS1.3->TLS1.2->TLS1.0 won't. Clients may want to skip protocol versions in the fallback sequence to reduce latency. Clients may also need to disable arbitrary protocol versions for security reasons.
>
> I see two ways to fix this in the draft:
> 1. Use a TLS extension instead of an SCSV. In the extension, the client could indicate the previously attempted protocol version. The problem with this is that SSL3 ClientHellos are not supposed to have extensions, but we'd like to secure fallbacks to SSL3.
> 2. Use one SCSV value per TLS & SSL protocol version. The client includes the SCSV indicating the previously attempted protocol version. The drawback here is that this creates multiple SCSVs:).
>
> If this problem is not solved, then clients will have no choice but to avoid sending the SCSV when skipping protocol versions, e.g.: TLS1.3(no SCSV)->TLS1.2(with SCSV)->TLS1.0(no SCSV). Which (at least partially) defeats the purpose of the I-D.

We've had the design of an SCSV-per-version before and it didn't really go anywhere. (There is, at least, ekr's draft[1].)

Yes, you have to step down every version. But stepping down is a good idea because you want to lose as few features as possible. If you drop right down to SSLv3 then you loose ECDHE and so on.

It's more latency, but only for the case of very old, broken servers. So be it.

[1] https://github.com/ekr/ietf-drafts/blob/master/draft-rescorla-tls-version-cs.txt


Cheers

AGL

--
Adam Langley agl@imperialviolet.org https://www.imperialviolet.org

v2.43.4 | Report a Bug | By Email | System Status