Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice

Eric Rescorla <ekr@rtfm.com> Sat, 28 November 2020 02:54 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18BB13A0B23 for <tls@ietfa.amsl.com>; Fri, 27 Nov 2020 18:54:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.396
X-Spam-Level:
X-Spam-Status: No, score=-1.396 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, GB_ABOUTYOU=0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zJ2X8z_o1vAS for <tls@ietfa.amsl.com>; Fri, 27 Nov 2020 18:54:22 -0800 (PST)
Received: from mail-lf1-x12a.google.com (mail-lf1-x12a.google.com [IPv6:2a00:1450:4864:20::12a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B87003A0B25 for <tls@ietf.org>; Fri, 27 Nov 2020 18:54:21 -0800 (PST)
Received: by mail-lf1-x12a.google.com with SMTP id j205so9612199lfj.6 for <tls@ietf.org>; Fri, 27 Nov 2020 18:54:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=wdQE4wcTpdrQjR3hS+yl6uuXNGeSVYiLPz1eAg32OIk=; b=C9kpSt6Dfimj3NUdYX75rkn8DNBNiAH2P6gKzeh7yrtCNa0heBKc/82/Y9O5hz0uuk GTCcF54+Iq4NcKcBGMo/aNHZ9AAnlv5eEqfmGddn6hJSAuk8kWDovYnJC4+vzXOxe+Hh j+5FkuC8emXKM+YKy8ZB5IW9rQ/0BqaGKUkTfev7/GlcVd4k55sAZiNE+vWnG69NbGvH hCZimNUJetk8hl9cvvbOGT9in3q7pDlAci7fBWiJA0XNexl1+2vDgapJFr0sKlBHOmnC hxFWGr6BqOHmAlCjbp+PWjehxMeeH5qXKoWir34gEK5BN8SUM4zUAoSGiC9ooF5LcdMd bfhg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=wdQE4wcTpdrQjR3hS+yl6uuXNGeSVYiLPz1eAg32OIk=; b=TDyWxxJ4aE88GH1jwIGkkkDnXOoya04lbjTYPbUBOrwqK5ZDFCW3K0FuoGcapf1uSO 3EMFWrFqvkmbEboOSx/DXykQ7D//LEqHsmjt9z1VrZZJyYjjfqRMGgqlZhk+V4hADIc7 VtSyserO+Xd7b8RCBRMHNmdxHgajy4HhjzsMNgWzT7MrVh0ssmNAbFOAAiRS3d1qA/hs Lx4S4EJYdMj6wu4fLzFrIFWqL3G4CjTRgK11e5aQrjeZj1KtO+KKhf/GkybaxuxeaIHu Ta2ynhfgTnp6ZO/IRTlhFLpf0ikLar6zn/zgtvB5QkL+/yOGev2e5a5Fy6xhC2onmXbF oITQ==
X-Gm-Message-State: AOAM5335eGPZ+I6PK5ubKLt+FzbWv+ivzGux02X+1DxxjgVmqhyR6eX5 rQBzPAyXvnJVY2Qk5Bbdycv7u7zSNCCYec2L462lOn2dxpgODVtN
X-Google-Smtp-Source: ABdhPJzRAOrG+O72ejnpOOMnBWXDE1o1ovB7NzsxptX2/7trLMRVPrh91dnNG0XD5+jdABzP8mBfT54tD9kBIDBdKmE=
X-Received: by 2002:a05:6512:368a:: with SMTP id d10mr5003664lfs.579.1606532059407; Fri, 27 Nov 2020 18:54:19 -0800 (PST)
MIME-Version: 1.0
References: <160496076356.8063.5138064792555453422@ietfa.amsl.com> <49d045a3-db46-3250-9587-c4680ba386ed@network-heretics.com>
In-Reply-To: <49d045a3-db46-3250-9587-c4680ba386ed@network-heretics.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 27 Nov 2020 18:53:43 -0800
Message-ID: <CABcZeBPCccfDuGyZC-y88-dapjWYy57YRWWK3vsFOGM5Bxa+8Q@mail.gmail.com>
To: Keith Moore <moore@network-heretics.com>
Cc: last-call@ietf.org, draft-ietf-tls-oldversions-deprecate@ietf.org, tls-chairs <tls-chairs@ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b8c3eb05b521e462"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/N_a6hqoIOqCGmvKSOHyRB9a99IQ>
Subject: Re: [TLS] [Last-Call] Last Call: <draft-ietf-tls-oldversions-deprecate-09.txt> (Deprecating TLSv1.0 and TLSv1.1) to Best Current Practice
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Nov 2020 02:54:25 -0000

Keith,

Thanks for your note. Most of the general points you raise here were
discussed
when the TLS WG decided to move forward with this draft [0], though
perhaps some of that is not reflected in the text. Of course that
doesn't make this points invalid, so I'll try to summarize my
view of the rationale here.

