Re: [TLS] WGLC for "Deprecating TLSv1.0 and TLSv1.1"

[Hubert Kario <hkario@redhat.com>]

On Tuesday, 14 May 2019 16:52:49 CEST Martin Rex wrote:
> Hubert Kario <hkario@redhat.com> wrote:
> > Martin Rex wrote:
> >> Hubert Kario <hkario@redhat.com> wrote:
> >>> MD5 was deprecated and removed by basically every library
> >>> and can't be used in TLS 1.2, I specifically meant SHA1
> >> 
> >> MD5 deprecated ?  Nope, glaring emtpy:
> >>               https://www.rfc-editor.org/errata_search.php?rfc=5246
> >> 
> >> MD5 removed ? Mostly, but several implementors had to be prodded with
> >> 
> >>               with CVE-2015-7575 (SLOTH) to remove it.
> > 
> > I meant in practice
> > 
> >> The real issue at hand is:
> >>   Prohibiting TLSv1.0 and TLSv1.1 is going to result in lots of
> >>   interop problems, while at the same time providing *ZERO*
> >>   security benefit.
> > 
> > that's your opinion, not an established fact
> 
> You got this backwards.
> 
> There is a bold assertion that disabling TLSv1.0 and TLSv1.1 (alone)
> would provide security benefits, but a complete lack of proof.

there are attacks, like BEAST, that TLS 1.0 is vulnerable to that TLS 1.1 and 
TLS 1.2 are not - that's a fact
there are ciphersuites that are invulnerable to Lucky13 and similar style of 
attacks that can not be used with TLS 1.0 or TLS 1.1 - that's a fact

that doesn't sound to me like "ZERO security benefit", and similar issues were 
the reason why we generally don't use SSL2 and SSL3 any more and why RFC 7568 
was published

> On digitally_signed, is proven that TLSv1.2 as defined by rfc5246
> is the weakest of them all.

yes, provided that:
 - MD5 is actually in use
 - or Joux does not hold and MD5+SHA1 is _meaningfully_ stronger[1] than SHA-1 
   alone *and* SHA-1 is actually in use

those are big if's

 1 - where meaningfully = at least by a work factor of 2^10
 
> >>   What *WOULD* provide *HUGE* benefit, would be to remove the
> >>   dangerous "protocol version downgrade dance" from careless
> >>   applications,
> >>   that is the actual problem known as POODLE, because this subverts the
> >>   cryptographic procection of the TLS handshake protocol.
> >>   
> >>   We've known this downgrade dance to be a problem since the discussion
> >>   of what became rfc5746.  Prohibiting automatic protoocol version
> >>   downgrade dances is going to ensure that two communication peers
> >>   that support TLSv1.2 will not negotiate a lower TLS protocol version.
> > 
> > which exact piece of popular software actually still does that?
> > It ain't curl, it ain't Chrome, it ain't Firefox.
> 
> It definitely was implemented in Chrome and Firefox, which is how this
> poor document got onto standards track:

key words: "still" and "was"
 
> The POODLE paper
>    https://www.openssl.org/~bodo/ssl-poodle.pdf
> 
> asserts that many clients doing downgrade dances exist, and at the
> time of publication, this includes Mozilla Firefox, Google Chrome and
> Microsoft Internet Explorer.

either we consider clients that haven't been updated for half a decade now to 
be of importance, then disabling support for old protocol versions has 
meaningful security benefit, or we ignore them as they include insignificant 
percentage of users and are vulnerable to much easier attacks anyway

so, which way is it?

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic