Re: [TLS] SCSVs and SSLv3 fallback
Trevor Perrin <trevp@trevp.net> Mon, 08 April 2013 23:21 UTC
Return-Path: <trevp@trevp.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23AAE21F8DBF for <tls@ietfa.amsl.com>; Mon, 8 Apr 2013 16:21:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.894
X-Spam-Level:
X-Spam-Status: No, score=-1.894 tagged_above=-999 required=5 tests=[AWL=1.083, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OUXemPGK+wJS for <tls@ietfa.amsl.com>; Mon, 8 Apr 2013 16:21:58 -0700 (PDT)
Received: from mail-wg0-f49.google.com (mail-wg0-f49.google.com [74.125.82.49]) by ietfa.amsl.com (Postfix) with ESMTP id B73B021F84CA for <tls@ietf.org>; Mon, 8 Apr 2013 16:21:57 -0700 (PDT)
Received: by mail-wg0-f49.google.com with SMTP id e11so6553796wgh.16 for <tls@ietf.org>; Mon, 08 Apr 2013 16:21:56 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=OyTtnLOTXoEBI+rzLnXYHoKw3R91fLkhMj7LrzKwhsw=; b=f8b3yjxnHa5oWsWq7oMhGAKFzjFFPmm8Blereld/eeDK/HU4TPSOO4mXFb4SBV2Pgg MqWKpplAUAUhk5G0ID2cOOKhd1HlZTIvtjA7igJZiEEG+A2FJp7mcnfebbjCD4J26q1C KZJzxFxFoaPVSUsaFW1o+d9wLs9kYkn5+IdDsQfE5jXp8C8Qm0MILOVWcrFFcudDwhn3 nnPoLfRQYHu+PwftNLWrXtSKghExD1BSIRF7/wl4QLluQqiaJ2LHvBuTN39xxvySABm1 wbXOjkrGALsFx6WSL0iXPK9c5FTnhpS6EMru8C4H5qko/i3fkQfgwqaTD5ZPNBhtiINl OV3g==
MIME-Version: 1.0
X-Received: by 10.180.87.170 with SMTP id az10mr16143957wib.3.1365463316560; Mon, 08 Apr 2013 16:21:56 -0700 (PDT)
Received: by 10.217.119.134 with HTTP; Mon, 8 Apr 2013 16:21:56 -0700 (PDT)
X-Originating-IP: [64.134.227.192]
In-Reply-To: <op.wu8mspkc3dfyax@killashandra.invalid.invalid>
References: <CAGZ8ZG0i4-ZDPu=O1+Qy1DJ8oV80_eMz5J9NZrn2UC1-zYu4Sw@mail.gmail.com> <op.wu1f2u2n3dfyax@killashandra.invalid.invalid> <CAGZ8ZG1JzgnCNqfPueKr3wrvMzZKUi7mfvcAdRc-NnCDr33aLg@mail.gmail.com> <515F428E.2010900@gnutls.org> <CAGZ8ZG2OqLz8NymWzR0WNWsHz7qHLA+8eq95WFTLVFGaTK=RCA@mail.gmail.com> <D4CC5248-B1F1-498E-8058-5E17BADB3CE6@vpnc.org> <CAGZ8ZG2uvKs8-Sn9bvQyaP9t_E3BhkZFoi7Sq9wbxaHNpf_NDg@mail.gmail.com> <op.wu3cctbc3dfyax@killashandra.invalid.invalid> <CAGZ8ZG3H6wPnLZE3CkBGHMiMXvdA-VBM911t+tzPqW5ggJr2PA@mail.gmail.com> <op.wu4b9sxq3dfyax@killashandra.invalid.invalid> <CAGZ8ZG2yVYPkOFFvSKF0Q18CREHtzfeeTdZpi0Cxhi-OQBr8nA@mail.gmail.com> <op.wu4u97w03dfyax@killashandra.invalid.invalid> <CAGZ8ZG1NW5SHHfyjFnQNvbNzb4KgL-7W+bZHAXERgrbkoTZa9g@mail.gmail.com> <op.wu8mspkc3dfyax@killashandra.invalid.invalid>
Date: Mon, 08 Apr 2013 16:21:56 -0700
Message-ID: <CAGZ8ZG0CXoR4ibyrBoaJftuWPMSss4smC7eQ46B=V_6Q3VcApQ@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: "Yngve N. Pettersen" <yngve@spec-work.net>
Content-Type: text/plain; charset="ISO-8859-1"
X-Gm-Message-State: ALoCoQk4AJjxYMU8ztXGEmT8xDedo9mpZxpIr35i3ZTn+MmKfs7jELx72dKg39olUpSALtrZBs+n
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] SCSVs and SSLv3 fallback
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2013 23:21:59 -0000
On Mon, Apr 8, 2013 at 12:51 PM, Yngve N. Pettersen <yngve@spec-work.net> wrote: > On Mon, 08 Apr 2013 20:34:59 +0200, Trevor Perrin <trevp@trevp.net> wrote: > >> Hi Yngve, >> >> Thanks for the reference to your rollback prevention draft [1]. I've >> also seen the Eric Rescorla and Adam Langley proposals [2,3]. >> >> These all seem practical ways to enable a TLS-capable party suffering >> an SSLv3 fallback to detect that the other party is TLS-capable. >> >> I'd love to see any of them deployed, so such connections could be >> rejected. Browser makers could aso preload their browser with a list >> of TLS-capable sites (such as their own), and disable SSLv3 fallback >> for them. > > > Opera 12.x already deploy the one I've described (It was also deployed in > Opera 10.50 to 11.0x). Interesting! To make sure I understand: - You're saying Opera 12.x will refuse to connect to RFC 5746-supporting sites if there's a TLS-intolerant middlebox in the way? - According to [1,2], about half of all TLS servers are RFC 5746-supporting? Could I infer that Opera is providing rollback/MITM/middlebox protection to roughly half of all TLS connections made by its users? If so, that's an impressive step, and great news! Do you think other browsers will follow suit? >> Hopefully these actions would force TLS-intolerant middleboxes to be >> replaced, so browsers could stop having to work-around them and this >> problem would disappear. > > > I hope my proposal might manage that, but I don't think EKR and Adam's > proposals will, since they try to work around the broken servers and > middleboxes, and do not confront them. Not sure that's true. From Eric's draft [3]: """ If the SCSV value is present and is not equal to ClientHello.client_version, then the server MUST terminate the handshake with a fatal "handshake_failure" alert. """ >From Adam's post [4]: """ the semantics of TLS_CAPABLE_SCSV would be that servers would reject any SSLv3 handshakes that included this ciphersuite with a fatal error. """ They have the client explicitly signal TLS capability via an SCSV, whereas you have the client infer the server's TLS capability from presence of renegotiation_info. So their mechanism only works if both clients and servers support it. Your mechanism can be rolled out unilaterally in a browser, at the cost of a higher connection-failure rate (as you've said, ~1/700 servers return renegotiation_info while being TLS intolerant; whether rejecting these servers is a "feature" or "bug" is another question :-) >> In the long-term, if TLS-intolerant middleboxes can be eliminated to >> the point that browsers *don't* need to support them, this case will >> cease to exist. At that point this mechanism will be unused and >> unneeded. > > > The problem, from my point of view, is that as long as standards and clients > *capitulates* to (or maybe a better description is: allows themselves to be > *blackmailed* by) those middleboxes (and servers), they will *never* go > away, because the visited websites do not break; "if it ain't broken, don't > fix it". (I suspect some would make references to "Danegeld" in similar > situations.) I agree these middleboxes will not get fixed unless browsers and servers break compatibility with them. But TACK/CT/etc aren't needed for this: - Browsers could refuse SSLv3 fallback for sites that signal renegotiation_info (Opera) - Browsers could be preloaded with lists of sites to refuse SSLv3 fallback for - Browsers could stop doing SSLv3 fallback entirely - Servers could refuse SSLv3 handshakes - Servers could refuse SSLv3 handshakes with a TLS_CAPABLE_SCSV (per Eric and Adam) They are mostly not doing so. So in the face of the widespread middlebox "capitulation" which is a current fact-of-life on the web, I question whether it's fair to force the cost of breaking these middleboxes on young protocol efforts that are already facing huge challenges to deployment. I think doing so will simply make potential adopters unwilling to experiment with these new enhancements, while having no impact on bad middleboxes. >> As you and Nikos have pointed out, there is no guarantee that this >> mechanism will always work. However if deployed, we could gather >> statistics on it. > > > Which will not mean that the problem will get fixed. It means we will learn how successful this approach is in creating TACK/CT/OCSP-must-staple connections through TLS-intolerant middleboxes. > It will just mean that > clients implement more and more complex recovery methods in an attempt to > get past what they think breaks the connection in those cases. > > Quite the opposite of what my "removal" draft attempt to accomplish I support your rollback removal draft, and other methods. But unless/until they've been effective, I don't agree that new TLS enhancements should be prevented from trying widely-deployed compatibility fallbacks. > Also: How long until a serious security vulnerability rears its head out of > that mess of workarounds and iterative fallbacks? I support removal of all these fallbacks. I hope we can get there. But that is not the present reality TACK etc. have to contend with. (And do note that TACK / CT / OCSP must-staple etc. are attempting to address *existing* serious security vulnerabilities related to the CA system, revocation, and so on.) Trevor [1] http://my.opera.com/securitygroup/blog/2011/05/19/renego-popular-unpatched-and-vulnerable-sites [2] http://www.acsac.org/2012/openconf/modules/request.php?module=oc_program&action=view.php&a=&id=163&type=4&OPENCONF=75799905b2bb79c800ddf7ade3caad00 [3] http://www.ietf.org/mail-archive/web/tls/current/msg08099.html [4] http://www.ietf.org/mail-archive/web/tls/current/msg08861.html
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Hanno Böck
- Re: [TLS] SCSVs and SSLv3 fallback Geoffrey Keating
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Joseph Birr-Pixton
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Nikos Mavrogiannopoulos
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Paul Hoffman
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Nikos Mavrogiannopoulos
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Adam Langley
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yoav Nir