Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

Andrey Jivsov <crypto@brainhub.org> Sun, 19 October 2014 07:44 UTC

Return-Path: <crypto@brainhub.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 102761A001A for <tls@ietfa.amsl.com>; Sun, 19 Oct 2014 00:44:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level:
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qQuf31UUYf2Z for <tls@ietfa.amsl.com>; Sun, 19 Oct 2014 00:44:24 -0700 (PDT)
Received: from resqmta-ch2-03v.sys.comcast.net (resqmta-ch2-03v.sys.comcast.net [IPv6:2001:558:fe21:29:69:252:207:35]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32DAB1A0006 for <tls@ietf.org>; Sun, 19 Oct 2014 00:44:24 -0700 (PDT)
Received: from resomta-ch2-19v.sys.comcast.net ([69.252.207.115]) by resqmta-ch2-03v.sys.comcast.net with comcast id 4vkJ1p0012VvR6D01vkPKF; Sun, 19 Oct 2014 07:44:23 +0000
Received: from [192.168.1.2] ([71.202.164.227]) by resomta-ch2-19v.sys.comcast.net with comcast id 4vkM1p00E4uhcbK01vkNH6; Sun, 19 Oct 2014 07:44:23 +0000
Message-ID: <54436BD5.9020107@brainhub.org>
Date: Sun, 19 Oct 2014 00:44:21 -0700
From: Andrey Jivsov <crypto@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1
MIME-Version: 1.0
To: Bodo Moeller <bmoeller@acm.org>, "tls@ietf.org" <tls@ietf.org>
References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com> <5438CFEA.7000401@brainhub.org> <5440CC7F.1020608@brainhub.org> <CADMpkcLdSCLb5LzBjufVF4h7X=HFPTgHq4fN+zdc6zrM+ijXaA@mail.gmail.com> <54415A1F.3080707@brainhub.org> <CADMpkcKWJ5USybEDMi=RDqR7wwDRUbk-44N+sRp71orZqa8YkQ@mail.gmail.com>
In-Reply-To: <CADMpkcKWJ5USybEDMi=RDqR7wwDRUbk-44N+sRp71orZqa8YkQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------020701080303000108050506"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1413704663; bh=XY4g4YkwsLEsHTUOHOORlZno55ZCYHXdjTjjo2bLa4E=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=hfINKo9jxAhgtKswaq+hYPO2+p8+JK/9OBbO8aNU7JHnVLiXvUhaJkbDtf9OLs0Zo 6tLx0yt76IhtXSYL6/WT6OCga+c41S0e1pl9aokdxUqdtaVf7t1HAbnDi/xjeEUZp6 SrsouGvgJqaa2dPTlgFea+IYQgCBnYBYmLBOiQ8D5+waujjTotOmDJpY4CcamTsrC+ c3D+qJRT40R6a33378vlAxO4KQJdxqXWfZziUMKzDlXZWmtioI+Tk6Ck8YUdgBa7uB kbcvFE7QSU9F9pMVPXAluj7toOpG5I7xIKHnPiI+0QgdYJEfjDl4pd3oRUMJWw4SDE Kdd/lyZEHgNvQ==
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/ITXgKNhRB_4yw6dABtXbLfbIig0
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Oct 2014 07:44:31 -0000

On 10/18/2014 05:08 AM, Bodo Moeller wrote:
> Andrey Jivsov <crypto@brainhub.org <mailto:crypto@brainhub.org>>:
>
>     The reality of the Internet today is that TLS 1.1 is viewed as
>     acceptable. Clients treating TLS 1.1 treating it this way too. The
>     draft *requires* to introduce a rejection of TLS 1.1 connection on
>     the server when the server detects the downgrade.
>
>
> According to the draft, this server-side rejection is REQUIRED *if the 
> client sent TLS_FALLBACK_SCSV to request it*. For the client, however, 
> it is merely RECOMMENDED to send TLS_FALLBACK_SCSV in all fallback 
> retries.

Thinking more about it, there are two issues I see with the above: 
"smart client / dumb server" model and SHOULD for the client use of 
TLS_FALLBACK_SCSV.


What was the rationale for the dumb server / smart client design?

Please allow me to suggest that the opposite might be equally viable: a 
client MUST include TLS_FALLBACK_SCSV (with any downgraded negotiation) 
and server SHOULD respond with an inappropriate_fallback alert.

Example. Most often the servers are the custodians of the information / 
content. Servers are managed by professionals and are properly 
maintained. A server security policy might require TLS 1.1 to access the 
content that it serves. When such a server receives a ClientHello with 
TLS 1.0, it might proceed with a handshake, but display an HTML page 
explaining that access was denied due to low security, perhaps adding 
how to remedy the problem. In the end this is more secure: the same 
result of denying access to information, but with a more informative 
message. Neither the server nor the client implementations may find it 
appealing to code a special warning message specifically to flag MiT 
downgrade attack when TLS_FALLBACK_SCSV is used (e.g. to avoid 
false-positives), however, the server may include some of this 
information on the above-mentioned page as well, or choose to send 
inappropriate_fallback alert.

>     My point is that downgrades from TLS1.0 to SSL3.0 is one thing but
>     from TLS1.3 to TLS1.2 is another.
>
>
> You appear to be saying that, carefully weighing the case, a silent 
> fallback to TLS 1.2 can be acceptable. I don't disagree: the spec 
> takes this into account, it's just that it leaves it to the *client* 
> to make this decision, without further *server*-side heuristics 
> interfering with it,.

Thank you for considering this issue, Bodo.
>
> (I think this makes sense because it's the client that decides whether 
> to do fallback retries in the first place. For clients that don't set 
> TLS_FALLBACK_SCSV at all, for example, any server-side enabled 
> protocol version can be negotiated anyway -- the server can't avoid 
> using old versions with such clients other than by disabling them 
> entirely.)

... Yet the server has the content.

Currently the client has SHOULD for TLS_FALLBACK_SCSV. Why is this one 
not MUST (regardless of the server MUST or SHOULD)?

This SHOULD for the client means that the client that implements the 
draft will use some logic to switch between cases:
a) as if doesn't implement the draft
b) client sends TLS_FALLBACK_SCSV with any downgraded negotiation

If client does a), perhaps by interpreting network errors, POODLE 
continues to live.

Is this intended for clients that allow end-users to tweak how SHOULD is 
interpreted?

If we have protocol dance on the client (heuristic #1) and SHOULD 
include TLS_FALLBACK_SCSV  (heuristic #2), this may complicate 
diagnosing this on the server.

I would say (regardless of the server SHOULD or MUST), that one is free 
not to implement the draft on the client. If he does, he MUST send the 
TLS_FALLBACK_SCSV on the downgrade.