Re: [TLS] An SCSV to stop TLS fallback.

Adam Langley <agl@google.com> Wed, 27 November 2013 16:14 UTC

MIME-Version: 1.0
In-Reply-To: <CADMpkcLRNmmoMOpJ9QVFPMEbpSyu39afipWUv4Du-assHoC1rw@mail.gmail.com>
References: <CAL9PXLzWPY5o2SeV=kUPWxznkw+3cmpbMpYifCebfqd48VW9UA@mail.gmail.com> <CACsn0ckuupJaNKXGjP63LfZiDsV5FLOqfk902O9i1oheqtAAhA@mail.gmail.com> <CAL9PXLxueY_k0XWgTrqVxqXDgvCRhAW5UEa8YjU9_rnuZ6otTA@mail.gmail.com> <CAL2p+8TXJVmnb-v3xH6uzW+rpZ+v8J65TjO32__O3ZofQiwSig@mail.gmail.com> <CAL9PXLwKxF14CUNmN=-P6mhcr+xcGw0_Aaq7amdBXZKUsrKsKA@mail.gmail.com> <CADMpkcLRNmmoMOpJ9QVFPMEbpSyu39afipWUv4Du-assHoC1rw@mail.gmail.com>
From: Adam Langley <agl@google.com>
Date: Wed, 27 Nov 2013 11:13:30 -0500
Message-ID: <CAL9PXLx0+bYn_KXKhvFz=D_jXfctdVihaXnj=SqB6EeEqRLOSg@mail.gmail.com>
To: Bodo Moeller <bmoeller@acm.org>
Content-Type: text/plain; charset="UTF-8"
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] An SCSV to stop TLS fallback.
Precedence: list

On Wed, Nov 27, 2013 at 6:40 AM, Bodo Moeller <bmoeller@acm.org> wrote:
> Writing the I-D, I realized that it would be a pity if, in case a need came
> up to implement similar fallback strategies when deploying future protocol
> versions, you'd have to wait for *another* document to specify *another*
> SCSV to be able to prevent new protocol downgrade attacks, such as from TLS
> 1.3 to TLS 1.2.  Ideally all servers implementing
> TLS_FALLBACK_SCSV/TLS_DOWNGRADE_SCSV would be fully version tolerant, but
> obviously tolerance for *future* protocol versions is not a server feature
> normally exercised in practice -- so to cope with the "Universal Rule of
> Users", we'll have to assume that some servers may be around that aren't
> fully version tolerant, while working perfectly as far as said Users are
> concerned.  Hence the server logic to compare the client's protocol version
> to the server's supported protocol version: if the client is falling back to
> the server's highest supported protocol, that's not a malicious protocol
> downgrade.

Ah, I understand now, thanks. That's a good point, I'll do that.


Cheers

AGL

Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
[TLS] An SCSV to stop TLS fallback. Adam Langley
Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
Re: [TLS] An SCSV to stop TLS fallback. Andy Wilson
Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
Re: [TLS] An SCSV to stop TLS fallback. Trevor Perrin
Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
Re: [TLS] An SCSV to stop TLS fallback. Trevor Perrin
Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
Re: [TLS] An SCSV to stop TLS fallback. Brian Smith
Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
Re: [TLS] An SCSV to stop TLS fallback. Jack Lloyd
Re: [TLS] An SCSV to stop TLS fallback. Manger, James H
Re: [TLS] An SCSV to stop TLS fallback. Wan-Teh Chang
Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
Re: [TLS] An SCSV to stop TLS fallback. Wan-Teh Chang
Re: [TLS] An SCSV to stop TLS fallback. Manuel Pégourié-Gonnard
Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
Re: [TLS] An SCSV to stop TLS fallback. Marsh Ray
Re: [TLS] An SCSV to stop TLS fallback. Douglas Stebila
Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
Re: [TLS] An SCSV to stop TLS fallback. James Cloos
Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
Re: [TLS] An SCSV to stop TLS fallback. Manuel Pégourié-Gonnard
Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
Re: [TLS] An SCSV to stop TLS fallback. Marsh Ray
Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
Re: [TLS] An SCSV to stop TLS fallback. Daniel Kahn Gillmor
Re: [TLS] An SCSV to stop TLS fallback. Brian Smith
Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
Re: [TLS] An SCSV to stop TLS fallback. Yaron Sheffer
Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
Re: [TLS] An SCSV to stop TLS fallback. Yaron Sheffer
Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
Re: [TLS] An SCSV to stop TLS fallback. Manuel Pégourié-Gonnard
Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller