Re: [TLS] Third Option?
Yoav Nir <ynir@checkpoint.com> Thu, 17 December 2009 06:58 UTC
Return-Path: <ynir@checkpoint.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C70E13A6817 for <tls@core3.amsl.com>; Wed, 16 Dec 2009 22:58:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 79P9-K49UO-l for <tls@core3.amsl.com>; Wed, 16 Dec 2009 22:58:35 -0800 (PST)
Received: from dlpdemo.checkpoint.com (dlpdemo.checkpoint.com [194.29.32.54]) by core3.amsl.com (Postfix) with ESMTP id 5C54F3A67B8 for <tls@ietf.org>; Wed, 16 Dec 2009 22:58:35 -0800 (PST)
X-CheckPoint: {4B29D5AC-10002-14201DC2-FFFF}
Received: by dlpdemo.checkpoint.com (Postfix, from userid 105) id 7FBE429C005; Thu, 17 Dec 2009 08:58:19 +0200 (IST)
Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.32.68]) by dlpdemo.checkpoint.com (Postfix) with ESMTP id 691D729C002; Thu, 17 Dec 2009 08:58:19 +0200 (IST)
X-CheckPoint: {4B29D5AB-10000-14201DC2-FFFF}
Received: from il-ex01.ad.checkpoint.com (il-ex01.checkpoint.com [194.29.32.26]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id nBH6wJT7009453; Thu, 17 Dec 2009 08:58:19 +0200 (IST)
Received: from il-ex01.ad.checkpoint.com ([194.29.32.26]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Thu, 17 Dec 2009 08:58:29 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: Ravi Ganesan <ravi@findravi.com>
Date: Thu, 17 Dec 2009 08:58:15 +0200
Thread-Topic: [TLS] Third Option?
Thread-Index: Acp+5lZpzUoC643sSfKABcoBh2+nZA==
Message-ID: <A7CF2975-9462-44CD-80E5-88E5AC4071C2@checkpoint.com>
References: <3561bdcc0912161417j6cdcfe59l1be2131c9ec27da0@mail.gmail.com> <4B296275.8010108@extendedsubset.com> <3561bdcc0912161509j799392d1t2f4f09a7d1184737@mail.gmail.com> <3561bdcc0912161536y5e240e6cqe414c7d4aa2baef8@mail.gmail.com>
In-Reply-To: <3561bdcc0912161536y5e240e6cqe414c7d4aa2baef8@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_A7CF2975946244CD80E588E5AC4071C2checkpointcom_"
MIME-Version: 1.0
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Third Option?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2009 06:58:36 -0000
On Dec 17, 2009, at 1:36 AM, Ravi Ganesan wrote: On Wed, Dec 16, 2009 at 2:43 PM, Marsh Ray <marsh@extendedsubset.com<mailto:marsh@extendedsubset.com>> wrote: Ravi Ganesan wrote: > > A third option is to leave renegotiation in, but create an advisory that > explains the semantics; What do you (as a vendor) tell your customers when they know they are vulnerable and call you for a fix? Have TLS 1.3 code ready and tell them to upgrade to it. Asking customers to move to newer release in order to fix security problems is something the market understands. (did not say 'likes'). Except that the browsers they have don't support TLS 1.3 yet. If the TLS 1.3 spec came out today, it would be years (8? 10?) before you can assume that everyone has a supporting browser. However, if you are correct in your impact analysis in your original paper, then an emergency patch is the appropriate response. I am not sure I know enough to agree with your impact analysis, but either way, good job done by your team and Martin on this discovery -- it will make TLS 1.3 better. One stat that might allow us to ascertain immediate impact: If I am a web site who strictly ONLY uses server side SSL (with client auth being handled by passwords, etc.), And, I have ability to turn of renego. Will that do the trick? If so what portion of SSL users fall into this use-case? Yes. Disabling renegotiation on the server side solves the problem, and probably over 95% of users fall into this use case. However, even for them, there are two problems with this solution: - until very recently there was no "disable renegotiation" switch on the various servers. OpenSSL added this to 0.9.8l just last month. Upgrading to OpenSSL 0.9.8l means getting all the code changes between the release you're using and the new OpenSSL version. This might cause you other problems. - There's no signaling that renegotiations are disabled. The browser cannot show me that I'm talking to a secured server.
- [TLS] Third Option? Ravi Ganesan
- Re: [TLS] Third Option? Marsh Ray
- [TLS] Third Option? Ravi Ganesan
- Re: [TLS] Third Option? David-Sarah Hopwood
- Re: [TLS] Third Option? Marsh Ray
- Re: [TLS] Third Option? Yoav Nir
- Re: [TLS] Third Option? Martin Rex
- Re: [TLS] Third Option? Stefan Santesson
- Re: [TLS] Third Option? Kyle Hamilton
- Re: [TLS] Third Option? David-Sarah Hopwood