IETF Logo Mail Archive

Re: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv

Andrei Popov <Andrei.Popov@microsoft.com> Tue, 28 January 2014 20:12 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 522351A045F for <tls@ietfa.amsl.com>; Tue, 28 Jan 2014 12:12:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level:
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u3u5hIjxckLY for <tls@ietfa.amsl.com>; Tue, 28 Jan 2014 12:12:06 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1lp0156.outbound.protection.outlook.com [207.46.163.156]) by ietfa.amsl.com (Postfix) with ESMTP id 8DB281A03AA for <tls@ietf.org>; Tue, 28 Jan 2014 12:12:06 -0800 (PST)
Received: from BL2PR03MB419.namprd03.prod.outlook.com (10.141.92.18) by BL2PR03MB418.namprd03.prod.outlook.com (10.141.92.13) with Microsoft SMTP Server (TLS) id 15.0.868.8; Tue, 28 Jan 2014 20:12:02 +0000
Received: from BL2PR03MB419.namprd03.prod.outlook.com ([10.141.92.18]) by BL2PR03MB419.namprd03.prod.outlook.com ([10.141.92.18]) with mapi id 15.00.0859.020; Tue, 28 Jan 2014 20:12:02 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Yoav Nir <ynir@checkpoint.com>
Thread-Topic: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv
Thread-Index: AQHPGCLYtuT5cbQOIEmjzG1QZtPhb5qY2GuAgAAk7YCAAE8UgIAAB82QgAASrACAAOV7y4AABq0AgABAF0A=
Date: Tue, 28 Jan 2014 20:12:01 +0000
Message-ID: <062f690386314652b30aa8247ec18c0c@BL2PR03MB419.namprd03.prod.outlook.com>
References: <CADMpkcJ4viFwzU9u0uP41Niaopja8PZFowjOALVr3VA1vJ7Uow@mail.gmail.com> <20140128001737.D9D581ABC9@ld9781.wdf.sap.corp> <828b043cac0f4b62875d00f31d2f92e3@BL2PR03MB419.namprd03.prod.outlook.com>, <CAL9PXLxDWUMUq5rJXCHYaFRqX6rYfczN8gJaBRJa=pbkH4YWSA@mail.gmail.com> <a840133f75d0426898462ccef739861f@BL2PR03MB419.namprd03.prod.outlook.com> <ED6ED7E4-3E0C-41B9-A8B3-16C676BCAFAD@checkpoint.com>
In-Reply-To: <ED6ED7E4-3E0C-41B9-A8B3-16C676BCAFAD@checkpoint.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e0:ee43::3]
x-forefront-prvs: 0105DAA385
x-forefront-antispam-report: SFV:NSPM; SFS:(10009001)(979002)(6009001)(164054003)(24454002)(51704005)(189002)(199002)(377454003)(13464003)(76482001)(81816001)(56776001)(54316002)(85306002)(51856001)(46102001)(53806001)(54356001)(79102001)(83072002)(31966008)(85852003)(81542001)(74662001)(47446002)(74502001)(92566001)(81686001)(76796001)(76786001)(69226001)(65816001)(33646001)(80976001)(76576001)(80022001)(93136001)(93516002)(74706001)(74876001)(74366001)(87266001)(83322001)(19580405001)(81342001)(63696002)(74316001)(561944002)(87936001)(86362001)(19580395003)(4396001)(47736001)(47976001)(50986001)(49866001)(2656002)(77982001)(90146001)(56816005)(94316002)(59766001)(15975445006)(24736002)(3826001)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1101; SCL:1; SRVR:BL2PR03MB418; H:BL2PR03MB419.namprd03.prod.outlook.com; CLIP:2001:4898:80e0:ee43::3; FPR:2EFCF137.A8F217CA.BCF25177.8AF49943.20412; InfoNoRecordsMX:1; A:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jan 2014 20:12:09 -0000

Correct, but I'm more concerned about this scenario: suppose a client implements a three-stage fallback: TLS1.2-with-extensions ---> TLS1.0-with-extensions ---> SSLv3.
Suppose TLS1.2-with-extensions got a RST from a TLS1.2-supporting server because there is an interoperability problem, or a middle box problem, or a configuration problem, etc.
The client is now trying TLS1.0-with-extensions + SCSV. Without the SCSV, the handshake may have succeeded, but with SCSV the TLS connection will fail.

>From the standpoint of the browser vendors, this largely defeats the purpose of re-connects. Perhaps a browser could only send the SCSV on the last re-connect, when downgraded to the least secure protocol version (e.g. SSL3). But even this compromise seems unlikely to get deployed.

Cheers,

Andrei

-----Original Message-----
From: Yoav Nir [mailto:ynir@checkpoint.com] 
Sent: Tuesday, January 28, 2014 7:58 AM
To: Andrei Popov
Cc: Adam Langley; tls@ietf.org
Subject: Re: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv

Well, suppose a client implements a three-stage fallback: TLS1.2-with-extensions--->TLS1.0-with-extensions--->SSLv3.

Suppose TLS1.2-with-extensions got a RST. The client is now trying TLS1.0-with-extensions. If it gets an alert, it will know that it needs to stop. If it gets another RST, it will proceed to try SSLv3, and that's a bad thing, because it should have stopped at TLS 1.0.

I don't think it matters much, because if an attacker can cause a TLS 1.2 session to fail, it can do the same to a TLS 1.0 session. So an attacker can always force the sides to the lowest common denominator. The best this extension can do is to make sure that when they finally do talk to each other at the lowest common denominator, that they recognize that the interference had happened. As long as they don't go below SSLv3, they will know that with the SCSV, regardless of whether the server resets or sends an appropriate alert.

Yoav

On Jan 28, 2014, at 5:41 PM, Andrei Popov <Andrei.Popov@microsoft.com>
 wrote:

> Yes, this makes sense, and the other fatal TLS alerts are defined for similar reasons. Because of Martin's comment, I thought I might be overlooking a security issue with not sending inappropriate_fallback.
> 
> Thanks,
> 
> Andrei
> 
> ________________________________________
> From: Adam Langley <agl@google.com>
> Sent: Monday, January 27, 2014 5:52 PM
> To: Andrei Popov
> Cc: mrex@sap.com; Bodo Moeller; tls@ietf.org
> Subject: Re: [TLS] Call for acceptance of 
> draft-moeller-tls-downgrade-scsv
> 
> On Mon, Jan 27, 2014 at 8:04 PM, Andrei Popov 
> <Andrei.Popov@microsoft.com> wrote:
>> For my understanding: why is this proposal vitally dependent on the server sending inappropriate_fallback alert? If the server receives the SCSV, has a higher protocol version enabled than that in the ClientHello, and quietly aborts the handshake, isn't the downgrade attack thwarted?
> 
> Yes, just closing the connection is good enough for security. The 
> advantage of returning the fatal alert is that a) it stops the 
> fallback process faster and b) the client can report the error that 
> caused the original connection to fail, rather than that the final 
> fallback hit connection closed.
> 
> 
> Cheers
> 
> AGL
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
> 
> Email secured by Check Point

v2.23.0 | Report a Bug | By Email