Re: [TLS] SCSVs and SSLv3 fallback
Joseph Birr-Pixton <jpixton@gmail.com> Fri, 05 April 2013 19:33 UTC
Return-Path: <jpixton@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CD1E21F93CD for <tls@ietfa.amsl.com>; Fri, 5 Apr 2013 12:33:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_12=0.6, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8gyu-mPcE+JU for <tls@ietfa.amsl.com>; Fri, 5 Apr 2013 12:33:30 -0700 (PDT)
Received: from mail-we0-x232.google.com (mail-we0-x232.google.com [IPv6:2a00:1450:400c:c03::232]) by ietfa.amsl.com (Postfix) with ESMTP id B272B21F9390 for <tls@ietf.org>; Fri, 5 Apr 2013 12:33:29 -0700 (PDT)
Received: by mail-we0-f178.google.com with SMTP id z53so3095929wey.37 for <tls@ietf.org>; Fri, 05 Apr 2013 12:33:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:date:message-id:subject:from:to :content-type; bh=Osd+eG7kIsIkg2tllawsZMCohaqfVSylZ/931vArCZ0=; b=Sm2x37vnVjynUB+EBwsKUR53HqK3ZaE/aPIvTELev7OLtlnC6hVMP3jFOn9FJ0i6vy T0yvNDpuIOQqz8XzCDELPjwYdUqCZNXpic1MW4g2xVw5dwaY80IBnSRMyRkw7SpbGvUV Fqin3cA+sx9uXfsh5O1mdIG9vTPGPjY4J9AFFTBmOKwT2WAcIKCezlpt5ezSphmhRPAt kGX8gEsLzfJBJlMKAfruLqf/tBQF8Eq2KKdYhK5Be+va1QPU6vAlttd9veM/OY5eX82m 6vzcImY7aXZHpjFquPbvaUa+JO+NJLoLqJlhdYQaul8xdWch0HlFj18Kd262k7wpPd5t gywA==
MIME-Version: 1.0
X-Received: by 10.194.89.234 with SMTP id br10mr18846405wjb.43.1365190408863; Fri, 05 Apr 2013 12:33:28 -0700 (PDT)
Received: by 10.216.163.195 with HTTP; Fri, 5 Apr 2013 12:33:28 -0700 (PDT)
Date: Fri, 05 Apr 2013 20:33:28 +0100
Message-ID: <CACaGApk0PzeetKgPyy6J-H4u1rcv8Ueegpd7kE_z1+oZMmd-2A@mail.gmail.com>
From: Joseph Birr-Pixton <jpixton@gmail.com>
To: tls@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Subject: Re: [TLS] SCSVs and SSLv3 fallback
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2013 19:33:30 -0000
On Thu, 4 Apr 2013 23:34:02 +0200, Hanno B?ck <hanno@hboeck.de> wrote: > Date: Thu, 4 Apr 2013 23:34:02 +0200 > From: Hanno B?ck <hanno@hboeck.de> > Subject: Re: [TLS] SCSVs and SSLv3 fallback > Message-ID: <20130404233402.6c91a9bf@melee> > Content-Type: text/plain; charset="iso-8859-1" > And it's a serious problem if you're using Server Name > Indication (SNI) for more than one SSL cert on one IP. The "solution" I > found for our case was that I found it tolerable today to disable SSLv3 > on the server side. However, I'm not really happy with that browser > fallback behaviour, it's a serious pitfall for the use of SNI. Worse than that; it's a serious pitfall for users who think they are benefiting from any of the security improvements made since SSL3. For example: I surveyed the alexa top 500 web sites; 321 provide a working SSL or TLS service. 27% chose different security parameters under downgrade conditions. Of those, 81% lost forward secrecy under attacker control. Notably, google.com went from a server authentication key providing ~128 bits of security and ciphersuite providing forward secrecy, to a server authentication key providing ~73 bits of security and no forward secrecy. That is really very, very broken. More relevantly, any sites deploying non-broken AEAD ciphersuites in the near future (while still providing SSL3 service) will still be subject to attacker-controlled downgrade to CBC-mode or RC4 ciphersuites. Cheers, Joe
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Hanno Böck
- Re: [TLS] SCSVs and SSLv3 fallback Geoffrey Keating
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Joseph Birr-Pixton
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Nikos Mavrogiannopoulos
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Paul Hoffman
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Nikos Mavrogiannopoulos
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Adam Langley
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yoav Nir