IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

Andrey Jivsov <crypto@brainhub.org> Fri, 17 October 2014 18:04 UTC

Return-Path: <crypto@brainhub.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 991C31A007E for <tls@ietfa.amsl.com>; Fri, 17 Oct 2014 11:04:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3s5YGpwiWyZU for <tls@ietfa.amsl.com>; Fri, 17 Oct 2014 11:04:17 -0700 (PDT)
Received: from resqmta-ch2-09v.sys.comcast.net (resqmta-ch2-09v.sys.comcast.net [IPv6:2001:558:fe21:29:69:252:207:41]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 460EB1A0007 for <tls@ietf.org>; Fri, 17 Oct 2014 11:04:17 -0700 (PDT)
Received: from resomta-ch2-19v.sys.comcast.net ([69.252.207.115]) by resqmta-ch2-09v.sys.comcast.net with comcast id 4J4C1p0032VvR6D01J4GfL; Fri, 17 Oct 2014 18:04:16 +0000
Received: from [IPv6:::1] ([71.202.164.227]) by resomta-ch2-19v.sys.comcast.net with comcast id 4J4F1p00J4uhcbK01J4FeA; Fri, 17 Oct 2014 18:04:16 +0000
Message-ID: <54415A1F.3080707@brainhub.org>
Date: Fri, 17 Oct 2014 11:04:15 -0700
From: Andrey Jivsov <crypto@brainhub.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1
MIME-Version: 1.0
To: tls@ietf.org
References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com> <5438CFEA.7000401@brainhub.org> <5440CC7F.1020608@brainhub.org> <CADMpkcLdSCLb5LzBjufVF4h7X=HFPTgHq4fN+zdc6zrM+ijXaA@mail.gmail.com>
In-Reply-To: <CADMpkcLdSCLb5LzBjufVF4h7X=HFPTgHq4fN+zdc6zrM+ijXaA@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1413569056; bh=CML0IkanPx2bY9vbW+yFF/DFmDHqSZsetvjSc+OkBmo=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=PHNxHAY3sJSlk8mthtRtamHiAvRB6lVf2LCTv1lvKtSMM0i0jU8vS7BtQWnhQ6EyJ dmRvCqTMFsEKcVbeEbxrvzSop9YQGaxGEE8qdktFeROOZXawUYzIhKzYCD7AFxBUjX IcoK5Volr5m/vrjmCMT3c1Qk1JZ9r0phtCvlW/Al0TDIkvH4KO5v0TLRKsZe42EUzj jh/IS7N5pUYjqddVKRJXnI0VafoJRkyT45TWgVtjITuiBwWhMXAgzL/1YRluPev7cz Bzt9RaHHe2/oqsKSTzxNFF4HVvfhTF6nty91xL+m+L5hEYfmwcedd1ivoBBxYml6iJ HU+teTg5lT8cg==
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/MST-koHTL5ow87X7idgFXqDxLjE
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Oct 2014 18:04:19 -0000

On 10/17/2014 06:44 AM, Bodo Moeller wrote:
> Andrey Jivsov <crypto@brainhub.org <mailto:crypto@brainhub.org>>:
>
>     (On handling of the downgrade to a recent versions of the
>     protocols, i.e. TLS1.3 to 1.2 or TLS1.2 to TLS1.1.)
>
>     The draft -00 asks the server supporting TLS 1.2 to fail the TLS
>     1.1 in some cases, while significant amount of traffic on the
>     Internet goes over TLS 1.0.
>
>
> Right. If both the client and the server *do* support TLS 1.2, we want 
> to ensure that they won't unnecessarily fall back to an earlier 
> protocol version (thus losing the benefits of TLS 1.2). If one of them 
> only supports an earlier protocol version, they'll still be using that 
> one -- TLS_FALLBACK_SCSV doesn't get in the way for that.

Yes, but note that the draft requires servers to fail on TLS 1.1 when 
they were not required to do so before.

This is on the backdrop that the downgrade issue is entirely due to some 
client-specific implementation of the protocol negotiation (the 
fallback) and client's view that TLS 1.1 is secure (as a matter of fact, 
they would currently talk SSL3.0 without any warning).

>
>
>     Today, for example, 
>
>     www.wellsfargo.com <http://www.wellsfargo.com/>, citibank.com
>     <http://citibank.com/>, and bankofamerica.com
>     <http://bankofamerica.com/> don't support TLS 1.1 and
>     mozilla.com <http://mozilla.com/> doesn't support TLS 1.2.
>
>
> Note that this isn't the kind of downgrade that TLS_FALLBACK_SCSV is 
> about.
>
> All of the above sites, and indeed most TLS 1.0 sites on the internet, 
> will properly negotiate the supported protocol version. That is, the 
> client can send a Client Hello advertising support for TLS 1.2, and 
> the server will directly respond with a Server Hello selecting TLS 1.0 
> or TLS 1.1. There's no fallback retry in which the client adjusts its 
> advertised protocol version, and thus no need to send TLS_FALLBACK_SCSV.

The reality of the Internet today is that TLS 1.1 is viewed as 
acceptable. Clients treating TLS 1.1 treating it this way too. The draft 
*requires* to introduce a rejection of TLS 1.1 connection on the server 
when the server detects the downgrade.

My point is that downgrades from TLS1.0 to SSL3.0 is one thing but from 
TLS1.3 to TLS1.2 is another.

>
> Also, even if the client *does* retry with a lower protocol version 
> (TLS 1.1 with TLS_FALLBACK_SCSV, or eventually TLS 1.0 with 
> TLS_FALLBACK_SCSV), such as because the initial handshake failed due 
> to some network glitch, these servers would still accept the new 
> handshakes according to the TLS_FALLBACK_SCSV specification. The spec 
> only requires them to reject Client Hellos with TLS_FALLBACK_SCSV if 
> the advertised protocol version is *lower* than the maximum protocol 
> version supported by the client.

If the server supports TLS1.2 and the server sees TLS1.1+SCSV, the 
server MUST fail with inappropriate_fallback. Isn't this is what section 
3 says?

>
>     I propose the following change that allows to do exactly what rev
>     -00 says, but now enables more tolerant server behaviour.
>
>
> As discussed above, I don't see any problem that this change would 
> address.
>
> The spec intentionally gives exact rules for server-side behavior, 
> allowing the *clients* to fully drive the fallback strategy and 
> determine when it's OK to fall back to an earlier protocol version and 
> when it's not (with no server-side heuristics involved).

Servers are often independent nodes on the Internet. Servers may have 
their own policy regarding when it's appropriate to reject a connection 
and, in general, what are the security implications of the version 
downgrade is.

Today, latest popular browsers will happily connect to a SSL3.0 server 
without any indication to a user.

>
> Bodo
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email