Re: [TLS] An SCSV to stop TLS fallback.
Marsh Ray <maray@microsoft.com> Thu, 05 December 2013 19:22 UTC
Return-Path: <maray@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 875611AE093 for <tls@ietfa.amsl.com>; Thu, 5 Dec 2013 11:22:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FePnFKNKw9ws for <tls@ietfa.amsl.com>; Thu, 5 Dec 2013 11:22:13 -0800 (PST)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0210.outbound.protection.outlook.com [207.46.163.210]) by ietfa.amsl.com (Postfix) with ESMTP id 7955F1AE024 for <tls@ietf.org>; Thu, 5 Dec 2013 11:22:13 -0800 (PST)
Received: from BY2PR03MB074.namprd03.prod.outlook.com (10.255.241.154) by BY2PR03MB075.namprd03.prod.outlook.com (10.255.241.155) with Microsoft SMTP Server (TLS) id 15.0.820.5; Thu, 5 Dec 2013 19:22:08 +0000
Received: from BY2PR03MB074.namprd03.prod.outlook.com ([169.254.12.17]) by BY2PR03MB074.namprd03.prod.outlook.com ([169.254.12.159]) with mapi id 15.00.0820.005; Thu, 5 Dec 2013 19:22:08 +0000
From: Marsh Ray <maray@microsoft.com>
To: Bodo Moeller <bmoeller@acm.org>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] An SCSV to stop TLS fallback.
Thread-Index: AQHO6jYL3OWisNV4bUWeT9bwHT1KGJo2nY0AgAAA2oCAABDBgIABFMQAgAEyeoCAAExnAIABUZeAgAjIOYCAAHtygIAAmWiAgAADqYCAAAINgIAANHGAgAAjVoCAALN2AIAAhohQ
Date: Thu, 05 Dec 2013 19:22:08 +0000
Message-ID: <b6717ff7f2b94f4dbae2bc99dad7c2ec@BY2PR03MB074.namprd03.prod.outlook.com>
References: <CAL9PXLzWPY5o2SeV=kUPWxznkw+3cmpbMpYifCebfqd48VW9UA@mail.gmail.com> <CACsn0ckuupJaNKXGjP63LfZiDsV5FLOqfk902O9i1oheqtAAhA@mail.gmail.com> <CAL9PXLxueY_k0XWgTrqVxqXDgvCRhAW5UEa8YjU9_rnuZ6otTA@mail.gmail.com> <CAL2p+8TXJVmnb-v3xH6uzW+rpZ+v8J65TjO32__O3ZofQiwSig@mail.gmail.com> <CAL9PXLwKxF14CUNmN=-P6mhcr+xcGw0_Aaq7amdBXZKUsrKsKA@mail.gmail.com> <CADMpkcLRNmmoMOpJ9QVFPMEbpSyu39afipWUv4Du-assHoC1rw@mail.gmail.com> <CAL9PXLx0+bYn_KXKhvFz=D_jXfctdVihaXnj=SqB6EeEqRLOSg@mail.gmail.com> <CADMpkcKvXxHwj+Rj_j8qF84aEbWJiBiXnk9t1qfh7NychraZcQ@mail.gmail.com> <CALTJjxEDXsmdzY4+OH2AFcYfMW5zY=V4PzQK3hqB1WrqjRJB+g@mail.gmail.com> <CADMpkcJO8xZ41DDnofPinm2SMkhONW7w+cODGwnVpJtB5o8OqQ@mail.gmail.com> <CALTJjxGTmSPRNWfbRrpkFQb3nBwY63fUros+4fLsXjum=q3urA@mail.gmail.com> <529F7E9D.80302@elzevir.fr> <CAL9PXLwVQ=GmZXGrh4+VEd-u1dhhvThKHfVf0qRShcR+LdExTQ@mail.gmail.com> <f30ced5319a9451080562a1d2d8004f8@BY2PR03MB074.namprd03.prod.outlook.com> <op.w7lfuxrh3dfyax@killashandra.invalid.invalid> <CADMpkcKGs_=Skd2_NzdyNvQB2WachTtBGNPx+5QHxwRhQ7Ln_w@mail.gmail.com>
In-Reply-To: <CADMpkcKGs_=Skd2_NzdyNvQB2WachTtBGNPx+5QHxwRhQ7Ln_w@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e8:ee31::3]
x-forefront-prvs: 00514A2FE6
x-forefront-antispam-report: SFV:NSPM; SFS:(199002)(189002)(52034003)(81686001)(59766001)(46102001)(76482001)(74316001)(76786001)(77096001)(81816001)(31966008)(74366001)(47976001)(56776001)(76796001)(54316002)(74876001)(74502001)(4396001)(50986001)(76576001)(47736001)(2656002)(79102001)(51856001)(74662001)(87936001)(69226001)(74706001)(81342001)(15975445006)(33646001)(15202345003)(19580405001)(65816001)(77982001)(49866001)(80976001)(87266001)(53806001)(47446002)(85306002)(63696002)(19580395003)(54356001)(81542001)(80022001)(83322001)(83072001)(56816005)(85852002)(90146001)(24736002)(3826001); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB075; H:BY2PR03MB074.namprd03.prod.outlook.com; CLIP:2001:4898:80e8:ee31::3; FPR:; RD:InfoNoRecords; A:1; MX:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Subject: Re: [TLS] An SCSV to stop TLS fallback.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Dec 2013 19:22:16 -0000
From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Bodo Moeller > As I've mentioned, the two options are not mutually exclusive, so I > think you are constructing a false dichotomy. We can start to use > TLS_FALLBACK_SCSV ASAP to improve security *ASAP* for connections to > *those* servers that do get updated (80% or even just 10% is better > than 0% -- if only the most important servers that users trust get > updated, that's something). It seems to me like there are two scenarios: Scenario 1. A vulnerability in *handshake authentication* (stated as before) is present only in downlevel but mitigated in the highest protocol version that's common between the legitimate client and legitimate server. Thankfully, it's hard to come up with an example for this scenario. But if it occurs, any protection deployed at the legitimate server is likely to be rendered useless because the attacker could impersonate the legitimate server to the legitimate client. Obviously the attacker would opt not to implement the downgrade protections in his evil server! Scenario B. A vulnerability in *record layer authentication or encryption* present only in client fallback TLS but mitigated in the highest protocol version that's common between the legitimate client and legitimate server. An example of this scenario is the chosen plaintext attacks on CBC block padding (e.g., BEAST) that was fixed in 1.1 by sending an explicit IV. Previous attempts at mitigation had been coded in OpenSSL years ago for TLS 1.0, but were disabled by default for compatibility reasons. If an attacker provoked a browser to fall back to TLS 1.0, he could (in theory) effectively disable some mitigations in place to prevent this attack. Protecting against (B) seems like it could be useful, unless it measurably increases the rate of failed handshakes and delays in non-attack situations. http://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-01#section-3 Server behavior: > If TLS_FALLBACK_SCSV appears in ClientHello.cipher_suites and the > highest protocol version supported by the server is higher than > the version indicated in ClientHello.client_version, the server > MUST respond with a inappropriate_fallback alert. Say the server implements TLS 1.0 reasonably well, but believes it supports 1.2. Unfortuantely, it will successfully negotiate the use of 1.2 but then crashes and hang the socket open until the client gives up. RFC 5246 TLS 1.2 says: http://tools.ietf.org/html/rfc5246#appendix-E > TLS clients that wish to negotiate with older servers MAY send any > value {03,XX} as the record layer version number. Typical values > would be {03,00}, the lowest version number supported by the client, > and the value of ClientHello.client_version. and http://tools.ietf.org/html/rfc5246#section-7.4.1.2 > ClientHello.client_version > The version of the TLS protocol by which the client wishes to > communicate during this session. This SHOULD be the latest > (highest valued) version supported by the client. That sounds to me like the client MAY retry with record.version={3,0}, but it SHOULD still send ClientHello.client_version={3,3}. So for clients that follow RFC 5246 recommendation, what is gained by sending TLS_FALLBACK_SCSV? Why couldn't we instead recommend that servers reject with *any* connection attempt for which ClientHello.client_version < "highest version supported by the server" ? But draft-bmoeller-tls-downgrade-scsv-01 suggests that clients in the process of auto-downgrading behave otherwise: http://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-01#section-4 Client behavior: > If a client sends a *ClientHello.client_version* containing a lower > value than the latest (highest-valued) version supported by the > client, it SHOULD include the TLS_FALLBACK_SCSV cipher suite value > in ClientHello.cipher_suites. I.e., clients are *lying* about the actual highest version of the protocol they support and they're doing so against the SHOULD-level recommendation of the TLS RFC's. The weakness I see is in draft-bmoeller-tls-downgrade-scsv-01 is that servers are not actually in a position to know the highest protocol version that the client supports. Thus a server would have to refuse *any* connection for which the client sends TLS_FALLBACK_SCSV set. Why? Because the server must consider the unfortunate possibility that some infernal middlebox is intolerant to TLS 1.3! (or any future version that the client may support). The attacker laughs his ass off as browsers and servers are stuck in a tangled web of little lies mostly built on good intentions. Sending a flag to say "oh by the way I'm lying about my highest version" is not a complete fix. I only see one correct solution: ripping out this auto-downgrade logic from clients and putting these broken servers and middleboxes on notice that they have no place on a secure network. Only then will environment begin to heal and as it does page load times would become a bit faster. - Marsh
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Andy Wilson
- Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Trevor Perrin
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Trevor Perrin
- Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
- Re: [TLS] An SCSV to stop TLS fallback. Brian Smith
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Jack Lloyd
- Re: [TLS] An SCSV to stop TLS fallback. Manger, James H
- Re: [TLS] An SCSV to stop TLS fallback. Wan-Teh Chang
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Wan-Teh Chang
- Re: [TLS] An SCSV to stop TLS fallback. Manuel Pégourié-Gonnard
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Marsh Ray
- Re: [TLS] An SCSV to stop TLS fallback. Douglas Stebila
- Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
- Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
- Re: [TLS] An SCSV to stop TLS fallback. James Cloos
- Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
- Re: [TLS] An SCSV to stop TLS fallback. Manuel Pégourié-Gonnard
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Marsh Ray
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Daniel Kahn Gillmor
- Re: [TLS] An SCSV to stop TLS fallback. Brian Smith
- Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Yaron Sheffer
- Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
- Re: [TLS] An SCSV to stop TLS fallback. Yaron Sheffer
- Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
- Re: [TLS] An SCSV to stop TLS fallback. Manuel Pégourié-Gonnard
- Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller