Re: [TLS] A not-so crazy idea

Nicolas Williams <Nicolas.Williams@sun.com> Sun, 15 November 2009 20:08 UTC

Date: Sun, 15 Nov 2009 13:56:33 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Michael D'Errico <mike-list@pobox.com>
Message-ID: <20091115195633.GV1105@Sun.COM>
References: <200911150230.nAF2USpK019975@fs4113.wdf.sap.corp> <4AFF6EFA.6080508@pobox.com> <4AFF7071.9050102@extendedsubset.com> <4AFF77B1.1000106@jacaranda.org> <4AFF7EC3.8060805@pobox.com> <20091115173157.GR1105@Sun.COM> <4B004AE7.9000305@pobox.com>
In-Reply-To: <4B004AE7.9000305@pobox.com>
Cc: tls@ietf.org
Subject: Re: [TLS] A not-so crazy idea

On Sun, Nov 15, 2009 at 10:39:35AM -0800, Michael D'Errico wrote:
> Nicolas Williams wrote:
> >On Sat, Nov 14, 2009 at 08:08:35PM -0800, Michael D'Errico wrote:
> >>Here's a crazy idea: we could define a completely incompatible change
> >>to the way Finished messages are calculated even on initial handshakes.
> >
> >Not on initial.  My proposal is to do it only on re-negotiate.
> 
> Doing it on initial is necessary to protect clients when the server is
> not patched.
> 
> Remember that the attack happens on the client's INITIAL handshake!
> We need to protect that handshake, and no other proposal does that
> reliably.  Simply finishing the initial handshake completes the attack.

True.  The server can always screw the client anyways, so the client has
to trust server correctness, but at least in this case it'd be nice to
have a critical indication in the initial handshake.  That can be done
with or without extensions, but if without extensions then clients will
need to do the ugly fallback dance.

Nico
--
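The exchange above argues about changing how the Finished message is calculated so that a client's initial handshake cannot silently be consumed by the server as a renegotiation, and about what happens when the server is not patched. The following toy model is an added example, not code from the thread, from any TLS implementation, or from the later RFC that addressed the issue. It assumes a drastically simplified handshake: a transcript is a list of byte strings, the master secret is a fixed constructed value shared by client and server, and a Finished value is HMAC-SHA256 over a label, an optional context, and the transcript hash. The names `finished_legacy`, `finished_bound`, the `b"initial"` / `b"renego:"` context markers and every secret in the file are constructed for this illustration.

```python
"""Toy model: why binding handshake context into Finished stops the splice.

Added example (not the thread's or any TLS stack's code). Assumptions:
- a handshake transcript is just a list of byte strings;
- MASTER_SECRET is a constructed value both honest peers already share;
- verify_data = HMAC-SHA256(secret, label || context || SHA256(transcript)),
  which only loosely mirrors the shape of TLS 1.2's PRF-based Finished.
"""
import hashlib
import hmac
from typing import List, Optional

MASTER_SECRET = b"constructed-master-secret-for-demo"      # constructed, not a real key
ATTACKER_SECRET = b"constructed-attacker-session-secret"    # constructed
SERVER_LABEL = b"server finished"
CLIENT_LABEL = b"client finished"

# The client's initial handshake as both peers see it on the wire (constructed).
TRANSCRIPT: List[bytes] = [b"ClientHello", b"ServerHello", b"ClientKeyExchange"]


def _transcript_hash(transcript: List[bytes]) -> bytes:
    return hashlib.sha256(b"".join(transcript)).digest()


def finished_legacy(secret: bytes, label: bytes, transcript: List[bytes]) -> bytes:
    """Legacy-style Finished: depends only on this handshake's own messages."""
    return hmac.new(secret, label + _transcript_hash(transcript), hashlib.sha256).digest()


def finished_bound(secret: bytes, label: bytes, transcript: List[bytes],
                   prior_verify_data: Optional[bytes]) -> bytes:
    """Finished with handshake context bound in (the 'incompatible change').

    An initial handshake binds an explicit 'initial' marker; a renegotiation
    binds the verify_data of the handshake it renegotiates. A peer that
    believes it is in an initial handshake therefore cannot verify a Finished
    that the other side computed for a renegotiation.
    """
    context = b"initial" if prior_verify_data is None else b"renego:" + prior_verify_data
    return hmac.new(secret, label + context + _transcript_hash(transcript),
                    hashlib.sha256).digest()


def _attacker_prior_verify_data() -> bytes:
    """verify_data of the attacker's own earlier handshake with the server."""
    return finished_legacy(ATTACKER_SECRET, CLIENT_LABEL, [b"AttackerClientHello"])


def legacy_attack_undetected() -> bool:
    """Client thinks 'initial', server thinks 'renegotiation' (after the
    attacker's handshake). With legacy Finished both compute the same value,
    so the client accepts: finishing the initial handshake completes the attack."""
    server_sends = finished_legacy(MASTER_SECRET, SERVER_LABEL, TRANSCRIPT)
    client_expects = finished_legacy(MASTER_SECRET, SERVER_LABEL, TRANSCRIPT)
    return hmac.compare_digest(server_sends, client_expects)


def bound_attack_detected() -> bool:
    """Same situation with the bound Finished: the server binds the attacker's
    prior verify_data, the client binds 'initial', and verification fails
    before any application data is accepted."""
    server_sends = finished_bound(MASTER_SECRET, SERVER_LABEL, TRANSCRIPT,
                                  _attacker_prior_verify_data())
    client_expects = finished_bound(MASTER_SECRET, SERVER_LABEL, TRANSCRIPT, None)
    return not hmac.compare_digest(server_sends, client_expects)


def honest_renegotiation_verifies() -> bool:
    """A genuine renegotiation by the same client still verifies, because both
    sides bind the same prior verify_data."""
    prior = finished_bound(MASTER_SECRET, CLIENT_LABEL, TRANSCRIPT, None)
    new_transcript = TRANSCRIPT + [b"ClientHello2", b"ServerHello2"]
    server_sends = finished_bound(MASTER_SECRET, SERVER_LABEL, new_transcript, prior)
    client_expects = finished_bound(MASTER_SECRET, SERVER_LABEL, new_transcript, prior)
    return hmac.compare_digest(server_sends, client_expects)


def unpatched_server_indistinguishable() -> bool:
    """A bound-Finished client talking to a legacy server also fails to verify.
    Without an explicit critical indication the client cannot tell 'unpatched
    server' from 'attack in progress', which is the fallback problem the reply
    mentions: it must either abort or retry with the legacy calculation."""
    server_sends = finished_legacy(MASTER_SECRET, SERVER_LABEL, TRANSCRIPT)
    client_expects = finished_bound(MASTER_SECRET, SERVER_LABEL, TRANSCRIPT, None)
    return not hmac.compare_digest(server_sends, client_expects)


if __name__ == "__main__":
    print("legacy Finished, attack undetected:   ", legacy_attack_undetected())
    print("bound Finished, attack detected:      ", bound_attack_detected())
    print("bound Finished, honest renego works:  ", honest_renegotiation_verifies())
    print("bound client vs legacy server fails:  ", unpatched_server_indistinguishable())
```

The last function is the crux of the "with or without extensions" remark: a mismatching Finished alone tells the client only that something is wrong, not what. An explicit, verifiable indication carried in the initial handshake (an extension the server echoes, or an equally unambiguous signal) is what lets a client distinguish an old server from an attack instead of blindly falling back.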