Re: [TLS] Downgrade prevention with authenticated list of ciphersuites?

Adam Langley <agl@google.com> Wed, 02 October 2013 19:34 UTC

In-Reply-To: <524c7192.8360440a.2d86.ffffdc2bSMTPIN_ADDED_BROKEN@mx.google.com>
References: <524c7192.8360440a.2d86.ffffdc2bSMTPIN_ADDED_BROKEN@mx.google.com>
From: Adam Langley <agl@google.com>
Date: Wed, 2 Oct 2013 15:22:40 -0400
Message-ID: <CAL9PXLzq0WF65-yOmU34sKL6LVsvw0CB9G=-4RiKQ=rgXfWPzQ@mail.gmail.com>
To: Seth David Schoen <schoen@eff.org>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Downgrade prevention with authenticated list of ciphersuites?

On Wed, Oct 2, 2013 at 3:02 PM, Seth David Schoen <schoen@eff.org> wrote:
> I'm wondering if there's any existing proposal for a mechanism to prevent
> ciphersuite downgrade attacks by authenticating the list of ciphersuites
> offered by a TLS server.  One way to do this might be to put the list
> somewhere in the server's certificate (maybe someone's already specified
> a way to do so?), like a "subject offered ciphersuites list".

TLS already authenticates the ciphersuite lists of both sides in the
final Finished messages.

Are you worried about misconfigured servers, or False Start, or
version fallback causing certain cipher suites to disappear?


Cheers

AGL
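Worked example of the point made above (added here; it is not code from the email, from Adam Langley, or from any TLS implementation): in TLS 1.2 the Finished verify_data is a PRF over the master secret and the hash of every handshake message, including the ClientHello's cipher_suites vector, so an on-path attacker who strips the strongest suite from the ClientHello produces a ClientHello the server hashes differently from the one the client hashed, and the server's check of the client's Finished fails. The ClientHello/ServerHello builders are minimal (no session ID, no extensions), the master secret is a constructed 48-byte constant rather than one derived from a key exchange, and the transcript omits Certificate/ServerKeyExchange; these are assumptions made to isolate the transcript check. Note that the check only spans one handshake: if a client reacts to a failure by starting a fresh handshake with a reduced offer (the version-fallback case the reply asks about), that retry has its own transcript.

```python
"""Added example: TLS 1.2 Finished verify_data detects cipher suite stripping."""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

# Cipher suite code points from the IANA TLS registry.
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS12 = b"\x03\x03"


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data-expansion function, RFC 5246 section 5."""
    out, a = b"", seed                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def handshake_msg(msg_type: int, body: bytes) -> bytes:
    """Handshake header: 1-byte type, 3-byte body length."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def client_hello(random: bytes, cipher_suites: List[int]) -> bytes:
    """Minimal ClientHello: version, random, empty session_id, suites, null compression."""
    suites = b"".join(struct.pack(">H", cs) for cs in cipher_suites)
    body = TLS12 + random + b"\x00" + struct.pack(">H", len(suites)) + suites + b"\x01\x00"
    return handshake_msg(1, body)


def server_hello(random: bytes, chosen_suite: int) -> bytes:
    """Minimal ServerHello selecting one suite."""
    return handshake_msg(2, TLS12 + random + b"\x00" + struct.pack(">H", chosen_suite) + b"\x00")


def parse_client_hello(hello: bytes) -> Tuple[bytes, List[int]]:
    """Return (client_random, offered suites) from a ClientHello built as above."""
    body = hello[4:]
    random, sid_len = body[2:34], body[34]
    pos = 35 + sid_len
    suites_len = struct.unpack(">H", body[pos:pos + 2])[0]
    raw = body[pos + 2:pos + 2 + suites_len]
    return random, [struct.unpack(">H", raw[i:i + 2])[0] for i in range(0, suites_len, 2)]


def strip_suite(hello: bytes, suite: int) -> bytes:
    """What an on-path attacker does: rebuild the ClientHello without one suite."""
    random, suites = parse_client_hello(hello)
    return client_hello(random, [s for s in suites if s != suite])


def finished_verify_data(master_secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """verify_data = PRF(master_secret, finished_label, Hash(handshake_messages))[0:12]."""
    return prf(master_secret, label, hashlib.sha256(transcript).digest(), 12)


def simulate(attacker_strips: Optional[int]) -> dict:
    """Run the hello exchange, optionally with a suite stripped in transit, and check Finished."""
    master_secret = bytes(range(48))               # constructed; normally from the key exchange
    client_random, server_random = b"\x11" * 32, b"\x22" * 32
    offered = [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA]
    ch_sent = client_hello(client_random, offered)
    ch_received = strip_suite(ch_sent, attacker_strips) if attacker_strips is not None else ch_sent
    chosen = parse_client_hello(ch_received)[1][0]  # server honours client preference order
    sh = server_hello(server_random, chosen)
    # Client hashes what it sent; server hashes what it received.
    client_vd = finished_verify_data(master_secret, b"client finished", ch_sent + sh)
    server_expected = finished_verify_data(master_secret, b"client finished", ch_received + sh)
    return {"negotiated": chosen, "client_finished": client_vd,
            "server_expected": server_expected,
            "accepted": hmac.compare_digest(client_vd, server_expected)}


if __name__ == "__main__":
    for stripped in (None, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256):
        r = simulate(stripped)
        label = "none" if stripped is None else hex(stripped)
        print(f"stripped={label:8} negotiated=0x{r['negotiated']:04X} finished_ok={r['accepted']}")
```

In the untampered run the server negotiates 0xC02F and accepts the client's Finished; in the tampered run it negotiates 0x002F and the verify_data mismatch surfaces as a decrypt_error/handshake_failure alert in a real stack. The attacker gains nothing unless it can also forge the Finished, which requires the master secret.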