Re: [TLS] TLSrenego - possibilities, suggestion for SSLv3
Martin Rex <mrex@sap.com> Thu, 12 November 2009 05:12 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8A6FD3A6B9D for <tls@core3.amsl.com>; Wed, 11 Nov 2009 21:12:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.157
X-Spam-Level:
X-Spam-Status: No, score=-6.157 tagged_above=-999 required=5 tests=[AWL=0.092, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tcXBqtO0Rv49 for <tls@core3.amsl.com>; Wed, 11 Nov 2009 21:12:20 -0800 (PST)
Received: from smtpde03.sap-ag.de (smtpde03.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id E7C0A3A6B87 for <tls@ietf.org>; Wed, 11 Nov 2009 21:12:19 -0800 (PST)
Received: from mail.sap.corp by smtpde03.sap-ag.de (26) with ESMTP id nAC5Cjsf006673 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 12 Nov 2009 06:12:45 +0100 (MET)
From: Martin Rex <mrex@sap.com>
Message-Id: <200911120512.nAC5CiIu019763@fs4113.wdf.sap.corp>
To: marsh@extendedsubset.com
Date: Thu, 12 Nov 2009 06:12:44 +0100
In-Reply-To: <4AFB21E8.7040609@extendedsubset.com> from "Marsh Ray" at Nov 11, 9 02:43:20 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal05
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] TLSrenego - possibilities, suggestion for SSLv3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2009 05:12:21 -0000
Marsh Ray wrote: > > Martin Rex wrote: > > I think you might be barking up the wrong tree. > > > > This MITM-susceptibility is _not_ a problem specific to SSLv3. > > It is a problem that affects the entire installed base of > > TLS v1.0, TLS v1.1 and TLS v1.2 in _exactly_ the same fashion. > > Yes, but TLS >= 1.0 can be fixed properly with > https://datatracker.ietf.org/drafts/draft-rescorla-tls-renegotiation/ There is nothing in that draft that prevents its use for SSLv3 > > > As far as upgrading/fixing is concerned: I do _not_ see an issue > > the SSLv3 spec that would prevent the proposed fix to be used > > even for sessions negotiated with protocol version 0x03,0x00. > > SSL 3.0 doesn't seem to allow extensions on Server and Client Hello > messages. That is wrong. The SSLv3 spec has the exact same provisions for TLS extensions as the TLSv1.0 and TLSv1.1 specs. TLS extensions became a standard part of the protocol in TLSv1.2 only. Compare the specs and you will see. > > > The issue of interoperability with that installed base seems to > > have been sufficiently severe, that at least one Browser vendor > > decided to implement a re-connect retry logic with a fallback > > to extension-free SSLv3 ClientHello. > > Maybe that was one of those "we've always done it that way" decisions > that needs to be revisited. Breaking installed base just for the sake of the fun of it sounds like a pretty bad idea. > > The proposed draft-rescorla-tls-renegotiation "RI extension" provides a > solution which restores the security of connections where both endpoints > implement it. > There is probably no way to restore that security without patching both > endpoints. This is a misrepresentation. There is _NO_ known security problem with a full TLS handshake if _no_ renegotiation is performed. I'm perfectly OK with fixing TLS to provide a secure basis for the previously flawed assumptions of several servers, provided that all servers that want to use renegotiation in the future are updated. I have a very significant problem with any recommendation, let alone a requirement to brick perfectly valid and secure installed base that does not contain this TLS enhancement, but also doesn't contain renegotiation and there is not vulnerable. Especially since this is completely unnecessary! > > > Servers performing a traditional SSL handshake is _not_ a security > > problem. > > There are some attacks in which the client sees the renegotiation and > the server only sees one connection. So what? The vulnerability is only an entirely with the part that performs the insecure renegotiation. The reliable fix (without upgrade) is to disable renegotiation of that component. > > > Doing the secure renegotiation through the TLS extension in an > > official renegotiation is not the problem. Fixing means that the > > code will have to be changed. If the change is sufficiently small, > > it can be added with a relative small amount of work to servers > > at all protocol levels, including SSLv3. > > So SSLv3 would be retroactively given hello extensions? Sounds like a > breaking change. Wouldn't it be easier to just use TLS? Huh? SSLv3 is perfectly OK with hello extensions. Btw., quite a lot of sessions established with protocol version SSLv3 (0x03,0x00) might actually be between implementations of TLS that just use conservative defaults because they don't have a reconnect fallback to and extension-less SSLv3 handshake. It would be good to stop confusing people. Adding TLS support to an existing SSLv3 implementation is >5x the work than adding the proposed TLS extension RI. And you're still just as vulnerable. What we need is that the installed base out there needs to discontinue using the insecure renegotiation with TLS. JUST THAT. This means either adding the TLS extension RI or reliably disable renegotiation. Please every stop suggesting upgraded to TLS v1.something. That will cause more harm than good, because it gives a completely wrong impression about what needs to be done. I'm fine with requiring a proper TLS extension in the renegotiation(!) handshake to transfer the verify_data of the finished messages. It's clean and still very simple, and fits SSLv3 just as nicely as it does TLSv1.0. This may even help to make SSLv3 implementations to improve their SSLv3 spec compliance and interop with clients proposing TLS extensions. There may be lots of good reasons why upgrading or completely replacing an implementation of SSLv3 is simply not an option, but adding the TLS extension RI is. -Martin
- [TLS] assert TLSext in renego-ServerHello instead… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] assert TLSext in renego-ServerHello ins… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… David-Sarah Hopwood
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- [TLS] TLSrenego - current summary of semantics an… Martin Rex
- Re: [TLS] TLSrenego - current summary of semantic… Steve Dispensa
- Re: [TLS] TLSrenego - current summary of semantic… Nicolas Williams
- Re: [TLS] TLSrenego - current summary of semantic… Yair Elharrar
- Re: [TLS] TLSrenego - current summary of semantic… Michael D'Errico
- Re: [TLS] TLSrenego - current summary of semantic… Marsh Ray
- Re: [TLS] TLSrenego - current summary of semantic… Nicolas Williams
- Re: [TLS] TLSrenego - current summary of semantic… Martin Rex
- Re: [TLS] TLSrenego - current summary of semantic… Michael D'Errico
- Re: [TLS] TLSrenego - current summary of semantic… Martin Rex
- Re: [TLS] TLSrenego - current summary of semantic… Michael D'Errico
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - current summary of semantic… Pasi.Eronen
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] TLSrenego - possibilities, suggestion f… Yair Elharrar
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] TLSrenego - possibilities, suggestion f… Yair Elharrar
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] TLSrenego - possibilities, suggestion f… Rob P Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Yoav Nir
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - possibilities, suggestion f… Rob P Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Michael D'Errico
- Re: [TLS] TLSrenego - possibilities, suggestion f… Peter Gutmann
- Re: [TLS] TLSrenego - possibilities, suggestion f… Yoav Nir
- Re: [TLS] TLSrenego - possibilities, suggestion f… Peter Gutmann
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] History of extensions Marsh Ray
- Re: [TLS] History of extensions Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] History of extensions Martin Rex
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] History of extensions Eric Rescorla
- [TLS] Protected Renegotiation -- refined proposal Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Michael D'Errico
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] Protected Renegotiation -- refined prop… Martin Rex
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Yoav Nir
- Re: [TLS] assert TLSext in renego-ServerHello ins… Dr Stephen Henson
- Re: [TLS] History of extensions Eric Rescorla
- Re: [TLS] TLSrenego - possibilities, suggestion f… Martin Rex
- Re: [TLS] Protected Renegotiation -- refined prop… Eric Rescorla
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] History of extensions Eric Rescorla
- Re: [TLS] History of extensions Nicolas Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Nasko Oskov
- Re: [TLS] History of extensions Eric Rescorla
- [TLS] Redefine Finished message for TLS 1.3 ? Nelson B Bolyard
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nicolas Williams
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nelson B Bolyard
- Re: [TLS] Redefine Finished message for TLS 1.3 ? David-Sarah Hopwood
- Re: [TLS] History of extensions Martin Rex
- Re: [TLS] Protected Renegotiation -- refined prop… Martin Rex
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nicolas Williams
- Re: [TLS] History of extensions Martin Rex
- Re: [TLS] History of extensions David-Sarah Hopwood
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Michael D'Errico
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Marsh Ray
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- Re: [TLS] Redefine Finished message for TLS 1.3 ? David-Sarah Hopwood
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Marsh Ray
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- [TLS] A crazy idea Michael D'Errico
- Re: [TLS] A crazy idea Marsh Ray
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nelson B Bolyard
- Re: [TLS] A crazy idea Michael D'Errico
- Re: [TLS] Protected Renegotiation -- refined prop… Yoav Nir
- Re: [TLS] A crazy idea Nicolas Williams
- Re: [TLS] TLSrenego - possibilities, suggestion f… Bodo Moeller
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] TLSrenego - possibilities, suggestion f… Joseph Salowey (jsalowey)
- Re: [TLS] A not-so crazy idea Michael D'Errico
- Re: [TLS] TLSrenego - possibilities, suggestion f… Bodo Moeller
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Bodo Moeller
- Re: [TLS] TLSrenego - possibilities, suggestion f… Marsh Ray
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Bodo Moeller
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] A not-so crazy idea Nicolas Williams
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] A not-so crazy idea Yair Elharrar
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] assert TLSext in renego-ServerHello ins… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Marsh Ray
- Re: [TLS] A not-so crazy idea Yoav Nir
- Re: [TLS] assert TLSext in renego-ServerHello ins… Nelson B Bolyard
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] assert TLSext in renego-ServerHello ins… Eric Rescorla
- Re: [TLS] assert TLSext in renego-ServerHello ins… Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello ins… Bodo Moeller
- Re: [TLS] Redefine Finished message for TLS 1.3 ? Nelson Bolyard