Re: [TLS] Should we require implementations to send alerts?
Brian Smith <brian@briansmith.org> Wed, 16 September 2015 19:53 UTC
Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2ABAB1A0302 for <tls@ietfa.amsl.com>; Wed, 16 Sep 2015 12:53:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.578
X-Spam-Level:
X-Spam-Status: No, score=-0.578 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d9tqbDuoOYeJ for <tls@ietfa.amsl.com>; Wed, 16 Sep 2015 12:53:55 -0700 (PDT)
Received: from mail-yk0-f179.google.com (mail-yk0-f179.google.com [209.85.160.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1E491A0264 for <tls@ietf.org>; Wed, 16 Sep 2015 12:53:54 -0700 (PDT)
Received: by ykdg206 with SMTP id g206so230229897ykd.1 for <tls@ietf.org>; Wed, 16 Sep 2015 12:53:54 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=+jzjhHVqdznHrxf9rmmU+kl0jTZRW5JU8SojnRhy0i8=; b=VvPATTgNl/a23OkMEmXC2yAOog2XZqDKQj8lm6RP7/+oQHtO4ytmS8pe+dAwl3LBUt OxDFSG4iShHcYzt2qCXP99gyLkXyRX5ewdMtyq46CRIz9U1vBFkHdbLbAJpFIDIttxMC GbcNKl/dWTbb0hW3NTvdHgiGjZ6WNhxfraToeV76UV5q9Hqsegpj1g3RIeXyM5lCkzvx VKZAwEJzBYb+wNbFWC9xV3GlUBErJxCUn2qXImn4elKgphGnyRqzZzUv26l1NFzVoKqJ aVDctg2fQBxb4z5SxCxl7qYsB9qjtza3iIpNbeJqU7weOi1+6NlvQ17DzqisB2D8IWYd tg0g==
X-Gm-Message-State: ALoCoQlH8WtbClg3zaqOvCfqMtNwmFQj56yt4GhJAweMWPiz+/UetRAfXKPXlfllBqLBMOvklMd0
MIME-Version: 1.0
X-Received: by 10.13.242.194 with SMTP id b185mr29997433ywf.48.1442433233958; Wed, 16 Sep 2015 12:53:53 -0700 (PDT)
Received: by 10.37.61.6 with HTTP; Wed, 16 Sep 2015 12:53:53 -0700 (PDT)
In-Reply-To: <CABcZeBPnO4zn_HkvwLpLC+EVYN8EKOBEsR80oRt3HZgsiNGDoQ@mail.gmail.com>
References: <CABcZeBPnO4zn_HkvwLpLC+EVYN8EKOBEsR80oRt3HZgsiNGDoQ@mail.gmail.com>
Date: Wed, 16 Sep 2015 12:53:53 -0700
Message-ID: <CAFewVt6JAY20iXGZhufFRHSUrs5kVzP_CO2VmR5c1vaM-D_KZQ@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: multipart/alternative; boundary="94eb2c034da885f192051fe2a857"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/LxPCq6Gtrc3ogvkVMS8FW_uw_qY>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Should we require implementations to send alerts?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Sep 2015 19:53:57 -0000
On Sat, Sep 12, 2015 at 1:49 PM, Eric Rescorla <ekr@rtfm.com> wrote: > Issue: https://github.com/tlswg/tls13-spec/issues/242 > > In https://github.com/tlswg/tls13-spec/pull/231, Brian Smith argues: > > "Nobody must ever be *required* to send an alert. Any requirement for > sending an alert should be SHOULD, at most." > Before I wade too deep into this thread, a question: Assume the client and the server implement the mandatory-to-implement parameters and that both the client and the server are otherwise conformant. In this scenerio, when would an alert other than the non-fatal close_notify be sent? It could happen if the data is being tampered with (i.e. the connection is under attack). But, is it really a good idea to send attacker-predictable and attacker-controllable plaintext (the alert record) when you suspect you are under attack? Wouldn't it be much safer to hole up in your turtle shell when you detect signs of an attack? It could happen that one peer does not trust the other peer's credentials (certificate). That is common when browsers are involved, but in other applications of TLS an untrusted certificate is a strong indicator of an attack. And, in those scenerios, turtling seems like the best solution; at the very least, it is a justifiable reason to not send an alert. Because the alerting mechanism is under the influence of attacks, it is no surprise that some attacks have already used the alerting mechanism. In particular, CBC padding attacks abuse the alerting mechanism, as has the Bleichenbacher attack. While it is nice that the specifics of those particular attacks have been made irrelevant for TLS 1.3, the general conclusion that the sending of alerts adds significant risk still holds. Thus, it is reasonable for a careful implementation of TLS to avoid sending alerts for this reason alone. Further, the alerting mechanism has encouraged the unsafe practice of "version fallback." It is clear from looking at the bug databases of Firefox and Chrome that their attempts to make security decisions based on what alerts they received was bad for security. If one peer is nonconformant, then it seems unfair, at best, to require the other peer to put itself at additional risk to inform the nonconformant peer of its non-conformance. It is each implementation's job to ensure its own conformance. Further, attempting to send fatal alerts adds non-trivial complexity to implementations which emperical evidence has shown to cause significant problems. I encourage the representatives of Mozilla and other projects to look through their bug databases for bugs--both publicly-accessible and hidden from the public--related to the sending of alerts. Also note that Mozilla's implementation, NSS, has *never* conformed with the specification's "MUST" requirements to send alerts, and it has bugs in this area reported half a decade ago that remain unfixed. Thus, the empirical evidence from Mozilla's widely-deployed implementation shows that (a) the requirement to send alerts is difficult to conform to, and (b) it is unimportant in practice to send alerts. Finally, in an implementation for constrained devices, where every byte of code size matters, even the small amounts of code necessary to conform with these requirements are simply not justified. This alone should be justification for avoiding requiring sending alerts. Cheers, Brian
- [TLS] Should we require implementations to send a… Eric Rescorla
- Re: [TLS] Should we require implementations to se… Martin Thomson
- Re: [TLS] Should we require implementations to se… Eric Rescorla
- Re: [TLS] Should we require implementations to se… Geoffrey Keating
- Re: [TLS] Should we require implementations to se… Martin Thomson
- Re: [TLS] Should we require implementations to se… Salz, Rich
- Re: [TLS] Should we require implementations to se… Viktor Dukhovni
- Re: [TLS] Should we require implementations to se… Eric Rescorla
- Re: [TLS] Should we require implementations to se… Dave Garrett
- Re: [TLS] Should we require implementations to se… Andrei Popov
- Re: [TLS] Should we require implementations to se… Hanno Böck
- Re: [TLS] Should we require implementations to se… Florian Weimer
- Re: [TLS] Should we require implementations to se… Salz, Rich
- Re: [TLS] Should we require implementations to se… Nico Williams
- Re: [TLS] Should we require implementations to se… Florian Weimer
- Re: [TLS] Should we require implementations to se… Henrik Grubbström
- Re: [TLS] Should we require implementations to se… Florian Weimer
- Re: [TLS] Should we require implementations to se… Salz, Rich
- Re: [TLS] Should we require implementations to se… Viktor Dukhovni
- Re: [TLS] Should we require implementations to se… Dave Garrett
- Re: [TLS] Should we require implementations to se… Jim Schaad
- Re: [TLS] Should we require implementations to se… Nico Williams
- Re: [TLS] Should we require implementations to se… Nico Williams
- Re: [TLS] Should we require implementations to se… Brian Smith
- Re: [TLS] Should we require implementations to se… Florian Weimer
- Re: [TLS] Should we require implementations to se… Hubert Kario
- Re: [TLS] Should we require implementations to se… Brian Smith
- Re: [TLS] Should we require implementations to se… Nico Williams
- Re: [TLS] Should we require implementations to se… Brian Smith
- Re: [TLS] Should we require implementations to se… Dave Garrett
- Re: [TLS] Should we require implementations to se… Nico Williams
- Re: [TLS] Should we require implementations to se… Nico Williams
- Re: [TLS] Should we require implementations to se… Dave Garrett
- Re: [TLS] Should we require implementations to se… Martin Thomson
- Re: [TLS] Should we require implementations to se… Brian Smith
- Re: [TLS] Should we require implementations to se… Nico Williams
- Re: [TLS] Should we require implementations to se… Brian Smith
- Re: [TLS] Should we require implementations to se… Nico Williams
- Re: [TLS] Should we require implementations to se… Dave Garrett
- Re: [TLS] Should we require implementations to se… Dave Garrett
- Re: [TLS] Should we require implementations to se… David Benjamin
- Re: [TLS] Should we require implementations to se… Brian Smith
- Re: [TLS] Should we require implementations to se… Brian Smith
- Re: [TLS] Should we require implementations to se… Dave Garrett
- Re: [TLS] Should we require implementations to se… Dave Garrett
- Re: [TLS] Should we require implementations to se… Martin Rex
- Re: [TLS] Should we require implementations to se… Brian Smith
- Re: [TLS] Should we require implementations to se… Dave Garrett
- Re: [TLS] Should we require implementations to se… Dave Garrett
- Re: [TLS] Should we require implementations to se… Brian Smith
- Re: [TLS] Should we require implementations to se… David Benjamin
- Re: [TLS] Should we require implementations to se… Hubert Kario
- Re: [TLS] Should we require implementations to se… Hubert Kario
- Re: [TLS] Should we require implementations to se… Brian Smith
- Re: [TLS] Should we require implementations to se… Benjamin Kaduk
- Re: [TLS] Should we require implementations to se… Tony Arcieri
- Re: [TLS] Should we require implementations to se… Dave Garrett
- Re: [TLS] Should we require implementations to se… Bill Frantz
- Re: [TLS] Should we require implementations to se… Kurt Roeckx
- Re: [TLS] Should we require implementations to se… Kurt Roeckx
- Re: [TLS] Should we require implementations to se… Viktor Dukhovni
- Re: [TLS] Should we require implementations to se… Hubert Kario
- Re: [TLS] Should we require implementations to se… Hubert Kario