Re: [TLS] Cipher suite values to indicate TLS capability

Adam Langley <agl@google.com> Fri, 08 June 2012 15:18 UTC

Return-Path: <agl@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C4C221F894E for <tls@ietfa.amsl.com>; Fri, 8 Jun 2012 08:18:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Level:
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YkYAwgT5yWMr for <tls@ietfa.amsl.com>; Fri, 8 Jun 2012 08:18:09 -0700 (PDT)
Received: from mail-gh0-f172.google.com (mail-gh0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id B63A721F8955 for <tls@ietf.org>; Fri, 8 Jun 2012 08:18:09 -0700 (PDT)
Received: by ghbg16 with SMTP id g16so1552580ghb.31 for <tls@ietf.org>; Fri, 08 Jun 2012 08:18:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-system-of-record; bh=+b7VcuOhmrjACHHg1Q4c0viIIHGWkcmi8bMRAooi9KY=; b=PA8kuEndEVixTwc5OK1rvLiiy3b2IvEOj/Pe5J/v+/GRXyz36TLhRwZPjQXarlX+PQ /TavtfS2YdOhkDayckwAxhYZrk9ztlXxMK3GpWjGBsta+E8cHgHo4yCEKpAr4qoZaZf4 Qb+pA+j/65mcXe9bIFwUiZfCM0jP5ugwNWi3DvtmnUKoEwrH2fbOjAN6Otr1M/mFicIs MimUPRmICiqfVtjZrnlfR1kr2eoFiFEePhlW/KIEY1QJ5ZHrK2QRgZlAkCbQbjNfcABH 38u3eY9eh6kFF/XcpIX4+ZEoIgJmIlEpnvQdPzcZ9ktoxQfnO8QdseicZxIRtitU4yit MI/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-system-of-record:x-gm-message-state; bh=+b7VcuOhmrjACHHg1Q4c0viIIHGWkcmi8bMRAooi9KY=; b=gRrRpMgJbxSxkM7FJe+jsHYeF5lOUrerBtTZqR967O0EpB7c+la12YovJPbcJKJdmp 8v9zpM4dAmI3SYXRd0+g9Te41G4oTHhr9DvgZ6xez6UUQ6wa0KnkC3hv0hTc/u3U2tPN rIce92j0e63JvY2VBjAEQqfVsW3LnoXqSimU2m63oxkZVlUfPGQE929NXZUpi6YojqVF +J7b9tYHkXOvgNFu/TxP2UCWpA4RSqhqeKJfseyTJwGYy7lsmDe19u24eagXjUIPRs3N 0PgouZ6/XQFwJIyOMRYFs8vr9420Qx0dOqtyrJe7CjmZ1Yct4hVrKrATcemhr9HEs1po oc8w==
Received: by 10.50.179.101 with SMTP id df5mr3071221igc.22.1339168689019; Fri, 08 Jun 2012 08:18:09 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.50.179.101 with SMTP id df5mr3071211igc.22.1339168688876; Fri, 08 Jun 2012 08:18:08 -0700 (PDT)
Received: by 10.231.5.201 with HTTP; Fri, 8 Jun 2012 08:18:08 -0700 (PDT)
In-Reply-To: <4FD1AB25.7070101@gnutls.org>
References: <CAL9PXLwdQctUub5oPx0tepsfveDo0bNKGBUaUBBFeq4u4D0BbA@mail.gmail.com> <CADKevbAnT7AVn_cN+7WcBLfK8G4vkKns3GqQP1QQQ__96SD_6A@mail.gmail.com> <002AA72F-D47E-4C7C-930C-D78A0E48D059@checkpoint.com> <CADKevbBxUGwRtLs=u-pmOHtQ9HP4ERvxpvKJE4BOecLrm8it2g@mail.gmail.com> <CA+cU71nuGwgTc-dHkM_RrVUFZnOOoGkLeq-A2cQoYaobJFQ1zw@mail.gmail.com> <4FD1AB25.7070101@gnutls.org>
Date: Fri, 08 Jun 2012 11:18:08 -0400
Message-ID: <CAL9PXLynKsz+3x9BGOKgN1HdULGFckB3Z1wkRXSzca-C_yzoZA@mail.gmail.com>
From: Adam Langley <agl@google.com>
To: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Content-Type: text/plain; charset="UTF-8"
X-System-Of-Record: true
X-Gm-Message-State: ALoCoQkPex/K1dpljIS5uzMCwhzHO/WfM1KakUKaZeoPCd5cA8LWANLj6IkUcOMaNISPtb7T3seGMXB8htewC/jEOEkLHuHWHIlWHix813LYwBSPOrbJbgNco5hBZdJdFsYb1IdK1Uxi
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Cipher suite values to indicate TLS capability
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jun 2012 15:18:10 -0000

On Fri, Jun 8, 2012 at 3:35 AM, Nikos Mavrogiannopoulos <nmav@gnutls.org> wrote:
> If you want to only prevent against the attacker that wants to rollback
> the session to SSL 3.0, then all you need to do is to perform the proper
> TLS protocol negotiation, which protects against that. If it doesn't
> work warn the user.

Yes, the aim is to prevent an attacker performing a downgrade attack to SSLv3.

Warning the user assumes that the user can understand what we're
trying to tell them which is not true here.

> What happens if we have a buggy server that incorrectly implements the
> fallback detection mechanism? We define another one?

The SCSV for the renegotiation indication extension was deployed
without any serious issues, which is strong evidence that we can
viably deploy other SCSV values.

> If the problem is incorrect implementations, then just fix the incorrect
> implementations. If you cannot, then do not interoperate with them. If
> all major browsers do that, the owners would fix it.

It's not clear, from a global point of view, that the benefits of
avoiding SSLv3 downgrades exceed the cost of updating all these
servers. By definition these servers are unmaintained and probably
very expensive to update. They're also quite numerous.

Certainly, from a moral point of view, we should not be baring the
costs of these server's bugs. By abandoning these buggy devices on the
network, vendors (which presumably turned a profit by doing so) are
imposing externalities on the world. It's basically a form of
pollution.

I understand and share an anger towards these practices but, none the
less, we find ourselves with these barrels of toxic waste lying around
and have to deal with it. It's the cost of an open network and I'd
still choose it over a closed network.


Cheers

AGL