Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard
Bodo Moeller <bmoeller@acm.org> Thu, 22 January 2015 16:47 UTC
Return-Path: <SRS0=bNxw=CJ=acm.org=bmoeller@srs.kundenserver.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A412A1A1ACA for <tls@ietfa.amsl.com>; Thu, 22 Jan 2015 08:47:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.938
X-Spam-Level:
X-Spam-Status: No, score=-0.938 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id inIYqDnI8YXr for <tls@ietfa.amsl.com>; Thu, 22 Jan 2015 08:47:21 -0800 (PST)
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.130]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C98DB1A1AD2 for <tls@ietf.org>; Thu, 22 Jan 2015 08:47:20 -0800 (PST)
Received: from mail-lb0-f182.google.com ([209.85.217.182]) by mrelayeu.kundenserver.de (mreue005) with ESMTPSA (Nemesis) id 0M5Ksl-1XVjZZ0Otj-00za7u for <tls@ietf.org>; Thu, 22 Jan 2015 17:47:18 +0100
Received: by mail-lb0-f182.google.com with SMTP id l4so2554388lbv.13 for <tls@ietf.org>; Thu, 22 Jan 2015 08:47:17 -0800 (PST)
MIME-Version: 1.0
X-Received: by 10.112.150.98 with SMTP id uh2mr2821775lbb.92.1421945237615; Thu, 22 Jan 2015 08:47:17 -0800 (PST)
Received: by 10.25.25.145 with HTTP; Thu, 22 Jan 2015 08:47:17 -0800 (PST)
In-Reply-To: <20150122061132.A0E441B111@ld9781.wdf.sap.corp>
References: <CADMpkc+o4buMKZfDyTtEthaVhbeF=Lyg08J=PQ8u+_+8syCp0A@mail.gmail.com> <20150122061132.A0E441B111@ld9781.wdf.sap.corp>
Date: Thu, 22 Jan 2015 17:47:17 +0100
Message-ID: <CADMpkc+bPdnM27W=Yv2d4=L4cmQoqGnbNJ+TKpb_7_HnMCKk-Q@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="047d7b34329cc73b74050d406c9e"
X-Provags-ID: V03:K0:+RDOUv+p791plXBAJPYTErBjomMwZOb7ZcYHMFASTRB44larIY1 u4t0IYMSZx7VuKwRdmmzETBZ3ka6KQE+l2Oh2HVh3ZlBkD7aGJAnxDzB18c5F5xaEfPse7B oAhILyJ+carxpitfIH04UGl15cdCybY6bBHMYxH/6rT4jPUpoJ1a6eEAHeG/RNZb5Ne+avF JSR8LUVqDqyTROqYhRi9Q==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/NfJNoFjPzrhHkqIJkGFpqkbhHt8>
Subject: Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Jan 2015 16:59:36 -0000
Martin Rex <mrex@sap.com>: [...] > But for the security of the typical web browser, and I'm not currently > aware of any TLS clients other than web browsers that are doing > downgrade dances. I'm not seeing a measurable benefit from fallback-scsv. > > > The real problem, that is a prerequisite to Browser attacks like Poodle > (and BEAST and CRIME predecessors) are > > 1) a browsers aggressive willingness to execute *ANYTHING* from > *ANYWHERE* that looks like active content > > 2) provisioning of a cross-site-request-forgery (CSRF) facility, > where the browser will share/insert the user's authentication > credentials into *EVERY* GET/POST, irrespective where that > request originates > [...] > When (ab)using the browsers CSRF facility directly, rather than for noisy > and boring Poodle, it will be sufficient to piggy-back one single arbitrary > page that the user's browsers happens to load (or can be lured to load). > Yes and no. While it is certainly true that this is an unfortunate problem with the protocols that browsers use today, the kind of cross-site request forgery that you describe is commonly prevented by adding appropriate additional verification tokens (that the attacker couldn't obtain or predict or otherwise caused to be added) into legitimate requests, supplementing the credentials (such as HTTP basic authentication passwords or HTTP cookies) that would also go into the requests caused by the attacker. (Often enough, of course, the need for such protection is missed, or tokens are added but not verified, etc.) With such protection in place, browsers attacks like BEAST and POODLE can undermine the security you'd otherwise achieve. So in the reality of the web today, browser attacks like BEAST and POODLE *are* relevant if they are possible. You might wish that this wasn't the case, but there's certainly no near-term resolution of the basic CSRF issues in sight. [As an aside, note that the "cross-site" jump may be only from http://www.example.com/foo to https://www.example.com/bar if we assume that the attacker controls the network, so it's a "cross--web-origin" attack rather than a "cross-site" attack.] Bodo
- [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-0… The IESG
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Salz, Rich
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Stephen Farrell
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Stephen Farrell
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Hanno Böck
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Yuhong Bao
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Adam Langley
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Andrei Popov
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Watson Ladd
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Brian Smith
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Jeffrey Walton
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Yoav Nir
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Eric Rescorla
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Salz, Rich
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Colm MacCárthaigh
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Yuhong Bao
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Salz, Rich
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Brian Smith
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Salz, Rich
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Xiaoyin Liu
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Yoav Nir
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Xiaoyin Liu
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Yoav Nir
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Xiaoyin Liu
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael D'Errico
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- [TLS] advertizing the minimum TLS supported versi… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Jeffrey Walton
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- Re: [TLS] advertizing the minimum TLS supported v… Michael Clark
- Re: [TLS] advertizing the minimum TLS supported v… Michael Clark
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Hubert Kario
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Henrik Grubbström
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Henrik Grubbström
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Dave Garrett
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Eric Rescorla
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Henrik Grubbström
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Stephen Farrell
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex