Re: [TLS] 2nd WGLC: draft-ietf-tls-downgrade-scsv

Bodo Moeller <bmoeller@acm.org> Wed, 26 November 2014 09:36 UTC

Return-Path: <bmoeller@acm.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 852001A86EE for <tls@ietfa.amsl.com>; Wed, 26 Nov 2014 01:36:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.262
X-Spam-Level:
X-Spam-Status: No, score=-0.262 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3NHo8xwxEkCk for <tls@ietfa.amsl.com>; Wed, 26 Nov 2014 01:36:02 -0800 (PST)
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.131]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 191BA1A702F for <tls@ietf.org>; Wed, 26 Nov 2014 01:36:01 -0800 (PST)
Received: from mail-ob0-f182.google.com (mail-ob0-f182.google.com [209.85.214.182]) by mrelayeu.kundenserver.de (node=mreue007) with ESMTP (Nemesis) id 0MDa6j-1XhC8B0MST-00GqSQ; Wed, 26 Nov 2014 10:35:58 +0100
Received: by mail-ob0-f182.google.com with SMTP id m8so1888514obr.13 for <tls@ietf.org>; Wed, 26 Nov 2014 01:35:54 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.182.79.10 with SMTP id f10mr19845426obx.4.1416994554664; Wed, 26 Nov 2014 01:35:54 -0800 (PST)
Received: by 10.60.32.42 with HTTP; Wed, 26 Nov 2014 01:35:54 -0800 (PST)
In-Reply-To: <8FB8D433-184E-41DA-8DBD-E929B9E8E9C2@ieca.com>
References: <8FB8D433-184E-41DA-8DBD-E929B9E8E9C2@ieca.com>
Date: Wed, 26 Nov 2014 10:35:54 +0100
Message-ID: <CADMpkcJWWfEQG-RTAJx-CPr3AONDFO1Bz2FK9RfH2gQsyvEYPw@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="047d7b2e40141460ef0508bfc1a7"
X-Provags-ID: V02:K0:XiTXdvJL3X1Tlot/HRPsFlpwW47c/P23mHfRWUPaWxl V/jm5W9MVfOSWQOhAAyp56l7c3skoAEz9Z3ZjE55Q0UXjxzUor 1edi/IecCt8NTICByTBjS709AkvRc3e0S1oVvNZdxRyYMD48G3 Cy5tnrWwb5+mLqsAYgE6Yk/2TzBYvLLkpQKEVfAZCnhU3Vyxc2 3V5ZjnWP0UDJKfkUW1MPoxrm8DgUSnE25AdMJ1YFmNdJVA2DLs +P8gYX44+L8EmAefaZC+bez3ZoHs8MGoOuajsUxNuPk6nV3lLx IacYuukmWWZJBUbgrM/P1nl48ZpS+rZoRemaYm4o7aD9QKffpi eSRzsuDj8kIMN8YnuHd44RCmijq0R6XS8dh0UUhKUtOSVfba68 e896PrqEDeG6lqHrhmdh/Yrj5uJoRqLXJ06oUWYBtTB93PTmnF DCc4t
X-UI-Out-Filterresults: notjunk:1;
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/NOH1TR1caLyhxQsH62JqOjs-zZo
Subject: Re: [TLS] 2nd WGLC: draft-ietf-tls-downgrade-scsv
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Nov 2014 09:36:05 -0000

Sean Turner <turners@ieca.com>:

This message initiates the 2nd WGLC for draft-ietf-tls-downgrade-scsv-02.
>  Please review the document and send your comments to the list by Friday,
> December 12, 2014.
>
> [...]  The scope of this WGLC is however limited to making sure that the
> text that has been added represents WG consensus.  For example, rehashing
> whether the documented solution should use an extension or cipher suite is
> not in scope of this review.
>

The relevant part from the IETF-91 minutes (
http://www.ietf.org/proceedings/91/minutes/minutes-91-tls)

        Downgrading SCSV
                Very close to finished with WG LC
                Martin Thompson: still questions of how the step-by-step is done
                        Maybe specify what version you tried and failed
                Andrei Popov: Would like this to be an extension
                Ekr (Eric Rescorla): There are only a few things, so
we can just make a few SCSV
                Martin: Already shipped, and is willing to live with
the current limitations
                Ekr: Are we going to break IE if we support this? That
would suck
                Andrei: Can live with the current draft
                Martin: Their numbers show the step-by-step is stupid
                Joe Salowey: Will be another WG LC on this
                More people mentioned other weird cases

The question of doing a step-by-step downgrade or not (as mentioned in
the above) has come up on the list too:

http://www.ietf.org/mail-archive/web/tls/current/msg14579.html
http://www.ietf.org/mail-archive/web/tls/current/msg14591.html
http://www.ietf.org/mail-archive/web/tls/current/msg14596.html

As discussed there, trying protocol version in non-consecutive order
isn't strictly disallowed by or impossible with
draft-ietf-tls-downgrade-scsv-02, although I personally do think that
it is a bad tradeoff and doing a step-by-step downgrade is not stupid
-- see also https://www.ietf.org/jabber/logs/tls/2014-11-13.html:

[19:13:16] <https://www.ietf.org/jabber/logs/tls/2014-11-13.html#19:13:16.934945>
<Bodo Moeller> MIC: If the server does not support the SCSV and you
fall back by accident (network glitch), falling back to TLS 1.1 is
better than to TLS 1.0.

As mentioned before, the point of draft-ietf-tls-downgrade-scsv-02 is
not to specify that or how clients should be doing fallbacks (ideally,
there'd never be a need to), since this involves moving targets --
broken servers --, and all fallback connection attempts will be
equally useless with servers that are current and correct.

The point of this specification is to provide a simple and
easy-to-deploy mechanism to help avoid downgrade attacks *if* clients
choose to fall back to improve interoperability with broken servers. A
detailed discussion of whether and how to fall back necessarily
depends on the deployment status of legacy servers with a specific
application protocol, and so is subject to change across space and
time, and much more complex than would be appropriate for
draft-ietf-tls-downgrade-scsv-02. The UTA WG is considering to create
a BCP document on the fallback dance; see
http://www.ietf.org/proceedings/91/minutes/minutes-91-uta for details.

Bodo