Re: [TLS] simplistic renego protection
Michael D'Errico <mike-list@pobox.com> Wed, 18 November 2009 16:19 UTC
Return-Path: <mike-list@pobox.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3D1643A6961 for <tls@core3.amsl.com>; Wed, 18 Nov 2009 08:19:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.363
X-Spam-Level:
X-Spam-Status: No, score=-1.363 tagged_above=-999 required=5 tests=[AWL=-1.064, BAYES_00=-2.599, MANGLED_TOOL=2.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F3uO47ejoDuh for <tls@core3.amsl.com>; Wed, 18 Nov 2009 08:19:30 -0800 (PST)
Received: from sasl.smtp.pobox.com (a-pb-sasl-sd.pobox.com [64.74.157.62]) by core3.amsl.com (Postfix) with ESMTP id 185C63A692B for <tls@ietf.org>; Wed, 18 Nov 2009 08:19:30 -0800 (PST)
Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTP id 5AE069F50A for <tls@ietf.org>; Wed, 18 Nov 2009 11:19:28 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=ET0goXptrvrn cRzGCV5xfNmZ7I8=; b=oTaVn2pSh7M1NnhQIIv1uMLBmqnn2rJClh+2JuORFAhO pmoteMnvq93KhgjkUmI1qydIE9e+0ZE2dAw/8PBHLDb0A5PIpQr/SH1bm+tJAPVA Pd+OxbfWYzAlxh8VUjIe3N89bfUlC17n3ED/vyGbCHWD6cPHmLhVbC3q8n8Kyl8=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=A69gE4 T74n/pw9YiCEBP3J3NOtCVjLizoFifitwyWS2HvbscQ6zjp00pycfFqWF4LIdBE+ ibuc16h42xEy18vADu7YmfAO93OdTboPu3AV2BSrJsspyh4hV+nnRBsV1zjD1LT2 SXuZ51zzJ2yil9FGo+RSyJqtWKHk5SVrLYaZo=
Received: from a-pb-sasl-sd.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTP id 5782D9F509 for <tls@ietf.org>; Wed, 18 Nov 2009 11:19:28 -0500 (EST)
Received: from administrators-macbook-pro.local (unknown [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by a-pb-sasl-sd.pobox.com (Postfix) with ESMTPSA id DCA689F508 for <tls@ietf.org>; Wed, 18 Nov 2009 11:19:27 -0500 (EST)
Message-ID: <4B041ED9.7080401@pobox.com>
Date: Wed, 18 Nov 2009 08:20:41 -0800
From: Michael D'Errico <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: tls@ietf.org
References: <200911161725.nAGHPWaA014181@fs4113.wdf.sap.corp> <089F31C221374096B0FE619F@446E7922C82D299DB29D899F> <4B022EBB.5030108@pobox.com> <808FD6E27AD4884E94820BC333B2DB774F30FE106F@NOK-EUMSG-01.mgdnok.nokia.com>
In-Reply-To: <808FD6E27AD4884E94820BC333B2DB774F30FE106F@NOK-EUMSG-01.mgdnok.nokia.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Pobox-Relay-ID: 2528DBC8-D45E-11DE-922E-EF34BBB5EC2E-38729857!a-pb-sasl-sd.pobox.com
Subject: Re: [TLS] simplistic renego protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Nov 2009 16:19:31 -0000
Pasi.Eronen@nokia.com wrote: > It seems many of the drawbacks of tls-renegotiation-00 you mention > are in fact addressed (to some degree) in version -01? (mainly > by including the "magic cipher suite") Compared to -01, what do > you think the main differences are? If you include a magic cipher suite, then you don't need to send *anything* else from client to server. This is what the alternative does that I implemented yesterday. The contents of the extension do not need to be transmitted over the wire since both peers know what it should contain. As long as that information gets added to the Finished message calculation (true in both proposals), the security hole is patched. Plus I believe the magic cipher suite in RI-01 is only for fallback behavior. The very fact that fallback behavior needs to be even considered in RI is a showstopper in my opinion. The alternative does not require any of that. Mike > Best regards, > Pasi > (not wearing any hats) > >> -----Original Message----- >> From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of >> ext Michael D'Errico >> Sent: 17 November, 2009 07:04 >> To: tls@ietf.org >> Subject: Re: [TLS] simplistic renego protection >> >>> If you want your alternative proposal to be considered, submit an >>> Internet draft and get some running code and feedback from >>> implementations showing your proposal would deploy protection to more >>> users than draft-rescorla-tls-renegotiation-00. Then you may sway >>> people to your viewpoint. >> Here is how draft-rescorla-tls-renegotiation-00 fails to protect the >> most people: >> >> - there are so many interoperability problems with TLS extensions >> that even the author of the draft suggests that a "lenient"[*] >> client not send the extension on its initial connection >> >> - there will be a transition period where some servers absolutely >> need to continue allowing unpatched clients to perform the current >> vulnerable renegotiation. >> >> - a lenient client's handshake without the RI extension looks just >> like an unpatched client that these unfortunate servers need to >> continue supporting >> >> - a man-in-the-middle can take advantage of these three points to >> victimize a patched client talking to a patched server! >> >> Just today many of us have converged on an alternate solution that does >> not have this serious problem. Instead of using extensions with all >> the myriad problems, the only bits-on-the-wire change is to include a >> single special cipher suite that signals to the server that the client >> wishes to use a new calculation of the Finished messages that includes >> the verify_data from the previous handshake. I suggested that an alert >> message could be used for the server to acknowledge back to the client. >> >> This uses only features that are present in SSLv3, so it is much more >> likely to be implemented quickly and correctly, and it does not require >> implementations to add any code for extension processing if they don't >> already support extensions. It also protects the lenient client and >> unfortunate servers above since there is no reason not to include the >> magic cipher suite in ALL handshakes. >> >> Here is a pointer to a summary of the proposal: >> >> http://www.ietf.org/mail-archive/web/tls/current/msg04393.html >> >> I am not a spec. writer, so someone else should write it up. If it is >> adopted I will implement it in my test server in short order for anyone >> to test against. >> >> Mike >> >> >> [*] a lenient client is one that would connect to any server regardless >> of whether it is patched or not. Since there is a not-insignificant >> chance that a server will barf on the use of extensions, and the >> lenient >> client wouldn't abort the handshake even if the extension is not >> returned by the server, it is less painful to just do what's always >> been done. >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >
- Re: [TLS] simplistic renego protection Chris Newman
- [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Joseph Salowey (jsalowey)
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Nelson B Bolyard
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection peter.robinson
- Re: [TLS] simplistic renego protection Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] simplistic renego protection Stephen Farrell
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Nasko Oskov
- Re: [TLS] simplistic renego protection Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Yair Elharrar
- Re: [TLS] simplistic renego protection Steve Dispensa
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Robert Dugal
- Re: [TLS] simplistic renego protection Pasi.Eronen
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Simon Josefsson
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Nasko Oskov
- Re: [TLS] simplistic renego protection Nelson B Bolyard
- Re: [TLS] simplistic renego protection Nelson B Bolyard
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Nelson B Bolyard
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- [TLS] Definition of "lenient server" David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection Ben Laurie
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection Bill Frantz
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Ben Laurie
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Ben Laurie
- Re: [TLS] simplistic renego protection Pasi.Eronen
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Pasi.Eronen
- Re: [TLS] simplistic renego protection Yngve Nysaeter Pettersen
- Re: [TLS] simplistic renego protection Peter Gutmann
- Re: [TLS] simplistic renego protection Kyle Hamilton