IETF Logo Mail Archive

Re: [TLS] simplistic renego protection

Martin Rex <mrex@sap.com> Mon, 16 November 2009 17:25 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AFB5B28C1D2 for <tls@core3.amsl.com>; Mon, 16 Nov 2009 09:25:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.837
X-Spam-Level:
X-Spam-Status: No, score=-5.837 tagged_above=-999 required=5 tests=[AWL=0.412, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uOwFUg4ZKEQI for <tls@core3.amsl.com>; Mon, 16 Nov 2009 09:25:42 -0800 (PST)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id A3DA828C1D1 for <tls@ietf.org>; Mon, 16 Nov 2009 09:25:38 -0800 (PST)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id nAGHPXDC000532 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 16 Nov 2009 18:25:33 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200911161725.nAGHPWaA014181@fs4113.wdf.sap.corp>
To: marsh@extendedsubset.com
Date: Mon, 16 Nov 2009 18:25:32 +0100
In-Reply-To: <4B0185D8.70204@extendedsubset.com> from "Marsh Ray" at Nov 16, 9 11:03:20 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal06
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] simplistic renego protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Nov 2009 17:25:43 -0000

Marsh Ray wrote:
> 
> Martin Rex wrote:
> > 
> > So you want the IETF to rubber-stamp an obviously inferior approach
> > because you prefered to come up with a solution in secret?
> 
> That is being unfair.
> 
> It was not EKR's decision to work on a fix in secret, it was mine and
> Steve Dispensa's. We thought that we would have a better chance at
> presenting a good fix for the bug along side its disclosure if we
> brought some of the relevant engineering types together at the beginning
> of the process.
> 
> We did tentatively agree on a proposal for an Internet Draft in secret,
> and now we are seeing the limitations of that approach. It would not
> have been anyone's first choice, least of all EKR's.


It is _not_ my intention to critizise that people develop ideas or
protocols outside of the IETF (open or closed group) and then come
to the IETF for standardization.  That's actually quite common and
not a problem.

But when a proposal enters the IETF process, the IETF and the
working group should discuss it based on its technical merits.

I'm getting the impression that the technical merit is not getting
the attention that it deserves.  TLS extensions are evidently largely
untested in the installed base.  The majority of the installed clients
does _NOT_ send it, and those clients that have started sending it,
apparently didn't dare to do this without an automatic fallback.

Having to retrofit the TLS extensions in a generic fashion into
SSLv3 and TLSv1.0 servers is a completely unnecessary and trivially
avoidable roadblock for maintainers.

And it doesn't seem to be to leave the fallbacks or SSLv3-compatibility
options that exist in current Browsers completely out in the rain,
where we could also trivially cover those scenarious with the
smaller and easier-to-implement extension-less approach.


Considering the urgency of the problem, now is a particularly
bad time to begin gathering interop experience with TLS extensions,
given that TLS WG didn't care about them for years.

To me, it looks like the REAL problems with the installed base described
in draft-pettersen-tls-interop-experience-00.txt (June 2006 !) didn't
result in any significant actions by the TLS WG to improve this, let
alone determine the scope and severity of the problems.


Quoting Section 6. of  draft-pettersen-tls-interop-experience-00.txt

   6.  Consequences

   As a consequence of the problems detailed above, many mass-market
   client vendors have had to deploy SSL/TLS implementations that
   disable protocol features if the server does not understand it.  In
   particular, this was necessary both for the move to TLS 1.0, and to
   TLS 1.1, but it has also become necessary for TLS Extensions.


-Martin

v2.23.0 | Report a Bug | By Email