Re: [TLS] simplistic renego protection
Eric Rescorla <ekr@networkresonance.com> Tue, 17 November 2009 17:50 UTC
Return-Path: <ekr@networkresonance.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B40873A6405 for <tls@core3.amsl.com>; Tue, 17 Nov 2009 09:50:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.152
X-Spam-Level:
X-Spam-Status: No, score=-0.152 tagged_above=-999 required=5 tests=[AWL=0.343, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MOCIkHgFMTzY for <tls@core3.amsl.com>; Tue, 17 Nov 2009 09:50:22 -0800 (PST)
Received: from kilo.networkresonance.com (unknown [80.169.194.194]) by core3.amsl.com (Postfix) with ESMTP id 5E16D3A6843 for <tls@ietf.org>; Tue, 17 Nov 2009 09:50:22 -0800 (PST)
Received: from kilo.local (localhost [127.0.0.1]) by kilo.networkresonance.com (Postfix) with ESMTP id 9BE6569FBC8; Tue, 17 Nov 2009 17:51:46 +0000 (GMT)
Date: Tue, 17 Nov 2009 17:51:46 +0000
From: Eric Rescorla <ekr@networkresonance.com>
To: Michael D'Errico <mike-list@pobox.com>
In-Reply-To: <4B02CE81.1000607@pobox.com>
References: <200911161725.nAGHPWaA014181@fs4113.wdf.sap.corp> <089F31C221374096B0FE619F@446E7922C82D299DB29D899F> <4B02A084.9030903@cs.tcd.ie> <4B02CE81.1000607@pobox.com>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20091117175146.9BE6569FBC8@kilo.networkresonance.com>
Cc: tls@ietf.org
Subject: Re: [TLS] simplistic renego protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2009 17:50:23 -0000
At Tue, 17 Nov 2009 08:25:37 -0800, Michael D'Errico wrote: > > Stephen Farrell wrote: > > > > Chris Newman wrote: > >> --On November 16, 2009 18:25:32 +0100 Martin Rex <mrex@sap.com> wrote: > >>> But when a proposal enters the IETF process, the IETF and the > >>> working group should discuss it based on its technical merits. > >> The IETF is about rough consensus and running code. Technical merit is > >> one aspect of that. Time to market can be important. Technical > >> maturity of the specification can be important. The best or perfect > >> proposal often takes longer to develop than the good enough proposal and > >> thus loses. Just look at how badly HTTP is designed when it comes to > >> authentication -- but it was good enough to standardize. The HTTP > >> Next-Generation working group failed because HTTP is good enough. > >> > >> draft-rescorla-tls-renegotiation-00 already has lots of running code; > >> and that's a traditional IETF litmus test that correctly makes > >> alternative proposals far less attractive. > > > > Having watched the recent list traffic I find the above convincing. > > I'd love to see a -01 of the above containing the changes EKR has > > mentioned already, and then a WGLC on that. > > I went back and re-read all his messages and the only change EKR > suggested was to use a magic cipher suite *only as a fallback* if > an initial attempt to use RI failed. All other suggestions did not > convince him to make any changes. I could be wrong, but that is > how the messages read. Well, the other changes I've seen suggested pretty much amount to discarding RI in favor of another approach, so I don't think it's really surprising I didn't incorporate them into RI. > Plus I've pointed out that RI does not protect the combination of a > lenient client and lenient server! This is a severe drawback since > patched peers are still vulnerable during the transition period > where some servers remain lenient (allow current insecure > renegotiation). I don't think this is entirely accurate. It doesn't protect the combination of a lenient server and a client which falls back to not using the extension at all, i.e., a client which tolerates non-compliant servers which do not properly ignore unknown extensions. Given that that's going to be a fairly small fraction of servers and that those servers are pretty much by definition unpatched (more or less the one case where you can accurately detect vulnerability without a huge number of false positives) I'm not seeing that it's a crisis to fail negotiation at this point. With that said, the extra cipher suite solves this problem AFAICT and I have no problem with adding that if it's WG consensus. > (2) can be done many ways but I think Martin came up with a better > idea than the alert message I proposed. It is to toggle the upper > bit of the low-order byte of the version in the ServerHello. For > SSLv3, 0x0300 would become 0x0380; TLS 1.0, 0x0301 would become 0x0381, > etc. This is forward-compatible too; the next version of TLS would > be 4.0, 0x0400. This signal would be used in all handshakes from > SSLv3 through TLS 1.2. The version in the record layer would NOT > change. Changing the version number in response to something other than a version number advertisement seems extremely problematic to me. > (3) can be done in a variety of ways. RI sends the data over the > wire, but this is unnecessary since both the client and server know > it already. EKR doesn't like the idea of a "virtual" handshake > message, but this is an easier way to incorporate the data than > requiring changes to three PRF computations (SSLv3, TLS 1.0/1.1, and > TLS 1.2). Well, RI doesn't require changing the PRF or the virtual -Ekr
- Re: [TLS] simplistic renego protection Chris Newman
- [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Joseph Salowey (jsalowey)
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Nelson B Bolyard
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection peter.robinson
- Re: [TLS] simplistic renego protection Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] simplistic renego protection Stephen Farrell
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Nasko Oskov
- Re: [TLS] simplistic renego protection Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Yair Elharrar
- Re: [TLS] simplistic renego protection Steve Dispensa
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Robert Dugal
- Re: [TLS] simplistic renego protection Pasi.Eronen
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Simon Josefsson
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Nasko Oskov
- Re: [TLS] simplistic renego protection Nelson B Bolyard
- Re: [TLS] simplistic renego protection Nelson B Bolyard
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Nelson B Bolyard
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- [TLS] Definition of "lenient server" David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection Ben Laurie
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection Bill Frantz
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Ben Laurie
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Ben Laurie
- Re: [TLS] simplistic renego protection Pasi.Eronen
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Pasi.Eronen
- Re: [TLS] simplistic renego protection Yngve Nysaeter Pettersen
- Re: [TLS] simplistic renego protection Peter Gutmann
- Re: [TLS] simplistic renego protection Kyle Hamilton