Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard

Bodo Moeller <> Thu, 22 January 2015 16:47 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id A412A1A1ACA for <>; Thu, 22 Jan 2015 08:47:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.938
X-Spam-Status: No, score=-0.938 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id inIYqDnI8YXr for <>; Thu, 22 Jan 2015 08:47:21 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C98DB1A1AD2 for <>; Thu, 22 Jan 2015 08:47:20 -0800 (PST)
Received: from ([]) by (mreue005) with ESMTPSA (Nemesis) id 0M5Ksl-1XVjZZ0Otj-00za7u for <>; Thu, 22 Jan 2015 17:47:18 +0100
Received: by with SMTP id l4so2554388lbv.13 for <>; Thu, 22 Jan 2015 08:47:17 -0800 (PST)
MIME-Version: 1.0
X-Received: by with SMTP id uh2mr2821775lbb.92.1421945237615; Thu, 22 Jan 2015 08:47:17 -0800 (PST)
Received: by with HTTP; Thu, 22 Jan 2015 08:47:17 -0800 (PST)
In-Reply-To: <>
References: <> <>
Date: Thu, 22 Jan 2015 17:47:17 +0100
Message-ID: <>
From: Bodo Moeller <>
To: "" <>
Content-Type: multipart/alternative; boundary="047d7b34329cc73b74050d406c9e"
X-Provags-ID: V03:K0:+RDOUv+p791plXBAJPYTErBjomMwZOb7ZcYHMFASTRB44larIY1 u4t0IYMSZx7VuKwRdmmzETBZ3ka6KQE+l2Oh2HVh3ZlBkD7aGJAnxDzB18c5F5xaEfPse7B oAhILyJ+carxpitfIH04UGl15cdCybY6bBHMYxH/6rT4jPUpoJ1a6eEAHeG/RNZb5Ne+avF JSR8LUVqDqyTROqYhRi9Q==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: <>
Subject: Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 22 Jan 2015 16:59:36 -0000

Martin Rex <>:

> But for the security of the typical web browser, and I'm not currently
> aware of any TLS clients other than web browsers that are doing
> downgrade dances.  I'm not seeing a measurable benefit from fallback-scsv.
> The real problem, that is a prerequisite to Browser attacks like Poodle
> (and BEAST and CRIME predecessors) are
>    1) a browsers aggressive willingness to execute *ANYTHING* from
>       *ANYWHERE* that looks like active content
>    2) provisioning of a cross-site-request-forgery (CSRF) facility,
>       where the browser will share/insert the user's authentication
>       credentials into *EVERY* GET/POST, irrespective where that
>       request originates

> When (ab)using the browsers CSRF facility directly, rather than for noisy
> and boring Poodle, it will be sufficient to piggy-back one single arbitrary
> page that the user's browsers happens to load (or can be lured to load).

Yes and no.  While it is certainly true that this is an unfortunate problem
with the protocols that browsers use today, the kind of cross-site request
forgery that you describe is commonly prevented by adding appropriate
additional verification tokens (that the attacker couldn't obtain or
predict or otherwise caused to be added) into legitimate requests,
supplementing the credentials (such as HTTP basic authentication passwords
or HTTP cookies) that would also go into the requests caused by the
attacker.  (Often enough, of course, the need for such protection is
missed, or tokens are added but not verified, etc.)

With such protection in place, browsers attacks like BEAST and POODLE can
undermine the security you'd otherwise achieve.  So in the reality of the
web today, browser attacks like BEAST and POODLE *are* relevant if they are
possible.  You might wish that this wasn't the case, but there's certainly
no near-term resolution of the basic CSRF issues in sight.

[As an aside, note that the "cross-site" jump may be only from to if we assume that
the attacker controls the network, so it's a "cross--web-origin" attack
rather than a "cross-site" attack.]