IETF Logo Mail Archive

Re: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 24 January 2014 21:26 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 078C81A013C for <tls@ietfa.amsl.com>; Fri, 24 Jan 2014 13:26:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XKWE0bu40f-2 for <tls@ietfa.amsl.com>; Fri, 24 Jan 2014 13:26:36 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id BCB3F1A011F for <tls@ietf.org>; Fri, 24 Jan 2014 13:26:36 -0800 (PST)
Received: from [192.168.23.229] (dsl254-070-154.nyc1.dsl.speakeasy.net [216.254.70.154]) by che.mayfirst.org (Postfix) with ESMTPSA id 3CB82F984 for <tls@ietf.org>; Fri, 24 Jan 2014 16:26:32 -0500 (EST)
Message-ID: <52E2DA85.4010705@fifthhorseman.net>
Date: Fri, 24 Jan 2014 16:26:29 -0500
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.2.0
MIME-Version: 1.0
To: "tls@ietf.org" <tls@ietf.org>
References: <20140124210534.C77871ABCA@ld9781.wdf.sap.corp>
In-Reply-To: <20140124210534.C77871ABCA@ld9781.wdf.sap.corp>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="h6ucqrOobvhhvwTs1GjCaAfkhHJcQhuPI"
Subject: Re: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jan 2014 21:26:39 -0000

On 01/24/2014 04:05 PM, Martin Rex wrote:
> The server is definitely the wrong peer to guess whether
> the client wants to continue or abort TLS handshake.

In the fallback scenario this SCSV is designed to address, the server
normally has no knowledge that the client's prior attempts to connect
with a reasonable protocol version had failed.

By transmitting this SCSV, the client is saying to the server "just so
you know, i tried a better protocol, but it didn't work -- if you meant
to accept better protocols, then someone is messing with us, please abort."

The server knows whether it believes it can accept better protocols, so
it is in the right position to make this call.   I support adoption of
this draft by the WG.

However, there is a risk that clients will offer the SCSV when other
non-version handshake parameters have changed (e.g. different
ciphersuites were offered, or extensions present in normal connections
that are removed in a fallback "compatibility" mode).  I'm assuming that
clients generally don't want to do multiple layers of fallback, each
time testing removing a particular extension or protocol or version or
ciphersuite; instead, i suspect clients will prefer a "normal mode" and
then a lowest-common-denominator "fallback mode".  In this scenario, it
does seem plausible that the SCSV could trigger a connection abort that
otherwise wouldn't happen.  Is there guidance we can give to server or
client implementors to mitigate this risk?

	--dkg

v2.23.0 | Report a Bug | By Email