Re: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv
Marsh Ray <maray@microsoft.com> Mon, 03 February 2014 22:08 UTC
Forgive me if this has been discussed before; sometimes I have trouble wrapping my head around all this version negotiation stuff.

The draft http://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-01 states:

> All unnecessary protocol downgrades are undesirable (e.g., from TLS
> 1.2 to TLS 1.1 if both the client and the server actually do support
> TLS 1.2); they can be particularly critical if they mean losing the
> TLS extension feature (when downgrading to SSL 3.0).

While this is certainly true, it is also 'undesirable' to increase the rate of spurious handshake failures for clients. So it's a lesser-of-two-evils tradeoff. Absent a plausible attack, an increased rate of total interop failure seems like the more tangible and quantifiable evil.

So what's the attack that this SCSV is trying to solve?

Could someone please give a scenario in which:

A. The legitimate client supports ver > TLS 1.0.
B. The attacker is able to trigger client fallback to ver <= TLS 1.0.
C. *All* servers having the private key for a valid cert support ver > TLS 1.0.
D. The attacker is able to exploit some weakness with the downgraded ver <= TLS 1.0 connection that he can *not* exploit in ver > TLS 1.0.
E. The attacker is *not* able to actually impersonate the legitimate server over this downgraded (ver <= TLS 1.0) connection.

Rationale:

A. The value of this proposal comes when using post-TLS 1.0 aware clients.
B. Obvs.
C. The value of this proposal comes when using post-TLS 1.0 aware servers, but if any legitimate server only supports ver <= TLS 1.0, the attacker can forward the initial connection to that server.
D. Otherwise, what would he gain by the downgrade?
E. If the attacker could successfully impersonate the legitimate server over the downgraded connection, he would simply ignore the SCSV, right?

I don't mean for this to sound like a rhetorical question, I'd just like to see what such a scenario would look like. I'm personally still on the fence about this one.

Thanks,

- Marsh

--------------------------------
My personal opinions only, usual disclaimers apply.
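To make the fallback behaviour under discussion concrete, here is an added Python model (not part of Marsh Ray's post or of the draft) of a browser-style client that retries one version lower after each failed handshake, run against two constructed server stand-ins: a modern SCSV-aware server, and a version-intolerant legacy server that ignores the SCSV, which is the case point C raises. The SCSV value 0x5600 is the one assigned in RFC 7507, the published form of this draft; the server check follows the draft's rule that a fallback hello whose version is below the server's own maximum is rejected with an inappropriate_fallback alert.

```python
"""Model of TLS version fallback with and without the downgrade SCSV.
Added illustration with constructed stand-ins; not the draft's code."""
from dataclasses import dataclass

TLS_FALLBACK_SCSV = 0x5600  # value assigned in RFC 7507, the published draft
SSL30, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
INAPPROPRIATE_FALLBACK = "alert:inappropriate_fallback"


@dataclass
class Server:
    """Constructed stand-in for a TLS server."""
    max_version: int
    scsv_aware: bool = False  # legacy servers ignore unknown suite values
    intolerant: bool = False  # legacy bug: reject hellos above max_version

    def hello(self, client_version, suites):
        if self.intolerant and client_version > self.max_version:
            return "alert:handshake_failure"
        if (self.scsv_aware and TLS_FALLBACK_SCSV in suites
                and client_version < self.max_version):
            return INAPPROPRIATE_FALLBACK  # the draft's server-side check
        return min(client_version, self.max_version)


def connect(server, client_max, dropped=(), send_scsv=True):
    """Client offers client_max, then retries one version lower per failure,
    as browsers do. 'dropped' lists versions whose attempt is lost in
    transit (the kind of failure that triggers fallback). Returns the
    negotiated version (or None) plus the attempt log."""
    log = []
    for version in range(client_max, SSL30 - 1, -1):
        suites = [0x002F]  # TLS_RSA_WITH_AES_128_CBC_SHA, any real suite
        if send_scsv and version < client_max:
            suites.append(TLS_FALLBACK_SCSV)  # marks this hello as a fallback
        if version in dropped:
            log.append((version, "timeout"))
            continue
        result = server.hello(version, suites)
        log.append((version, result))
        if result == INAPPROPRIATE_FALLBACK:
            return None, log  # fatal: server says the downgrade is spurious
        if isinstance(result, int):
            return result, log
    return None, log


if __name__ == "__main__":
    modern = Server(TLS12, scsv_aware=True)
    legacy = Server(TLS10, intolerant=True)
    print(connect(modern, TLS12, dropped={TLS12}))              # rejected
    print(connect(modern, TLS12, dropped={TLS12}, send_scsv=False))  # TLS 1.1
    print(connect(legacy, TLS12))                                # TLS 1.0
```

The second and third calls show the two sides of the tradeoff: without the SCSV a dropped TLS 1.2 handshake silently yields a TLS 1.1 session with a server that supports 1.2, while against the legacy server the SCSV costs nothing because that server never inspects it.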