Re: [TLS] An SCSV to stop TLS fallback.

Marsh Ray <> Thu, 05 December 2013 19:22 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 875611AE093 for <>; Thu, 5 Dec 2013 11:22:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FePnFKNKw9ws for <>; Thu, 5 Dec 2013 11:22:13 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 7955F1AE024 for <>; Thu, 5 Dec 2013 11:22:13 -0800 (PST)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.820.5; Thu, 5 Dec 2013 19:22:08 +0000
Received: from ([]) by ([]) with mapi id 15.00.0820.005; Thu, 5 Dec 2013 19:22:08 +0000
From: Marsh Ray <>
To: Bodo Moeller <>, "" <>
Thread-Topic: [TLS] An SCSV to stop TLS fallback.
Date: Thu, 5 Dec 2013 19:22:08 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <op.w7lfuxrh3dfyax@killashandra.invalid.invalid> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: [2001:4898:80e8:ee31::3]
x-forefront-prvs: 00514A2FE6
x-forefront-antispam-report: SFV:NSPM; SFS:(199002)(189002)(52034003)(81686001)(59766001)(46102001)(76482001)(74316001)(76786001)(77096001)(81816001)(31966008)(74366001)(47976001)(56776001)(76796001)(54316002)(74876001)(74502001)(4396001)(50986001)(76576001)(47736001)(2656002)(79102001)(51856001)(74662001)(87936001)(69226001)(74706001)(81342001)(15975445006)(33646001)(15202345003)(19580405001)(65816001)(77982001)(49866001)(80976001)(87266001)(53806001)(47446002)(85306002)(63696002)(19580395003)(54356001)(81542001)(80022001)(83322001)(83072001)(56816005)(85852002)(90146001)(24736002)(3826001); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB075;; CLIP:2001:4898:80e8:ee31::3; FPR:; RD:InfoNoRecords; A:1; MX:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [TLS] An SCSV to stop TLS fallback.
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 05 Dec 2013 19:22:16 -0000

From: TLS [] On Behalf Of Bodo Moeller
> As I've mentioned, the two options are not mutually exclusive, so I
> think you are constructing a false dichotomy.  We can start to use
> TLS_FALLBACK_SCSV ASAP to improve security *ASAP* for connections to
> *those* servers that do get updated (80% or even just 10% is better
> than 0% -- if only the most important servers that users trust get
> updated, that's something).

It seems to me like there are two scenarios:

Scenario 1.

A vulnerability in *handshake authentication* (stated as before)
is present only in downlevel but mitigated in the highest
protocol version that's common between the legitimate client
and legitimate server.

Thankfully, it's hard to come up with an example for this scenario.
But if it occurs, any protection deployed at the legitimate server
is likely to be rendered useless because the attacker could
impersonate the legitimate server to the legitimate client.
Obviously the attacker would opt not to implement the downgrade
protections in his evil server!

Scenario B.

A vulnerability in *record layer authentication or encryption*
present only in client fallback TLS but mitigated in the highest
protocol version that's common between the legitimate client and
legitimate server.

An example of this scenario is the chosen plaintext attacks on
CBC block padding (e.g., BEAST) that was fixed in 1.1 by sending
an explicit IV. Previous attempts at mitigation had been coded
in OpenSSL years ago for TLS 1.0, but were disabled by default
for compatibility reasons. If an attacker provoked a browser to
fall back to TLS 1.0, he could (in theory) effectively disable
some mitigations in place to prevent this attack.

Protecting against (B) seems like it could be useful, unless it
measurably increases the rate of failed handshakes and delays
in non-attack situations.
Server behavior:
> If TLS_FALLBACK_SCSV appears in ClientHello.cipher_suites and the
> highest protocol version supported by the server is higher than
> the version indicated in ClientHello.client_version, the server
> MUST respond with a inappropriate_fallback alert.

Say the server implements TLS 1.0 reasonably well, but believes
it supports 1.2. Unfortuantely, it will successfully negotiate
the use of 1.2 but then crashes and hang the socket open until
the client gives up.

RFC 5246 TLS 1.2 says:
> TLS clients that wish to negotiate with older servers MAY send any
> value {03,XX} as the record layer version number.  Typical values
> would be {03,00}, the lowest version number supported by the client,
> and the value of ClientHello.client_version.

> ClientHello.client_version
>    The version of the TLS protocol by which the client wishes to
>    communicate during this session.  This SHOULD be the latest
>    (highest valued) version supported by the client.

That sounds to me like the client MAY retry with record.version={3,0},
but it SHOULD still send ClientHello.client_version={3,3}.

So for clients that follow RFC 5246 recommendation, what is gained by
sending TLS_FALLBACK_SCSV? Why couldn't we instead recommend that
servers reject with *any* connection attempt for which
ClientHello.client_version < "highest version supported by the server" ?

But draft-bmoeller-tls-downgrade-scsv-01 suggests that clients in the process
of auto-downgrading behave otherwise:
Client behavior:
> If a client sends a *ClientHello.client_version* containing a lower
> value than the latest (highest-valued) version supported by the
> client, it SHOULD include the TLS_FALLBACK_SCSV cipher suite value
> in ClientHello.cipher_suites.

I.e., clients are *lying* about the actual highest version of the
protocol they support and they're doing so against the
SHOULD-level recommendation of the TLS RFC's.

The weakness I see is in draft-bmoeller-tls-downgrade-scsv-01
is that servers are not actually in a position to know the highest
protocol version that the client supports.

Thus a server would have to refuse *any* connection for which the
client sends TLS_FALLBACK_SCSV set. Why? Because the server must
consider the unfortunate possibility that some infernal middlebox
is intolerant to TLS 1.3! (or any future version that the client
may support).

The attacker laughs his ass off as browsers and servers are stuck
in a tangled web of little lies mostly built on good intentions.

Sending a flag to say "oh by the way I'm lying about my highest
version" is not a complete fix.

I only see one correct solution: ripping out this auto-downgrade
logic from clients and putting these broken servers and middleboxes
on notice that they have no place on a secure network.

Only then will environment begin to heal and as it does page load
times would become a bit faster.

- Marsh