Re: [TLS] Non-extension solutions (requirements)
Martin Rex <mrex@sap.com> Sun, 15 November 2009 21:30 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A98643A6A10 for <tls@core3.amsl.com>; Sun, 15 Nov 2009 13:30:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.206
X-Spam-Level:
X-Spam-Status: No, score=-5.206 tagged_above=-999 required=5 tests=[AWL=0.210, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4, SARE_OBFU_CODEINE=0.833]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id glMIwjOUmkSz for <tls@core3.amsl.com>; Sun, 15 Nov 2009 13:30:50 -0800 (PST)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 6472C3A6A07 for <tls@ietf.org>; Sun, 15 Nov 2009 13:30:50 -0800 (PST)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id nAFLUiXe013590 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 15 Nov 2009 22:30:45 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200911152130.nAFLUiIP022845@fs4113.wdf.sap.corp>
To: nelson@bolyard.me
Date: Sun, 15 Nov 2009 22:30:44 +0100
In-Reply-To: <4B00662E.1020506@bolyard.me> from "Nelson B Bolyard" at Nov 15, 9 12:35:58 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] Non-extension solutions (requirements)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Nov 2009 21:30:51 -0000
Nelson B Bolyard wrote: > > On 2009-11-14 19:46 PDT, Marsh Ray wrote: > > > > === R5. Not using an extension to implement the fix. > > > > Currently there are no examples of extensions used in a critical role > > between interoperable systems, even where there would be significant > > gain (financial and otherwise) from their use (e.g., SNI). An urgent > > security-critical bug fix is absolutely not the place for blazing new > > trails. > > > > It appears that somewhere between 20% and 40% of current SSL/TLS traffic > > is between systems that either preferred not to (or could not) use TLS > > 1.0 with extensions. > > The same logic kept some browsers from disabling SSLv2 for years. Flawed comparison. SSLv2 known security problems. SSLv3 does not. SSL renegotiation has a problem, but across the board from SSLv3 all the way to TLSv1.2. > > There will ALWAYS be companies who procrastinate as long as possible on > any software upgrades. Let's not let them dictate how we fix TLS. > Let's do the right thing here, even if it means forcing some to upgrade. That would be extremely poor engineering. We are perfectly able to provide a solution that can be applied to all protocol versions out there, SSLv3, TLSv1.0, TLSv1.1, TLSv1.2. Designing the fix so that adding it to SSLv3 is much harder than for TLSv1.2 is irresponsible. > > > === R6. The fix must work for SSLv3. > > What does that mean? > > - Does it mean devising a "fix" for SSLv3 that allows patched but still > SSLv3-only clients to safely renegotiate with patched but still SSLv3-only > servers? It means that secure renegotiation should also be used when both peers negotiation protocol version 0x03.0x00. If the fix does not do that, then the fix is not a fix, but another failure. > > That's what they said about SSL2. > > > Even software that does support newer versions of the protocol will > > often fall back to SSLv3 at the first sign of trouble. Any fix which > > does not address SSLv3 can simply be bypassed by the attacker > > I think you're assuming that the browsers will decide that continued > interoperability with the old vulnerable servers is more desirable that > being able to claim that their browsers are invulnerable to this attack. > I tend to assume the opposite. This is ridiculous. Browser vendors added the fallback renegotiation not because they had too much time on their hands. They wanted to use TLS extension SNI or newer TLS versions and encountered severe interop issues. The TLS WG can easily devise a fix for secure TLS renegotiation that will work even during the fallback, and that can be hotfixed into the entire installed base immediately with an extremely low probability of breaking interoperability. I also would try to get a client-side fix to our customers in 2-3 weeks if it does NOT use extensions. (we don't support renegotiation on the server, so adding the signaling to the initial Handshake is all I have to do for the server). If the TLS WG ships the TLS extension RI, then it will be several months before I will be shipping anything for the client side, because I first will need to think about solutions for the interop problems that will arise and how to make the client-side behaviour configurable (which requires changes to all applications). An extension-less Client->Server Signaling on initial handshake is something that I would risk shipping immediately without a configuration option, taking care about interop problems when they're reported. > > Now, that perception may be changing (may have already changed), a LOT. Huh? What are you refering to? Those that moved to newer implementations and started to rely on renegotiation in their Website structure are now the ones who suffer the most. > > > === R7. The fix must be easy to merge across existing code branches. > > Sorry, that presumes reasonable development practices have been followed > in the creation of those branches. I think this is at best a highly > desirable thing, not a requirement. That is a pretty significant and realistic requirement. In particular, if you have several different code lines providing different protocol levels of TLS, then a fix where 90% of the code changes is the same for all code lines is much better than one that needs to be individually developed for every codeline. Therefore devising the fix so that is requires minimal changes for the oldest implementation affected by this protocol defect (SSLv3) is the most reasonable approach to fixing that defect. > > > === R9. Must interoperate perfectly with unpatched systems. > > Again, what does that mean? > Does it mean that a patched client connects without hesitation to an > unpatched and vulnerable server, thereby falling victim to the attack? It means that if the fix is designed in a fashion that it can be used by clients at all protocol levels, even SSLv3 immediately with an extremely low probability of breaking existing usage scenarios (and that DOES INCLUDE servers that are still unpatched), then we will see by far the quickest adoption of the update. -Martin
- Re: [TLS] Non-extension solutions (requirements) Martin Rex
- [TLS] Non-extension solutions (requirements) Marsh Ray
- Re: [TLS] Non-extension solutions (requirements) Eric Rescorla
- Re: [TLS] Non-extension solutions (requirements) Eric Rescorla
- Re: [TLS] Non-extension solutions (requirements) Nelson B Bolyard
- Re: [TLS] Non-extension solutions (requirements) Marsh Ray
- Re: [TLS] Non-extension solutions (requirements) Nelson B Bolyard
- Re: [TLS] Non-extension solutions (requirements) Bodo Moeller
- Re: [TLS] Non-extension solutions (requirements) Bodo Moeller
- Re: [TLS] Non-extension solutions (requirements) Martin Rex
- Re: [TLS] Non-extension solutions (requirements) Marsh Ray
- Re: [TLS] Non-extension solutions (requirements) Bodo Moeller
- Re: [TLS] Non-extension solutions (requirements) Martin Rex
- Re: [TLS] Non-extension solutions (requirements) Marsh Ray
- Re: [TLS] Non-extension solutions (requirements) Bodo Moeller
- Re: [TLS] Non-extension solutions (requirements) Eric Rescorla
- Re: [TLS] Non-extension solutions (requirements) Eric Rescorla
- Re: [TLS] Non-extension solutions (requirements) Eric Rescorla
- Re: [TLS] Non-extension solutions (requirements) Marsh Ray
- Re: [TLS] Non-extension solutions (requirements) Eric Rescorla
- Re: [TLS] Non-extension solutions (requirements) Michael D'Errico
- Re: [TLS] Non-extension solutions (requirements) David-Sarah Hopwood
- Re: [TLS] Non-extension solutions (requirements) David-Sarah Hopwood
- Re: [TLS] Non-extension solutions (requirements) Chris Newman
- Re: [TLS] Non-extension solutions (requirements) Simon Josefsson
- Re: [TLS] Non-extension solutions (requirements) David-Sarah Hopwood
- Re: [TLS] Non-extension solutions (requirements) Simon Josefsson
- Re: [TLS] Non-extension solutions (requirements) David-Sarah Hopwood
- Re: [TLS] Non-extension solutions (requirements) Simon Josefsson
- Re: [TLS] Non-extension solutions (requirements) Rob P Williams