Your primary objection seems to be this has the effect of creating
interop problems for older implementations that are unable to
upgrade. This is of course true, however I think there are a number of
factors that outweight that.

First, while certainly is problematic that people who have
un-upgraded endpoints will find they cannot connect to modern endpoints,
we have to ask what is best for the ecosystem as a whole, and IMO what
is best for that ecosystem is to upgrade to modern protocols. This
would be true in any case, but is doubly true in the case of COMSEC
protocols: What we want is to be able to guarantee a certain mimimal
level of security if you're using TLS, but having weaker versions in
play makes that hard, and not just for the un-upgraded people because
we need to worry about downgrade attacks. While we have made efforts
to protect against downgrade, the number of separate interacting
versions makes this very difficult to analyze and ensure, and so the
fewer versions in play the easier this is. Asking everyone else to
bear these costs in terms of risk, management, complexity, etc. so
that a few people don't have to upgrade seems like the wrong tradeoff.

Second, it's not clear to me that we're doing the people who have
un-upgraded endpoints any favors by continuing to allow old versions
of TLS. As a practical matter any piece of software which is so old
that it does not support TLS 1.2 quite likely has a number of security
defects (whether in the TLS stack or elsewhere) that make it quite
hazardous to connect to any network which might have attackers on it,
which, as RFC 3552 reminds us, is any network. Obviously, people have
to set their own risk level, but that doesn't mean that we have to
endorse everything they want to do.

Finally, as is often said, we're not the protocol police, so we can't
make anyone turn off TLS < 1.2. However, we need to make the best
recommendation we can, and that recommendation is that people should
not use versions prior to TLS 1.2. If people choose not to comply,
that's of course their right. We were certainly aware at the time
this document was proposed that some people would take longer than
others to comply, but the purpose was to move the ecosystem in the
right direction, which is to say TLS >= 1.2. I believe that a MUST
is more effective than a SHOULD here.

-Ekr

P.S. A few specific notes about your technical points here:

> But some of those embedded devices do support TLS, even if it's old
> TLS (likely with self-signed certs... TLS really wasn't designed to
> work with embedded systems that don't have DNS names.)

This is not correct. TLS takes no position at all on how servers
are authenticated. It merely assumes that there is some way to
validate the certificate and outsources the details to application
bindings. For instance, you could have an IP address cert.


> For newer interactive clients I believe the appropriate action when
> talking to a server that doesn't support TLS >= 1.2 is to (a) warn
> the user, and (b) treat the connection as if it were insecure.  (so
> no "lock" icon, for example, and the usual warnings about submitting
> information over an insecure channel.)

I'm not sure what clients you're talking about, but for the clients
I am aware of, this would be somewhere between a broken experience
and an anti-pattern. For example, in Web clients, because the origin
includes the scheme, treating https:// URIs as http:// URIs will have
all sorts of negative side effects, such as making cookies unavailable
etc. For non-Web clients such as email and calendar, having any
kind of overridable warning increases the risk that people will
click through those warnings and expose their sensitive information
such as passwords, which is why many clients are moving away from
this kind of UI.



[0] The minutes are typically sketchy but you can see that people
were concerned about endpoints having trouble upgrading:
https://datatracker.ietf.org/meeting/102/materials/minutes-102-tls-11

On Fri, Nov 27, 2020 at 4:45 PM Keith Moore <moore@network-heretics.com>
wrote:

> While I agree that TLSv1.0 and TLSv1.1 should be avoided as much as
> possible, I believe this document fails to consider that there are old
> systems that are still in use that cannot be upgraded.   Strict
> implementation of the MUST NOT rules in this document can even prevent
> those systems from being upgraded at all, even when upgrades are
> available.   Strict implementation of the MUST NOT rules in this document
> can also make old embedded systems with built-in servers effectively
> unusable or require the operators of such systems to disable TLS entirely.
>
> In general, it should not be assumed that old systems can be upgraded, or
> that old systems are feasibly replaced with newer systems.   There are
> several reasons for that.
>
>    - One is that operating system vendors sometimes stop supporting old
>    hardware, and client or server software vendors stop supporting old
>    operating systems.
>    - Some platforms are certified for medical use with specific versions
>    of operating systems for which OS or software upgrades would require
>    recertification, and the manufacturers of such systems do not always
>    recertify their platforms with the latest operating systems.
>    - Some embedded systems either do not have provision for firmware
>    upgrades and/or are operated on disconnected networks so that upgrades are
>    cumbersome (and may violate company security policies); those products
>    sometimes do not have the option of firmware updates because there is no
>    revenue stream to support them and they wouldn't be used anyway.  And yet,
>    it's common for embedded systems to be configured, queried, or monitored
>    using HTTP[S].
>    - I have also worked on products for manufacturing environments for
>    which upgrades were forbidden; any firmware upgrade would have required
>    shutting down the assembly line for days and retesting the whole thing.
>    - Finally, sometimes software or firmware "upgrades" take away
>    functionality present in earlier versions, so that the "upgrade" may make
>    that computer useless for its intended purpose.
>
> In general, there are two kinds of problems caused by disabling of TLS
> 1.0/1.1 in implementations:
>
> 1. Old clients cannot talk to newer servers
>
> Again, sometimes clients run on old machines that cannot be upgraded or
> replaced.   When servers refuse to support old TLS versions, an old client
> may refuse to work at all.   It is not always feasible to download the same
> file from a different machine or different client program.
>
> I have seen this happen when trying to upgrade some software on an old
> MacBook Pro.   The software I was trying to download could only be
> downloaded from Apple using Safari on a Mac.   Apple's server would not use
> a version of TLS compatible with the old version of Safari I had, and there
> were no upgrades to that version of Safari.  I tried downloading the
> software from another (non-Apple) computer; the server would not let me do
> so.   I didn't have a more current Mac to use, didn't wish to buy one, and
> the pandemic made using someone else's Mac infeasible.
>
> The best idea I came up with was to set up a web proxy that supported more
> recent versions of TLS, and configure Safari to communicate via that web
> proxy.   But I never found time to do that.
>
> I'm not saying the RFC should be fixed for me, but rather, that I've
> personally experienced a situation that many other people undoubtedly have
> experienced and will experience after publication of this RFC.  (Some
> servers are already following these recommendations.)
>
> I have also worked with systems operated by a major petroleum producer
> (who will remain unamed) who had (unsurprisingly) very elaborate security
> measures.   Their internal networks were inaccessible from outside systems
> except via multiple layers of remote desktop.  So any client software to be
> used had to be software already vetted and installed on their internal
> machines.   But presumably because of the difficulty of vetting new
> software, the only browser available was MSIE 5 [don't remember which
> version of Windows].   (I know this because I had to update product
> software to use GIF files instead of PNG, add some JS polyfills, and avoid
> some HTML5 features, in order to be compatible with their browsers).   I
> cite this only as another example that one cannot reasonably expect all
> client and server to be current, or even nearly so.
>
> In some of these cases (when the client cannot be upgraded) an appropriate
> remedy may be to install a web proxy to allow the old client to communicate
> with the server.   Of course this can still come with risks, including
> perhaps exposure of the network traffic between the client and the web
> proxy.
>
> In other cases, server operators might do well to consider whether, for
> their specific users, services, and content, TLS >= 1.2  is really an
> appropriate constraint to impose.   For example the ietf.org web server
> is currently supporting older versions of TLS in order to make IETF
> documents as widely available as possible, even on legacy systems.  IMO,
> that practice makes sense given IETF's mission and the fact that all of the
> documents on that server are intended to be publicly available.
>
> (though if other services besides document download are provided on the
> same server, particularly if they use password-over-TLS authentication,
> either requiring a higher version of TLS for those services, or hosting
> those services on a different server that does require >= TLS 1.2, might
> make good sense)
>
>
