IETF Logo Mail Archive

Re: [TLS] The TLS_FALLBACK_SCSV time bomb (was: Re: Working Group Last Call for draft-ietf-tls-downgrade-scsv-00)

Bodo Moeller <bmoeller@acm.org> Fri, 17 October 2014 13:20 UTC

Return-Path: <SRS0=LHIJ=7I=acm.org=bmoeller@srs.kundenserver.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CB461ACDA3 for <tls@ietfa.amsl.com>; Fri, 17 Oct 2014 06:20:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.938
X-Spam-Level:
X-Spam-Status: No, score=-0.938 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ikSJywGYjSW3 for <tls@ietfa.amsl.com>; Fri, 17 Oct 2014 06:20:19 -0700 (PDT)
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.17.10]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70AD01ACD7E for <tls@ietf.org>; Fri, 17 Oct 2014 06:20:18 -0700 (PDT)
Received: from mail-yk0-f180.google.com (mail-yk0-f180.google.com [209.85.160.180]) by mrelayeu.kundenserver.de (node=mreue102) with ESMTP (Nemesis) id 0LqlQA-1YJNt73FpK-00eJ6Z; Fri, 17 Oct 2014 15:20:16 +0200
Received: by mail-yk0-f180.google.com with SMTP id 142so323512ykq.39 for <tls@ietf.org>; Fri, 17 Oct 2014 06:20:14 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.236.22.228 with SMTP id t64mr3672516yht.164.1413552014601; Fri, 17 Oct 2014 06:20:14 -0700 (PDT)
Received: by 10.170.194.15 with HTTP; Fri, 17 Oct 2014 06:20:14 -0700 (PDT)
In-Reply-To: <180027849.13041583.1413544466157.JavaMail.zimbra@redhat.com>
References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com> <CADMpkcLnOh3HGD+urWuo6fPfkX4WfGhwckE0jg5jS2KqD2RuMQ@mail.gmail.com> <CABkgnnWuCwOGBXG2RdetwPFn4KtVPygSBWG5qkme1mvNst6n+A@mail.gmail.com> <543F9893.806@redhat.com> <543FA0A0.1030205@polarssl.org> <543FCAED.50502@redhat.com> <2A0EFB9C05D0164E98F19BB0AF3708C71D39ECECB4@USMBX1.msg.corp.akamai.com> <5440E005.6000607@redhat.com> <180027849.13041583.1413544466157.JavaMail.zimbra@redhat.com>
Date: Fri, 17 Oct 2014 15:20:14 +0200
Message-ID: <CADMpkcL2mntDd0dOruziqF0F=xURnqGgd_YkpF+ONzz8v-wQ9Q@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: Hubert Kario <hkario@redhat.com>
Content-Type: multipart/alternative; boundary="e89a8f642a98b3b60d05059e395a"
X-Provags-ID: V02:K0:qvIGLJK9g/pG1R5tdU6mhlKvJDNfWD5qa8ZTuD2DnUK RaCQ8gF3a7ZQrH6MYrXrv638xQrkvmUIfDSOEpw523R2iugkd2 wCMy0xoRPMKL5mHhuH3wcZ7IN14G7BmPOwWk+qbr4xy8xhC7vU LhD3LAT8BQp1gjb4euHp5RQDcaK53SwQyCEB0PE4vvcgx0eJvZ 9uF9tzpXqhbZszkNi+6gitf42Y0/92zpwC/XJWkRc7HnowLzHN p0LM6a2/BK4JD1z+3Je4hiUYM/szAevInR/ZgRH7XZCbbCmPgC MMZ5U4syiMBtFeie1s6dZ74GQyMBqfmx+2pkG1LScm1TDuJcjs JP8mSC7/Zy2v0YVSSyBwEjgwVFQUJnxZBnxUxjtsLlTST3yGAF /1mWBKd/WJ+yseSZDNbIS/hTs27ojNZKEvYIg2C/2kz7UXIYKS Vs4Qj
X-UI-Out-Filterresults: notjunk:1;
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/LMc11K4C0pt3WZTOuhlX5wmyZcQ
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] The TLS_FALLBACK_SCSV time bomb (was: Re: Working Group Last Call for draft-ietf-tls-downgrade-scsv-00)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Oct 2014 13:20:27 -0000

Hubert Kario <hkario@redhat.com>:


> [...] I think the only thing we can do to prevent
> that is to be explicit in the document:
>
> "The client MUST NOT advertise TLS_FALLBACK_SCSV if it initiates connection
> with the highest protocol version it supports."


Right, I think stating this explicitly in the spec is probably the right
thing to do (of course this has been the intended behavior all along).
Thanks.

(Arguably the OpenSSL API is too fragile, and SSL_MODE_SEND_FALLBACK_SCSV
should be ignored in this case. So clarifying that in the spec is not the
*only* thing we can do to prevent this.

Also, if a few HTTPS servers log information such as the User-Agent header
if they see a client hello advertising TLS 1.2 with TLS_FALLBACK_SCSV, that
could be used to track down any clients that still manage to get it wrong.
That seems more practical than using clients to find version-intolerant
servers, because for that you'd have to send TLS 1.3 or TLS 1.4 client
hellos before these protocols actually exist, and then wouldn't quite know
what to do in case the server actually chooses one of these versions.)

While I don't see any way to completely avoid interoperability failures in
the presence of potential bugs, I think this failure scenario (buggy
clients potentially sending TLS_FALLBACK_SCSV in every handshake) really
isn't as bad as the alternatives -- such as strictly expecting servers to
be version-tolerant for protocol versions they've never been tested with.
There's always *some* way how buggy implementations could break
interoperability.

Bodo

v2.23.0 | Report a Bug | By Email