IETF Logo Mail Archive

Re: [TLS] simplistic renego protection

David-Sarah Hopwood <david-sarah@jacaranda.org> Thu, 19 November 2009 19:20 UTC

Return-Path: <djhopwood@googlemail.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8AB3B28C112 for <tls@core3.amsl.com>; Thu, 19 Nov 2009 11:20:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fJtvyD927nBL for <tls@core3.amsl.com>; Thu, 19 Nov 2009 11:20:22 -0800 (PST)
Received: from ey-out-2122.google.com (ey-out-2122.google.com [74.125.78.25]) by core3.amsl.com (Postfix) with ESMTP id 217F63A6834 for <tls@ietf.org>; Thu, 19 Nov 2009 11:20:21 -0800 (PST)
Received: by ey-out-2122.google.com with SMTP id 25so614888eya.51 for <tls@ietf.org>; Thu, 19 Nov 2009 11:20:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:subject:references:in-reply-to :x-enigmail-version:content-type; bh=d6ZisDKZ/L5X13l3VgZXYTl6/D/0KRPei+aGw6TFivM=; b=PB2dh7w3QFps55lT0eYu5h/p3+ut1qd6Zao/aJNKLw/doN5RosowrrhXg+Z+MWMCqA hzzHAO2Zh7rKCC2IwJaYXk6zMa1Zf5LQWs1K6CCljDlNKWR3m2A1CiTNW3yU7wpjPPaU DlfKjB8W9PbnWhcIEjM7U0ll/4NsdxQEBssi4=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:subject :references:in-reply-to:x-enigmail-version:content-type; b=xilMuHKsOj1Y7/XZkn1TM06qWLcMQDkkZZ1evmMZXxdxRdHn3Onh8ubKDrQMj2DqSD XyClyqPbt2ZbTe5eEij2kyLghpN+KhE0/O7s2ixEzHFPTQmmQQoQ9Cc2nt1LJVHNqPKB 4qXpbA51GmOX9m6Fy9nGvroBms/jkSCOYttOg=
Received: by 10.213.26.140 with SMTP id e12mr1868549ebc.0.1258658416300; Thu, 19 Nov 2009 11:20:16 -0800 (PST)
Received: from ?192.168.0.2? (5e0212a1.bb.sky.com [94.2.18.161]) by mx.google.com with ESMTPS id 10sm208438eyd.37.2009.11.19.11.20.15 (version=TLSv1/SSLv3 cipher=RC4-MD5); Thu, 19 Nov 2009 11:20:15 -0800 (PST)
Sender: David-Sarah Hopwood <djhopwood@googlemail.com>
Message-ID: <4B059A60.9000003@jacaranda.org>
Date: Thu, 19 Nov 2009 19:20:00 +0000
From: David-Sarah Hopwood <david-sarah@jacaranda.org>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.3) Gecko/20070326 Thunderbird/2.0.0.0 Mnenhy/0.7.5.666
MIME-Version: 1.0
To: tls@ietf.org
References: <200911182000.nAIK0Qkm013905@fs4113.wdf.sap.corp> <4B04A792.7040607@jacaranda.org> <B197003731D4874CA41DE7B446BBA3E829CD28F1@TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com> <4B059716.6010309@jacaranda.org>
In-Reply-To: <4B059716.6010309@jacaranda.org>
X-Enigmail-Version: 0.96.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------enigF7CB0896C98C5924DF4485E9"
Subject: Re: [TLS] simplistic renego protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2009 19:20:23 -0000

David-Sarah Hopwood wrote:
> Nasko Oskov wrote:
>> David-Sarah Hopwood wrote:
>>> Martin Rex wrote:
>>>> There are going to be components out there that will not get patched.  
>>>> They might not implement renegotiation (or have it
>>>> disabled) and they're therefore not even vulnerable.
>>>>
>>>> But we can not simply brick them (deny to talk SSL to them in the 
>>>> future).
>>>>
>>>> So Browsers will likely have to continue to offer an fallback to 
>>>> extension-less ClientHello.
>>> This is a non-sequitur. Lenient clients don't need to send the extension in the
>>> ClientHello of an initial handshake. Strict clients must not be able to talk to
>>> unpatched servers, by definition.
>> I must be misunderstanding the attack. Why is the attack not possible
>> even when client doesn't send the RI extension on initial handshake?
> 
> Because the server knows that the connection is a renegotiation from its
> point of view, and therefore it rejects any handshake that doesn't
> contain the extension.
> 
>> If the MiTM sends a client hello to the server that has no extension, then
>> the server has no way to drop the connection. This will require a strict
>> server to prevent the attack and strict server config will not be reality
>> for a long time. What am I missing?
> 
> That, in the RI approach, strict server config is essential from the start.

Point of clarification: "strict server" here means that the server does
not accept *renegotiations* with an unpatched client. It still accepts
initial handshakes.

A "strict client", OTOH, will refuse to make even initial connections to
an unpatched server. So support for lenient (as well as strict) clients
is certainly necessary, but whether support for lenient servers is needed
is much less clear.

> We haven't yet established whether the ability to support lenient servers
> is a requirement. Eric has argued against allowing that; so have I.
> If lenient servers are allowed, then I think it will take *much* longer
> until the vulnerability is eliminated from most connections.
> 
> Remember, rejecting a renegotiating ClientHello does not necessarily lead
> to an interoperability failure; it only does so if the client will not
> reconnect.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com

v2.23.0 | Report a Bug | By Email