> 2. Newer clients cannot talk to old servers
>
> Perhaps naively, I assume that most servers reachable via the public
> Internet are upgradeable, and can/should be upgraded to support at least
> TLS 1.2.  Certainly I would recommend against  exposing any server to the
> public Internet, for which security upgrades are not routinely provided.
> So I'm *not* talking about those servers here.
>
> My concern here is with embedded systems that support HTTPS for
> configuration, monitoring, or control of industrial hardware.   The
> security concerns are both very real (monitoring/controlling vital
> manufacturing or infrastructure and/or with potential risk to human lives)
> and often (unfortunately) not given proper regard.   Frankly, most
> operators of such systems probably use (non-TLS) HTTP or other cleartext
> interfaces to configure, monitor, and/or control such devices, and rely on
> the illusion of a completely disconnected network to let them sleep at
> night.   But some of those embedded devices do support TLS, even if it's
> old TLS (likely with self-signed certs... TLS really wasn't designed to
> work with embedded systems that don't have DNS names.)   Again, upgrades
> may be unavailable, or infeasible, for many of these embedded devices.
>
> Client programs in such environments may be a mixture of web browsers
> and/or dedicated special-purpose clients (which may be interactive or
> non-interactive) or proxies (e.g. to adapt a proprietary interface to
> something like OPC-UA).   If the client can just keep using old systems
> with old web browsers, they can keep using those browsers to
> control/configure/monitor those embedded devices, but if the client system
> is replaced with newer hardware and a newer OS and browser, this may
> fail.   For special-purpose clients the situation is slightly different -
> the vendors of those clients will presumably be aware of the limitations of
> the embedded systems they talk to - but deprecating TLS 1.0 and 1.1 from
> libraries may make support more difficult.
>
> For newer interactive clients I believe the appropriate action when
> talking to a server that doesn't support TLS >= 1.2 is to (a) warn the
> user, and (b) treat the connection as if it were insecure.  (so no "lock"
> icon, for example, and the usual warnings about submitting information over
> an insecure channel.)
>
> For newer non-interactive clients an appropriate action might be to permit
> the client to refuse TLS < 1.2 by default but be explicitly configurable to
> use earlier versions.
>
> For web browsers, the use of browser plugins might permit the occasional
> use of TLS < 1.2 (since most users won't need it) without the increased
> attack surface for every user.   A web proxy might also work as a solution
> for web browsers and some other http clients.
>
>
> 3.  Fixes to the draft
>
> I believe the draft needs to explicitly discuss some of these cases, and
> suggest workarounds for such cases, rather than simply say "MUST NOT".
> IMO the best result from saying "MUST NOT" is that IETF security documents
> will be more likely to be disregarded since they're making poor
> recommendations for many cases.   That's not good, but worse results are
> also possible, including that the effect of these recommendations will be
> to actually reduce security for many operations, at least in the short term.
>
> I realize that "MUST NOT" is attractive because it is simple and clear
> language, and that "SHOULD NOT" (even though it's the right language per
> 2119 definitions) may be seen as allowing too much weasel room.   I'm not
> sure how best to address that.   "MUST NOT... except..." could also be
> confusing.   Saying "MUST NOT" but also discussing exceptions in the
> document may be seen as conflicting or confusing.   I don't have a strong
> opinion about how to resolve that dilemma, but I do think some exceptional
> cases should be acknowledged somehow.   (or maybe in a separate RFC?)
>
> There are probably other cases that I haven't considered.  It's easy to
> make the mistake of assuming that every application that uses TLS is like
> the web (e.g. interactive), but of course that's not the case.    The Right
> Thing to do for an SMTP client relaying mail, for example, is probably to
> use the highest TLS version supported by the server, rather than disconnect
> the SMTP session and resend the message as cleartext.    Even SSL 1.0 seems
> better than cleartext in that case.   Of course, the client could bounce
> the message, but given that the common expectation is that mail will be
> relayed in cleartext if necessary, bouncing seems like the Wrong Thing to
> do absent an originator-specified requirement for hop-by-hop encryption.
>
> Similarly if a user is trying to read his/her mail from an old mobile
> phone, should that user's ability to read mail cease to work because the
> mail server now requires TLS 1.2 or better?    Old phones don't necessarily
> have upgrades available.   And while a lot of cellular networks actively
> encourage upgrading of old phones by pessimizing their service (newer
> phones may make better use of radio bandwidth and/or support more
> frequencies), I am not in a position to say what works for the entire
> world.   I have heard that old phones are still usable, and in demand, in
> many countries.
>
>
> 4.  Future
>
> This is out of scope for this draft, but I also believe that these kinds
> of compatibility issues may need to be analyzed every time the IETF
> recommends to deprecate something.
>
>
> Keith
>
> --
> last-call mailing list
> last-call@ietf.org
> https://www.ietf.org/mailman/listinfo/last-call
>