Re: [TLS] RFC5746: Renegotiation Indication for minimal servers

Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Wed, 31 August 2016 16:25 UTC

Return-Path: <karthik.bhargavan@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCAD512D1A2 for <tls@ietfa.amsl.com>; Wed, 31 Aug 2016 09:25:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8zZolsSHh0Ko for <tls@ietfa.amsl.com>; Wed, 31 Aug 2016 09:25:50 -0700 (PDT)
Received: from mail-qk0-x236.google.com (mail-qk0-x236.google.com [IPv6:2607:f8b0:400d:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0782612B074 for <tls@ietf.org>; Wed, 31 Aug 2016 09:25:50 -0700 (PDT)
Received: by mail-qk0-x236.google.com with SMTP id z190so56852841qkc.0 for <tls@ietf.org>; Wed, 31 Aug 2016 09:25:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=0nROxjQqwsFOtFaGxlLVkMi9TdfQM4OxZk7lj0GZt0o=; b=x/CNM4XhMloZ3E9aadfn2l83ZjJTUGBBY9TNP0Is3gNLMhkrXYZ38nxoy13ilGLlLq V8KwhBDluslsNMO0aJcx4Dfvc8uUcYqWEgb3QXpb3nYGsi3k315lU8dk86lspDBRvYKm kDFwRj9sTXvN8eM2fw33jcgT8jkOx8CHeH3QMAbnlWXsF16eqWeZNpgcZ6hwcuRwSaCC bEVDeynEqOxSxvg7VGdvKJEBYnvmfs/IzABhkjzTy1Nc1a4BDvfX0S2ehGfJAuff4r0W lPCDFWVrX82l8pHT9YIideXqxOlOiiMzLeoDyp97/+4LDQxkK6ujzP5vGfuRRd4fa07v gHdg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=0nROxjQqwsFOtFaGxlLVkMi9TdfQM4OxZk7lj0GZt0o=; b=UUUZj9U6W/y7m9p41je922BLL/zR8M6LZMGOOWAUHOnKwmsdwuXvu/GY9rbsPLDFic f2TYFHJGsMQf+0+gBKyVE6t1wp71j83C56TDiATqv82FtoO60up1aJBQDOoZNgChhCul 9mNvXxg96kLAR8WyFd1Rg1QvpvkgfBd2QlRsFXsR5x0qBzLdDtYPgM4PHCXx1roAXI9G iVcMCjWZ0bbrUzosxzliTYY66dYT7KCxTrQJh7S5jb9bfkwnwDvc1KjB+K5Bo+m9VEMo uaHBHkPeZtj2lgXURJmD8DiH6nfphPlgITOZ9vP7rKxw1lofdD08uk32dR3UG8lDLsiH sVyA==
X-Gm-Message-State: AE9vXwMTcMp7Grj3rKUPx29wgMGk5/X2BEBBs+BeVFw1G1AkISzdZpSUk1l4XiA3HP38Sg==
X-Received: by 10.55.165.65 with SMTP id o62mr12603274qke.282.1472660749191; Wed, 31 Aug 2016 09:25:49 -0700 (PDT)
Received: from [192.168.0.100] ([71.181.110.73]) by smtp.gmail.com with ESMTPSA id l1sm327371qtd.49.2016.08.31.09.25.48 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 31 Aug 2016 09:25:48 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
In-Reply-To: <CABkgnnV8NkTv6WOQ-MQmHF-7EVnRhdN21rQ1vje=0yyN++PzfA@mail.gmail.com>
Date: Wed, 31 Aug 2016 12:25:47 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <BA5B80C7-089B-4F0D-9E20-E5EDEE64444A@gmail.com>
References: <9edc2222b4e141538875ff62ca3be22e@FE-MBX1015.de.bosch.com> <CACsn0c=GN_f1UhoyzbRATgn_+C-0nK_aqx_MSaY2PnSuKeXcog@mail.gmail.com> <1470148363699.24362@bosch.com> <4ff68fa1-0d8e-ed1e-064c-8bb5bbf5935a@akamai.com> <1470232754152.68803@bosch.com> <52BDE689-120E-4F95-98B9-1D83B1097B2B@sn3rd.com> <CABkgnnV8NkTv6WOQ-MQmHF-7EVnRhdN21rQ1vje=0yyN++PzfA@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/TfiUa3M390augtvUoxH2D7L5LGM>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] RFC5746: Renegotiation Indication for minimal servers
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Aug 2016 16:25:52 -0000

Recall that the original renegotiation attack relied on a client that has no intention
to renegotiate but was still fooled into renegotiating the attackers’s connection to the server.
To prevent this attack, it is essential that the client includes an empty R-I in its client hello.
This negative acknowledgment is as useful as a positive one.

This is particularly true on the client side. A server that does not support renegotiation
may be able to get away with not supporting R-I, but this probably also leads to 
some (weak) attacks.


> On 31 Aug 2016, at 11:21, Martin Thomson <martin.thomson@gmail.com> wrote:
> 
> On 26 August 2016 at 06:43, Sean Turner <sean@sn3rd.com> wrote:
>> Any more thoughts on these?
> 
> I have no problem with implementations that don't use R-I (in either
> extension or SCSV form) if they don't intend to ever renegotiate.  I
> know that that disagrees with RFC 5746, but there you have it.
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls