IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

Nikos Mavrogiannopoulos <nmav@redhat.com> Mon, 20 October 2014 17:20 UTC

Return-Path: <nmavrogi@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B0401A8032 for <tls@ietfa.amsl.com>; Mon, 20 Oct 2014 10:20:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id krQ4Tkq6LOua for <tls@ietfa.amsl.com>; Mon, 20 Oct 2014 10:20:43 -0700 (PDT)
Received: from mx3-phx2.redhat.com (mx3-phx2.redhat.com [209.132.183.24]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6BE71A87E1 for <tls@ietf.org>; Mon, 20 Oct 2014 10:18:14 -0700 (PDT)
Received: from zmail22.collab.prod.int.phx2.redhat.com (zmail22.collab.prod.int.phx2.redhat.com [10.5.83.26]) by mx3-phx2.redhat.com (8.13.8/8.13.8) with ESMTP id s9KHICsu004444; Mon, 20 Oct 2014 13:18:12 -0400
Date: Mon, 20 Oct 2014 13:18:11 -0400
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: Bodo Moeller <bmoeller@acm.org>
Message-ID: <460682079.47331533.1413825491684.JavaMail.zimbra@redhat.com>
In-Reply-To: <CADMpkc+C269mpomY7CWF0UNyRh5V9jdqMq59ZqdJ8Z9CMNiuBQ@mail.gmail.com>
References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com> <543FCC90.7020408@polarssl.org> <1413468247.17221.8.camel@dhcp-2-127.brq.redhat.com> <CADMpkcLf+p5J600gueqzKec4nKuo78Xrr-auW+fyapuqM13Z4w@mail.gmail.com> <1413805668.2597.10.camel@dhcp-2-127.brq.redhat.com> <CADMpkcJZ_rm5U+vKoUdX03Jbotbf4zeJoVU=KB3CSJg=tX05fQ@mail.gmail.com> <1413807699.2597.14.camel@dhcp-2-127.brq.redhat.com> <CADMpkc+C269mpomY7CWF0UNyRh5V9jdqMq59ZqdJ8Z9CMNiuBQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.5.82.7]
X-Mailer: Zimbra 8.0.6_GA_5922 (ZimbraWebClient - FF29 (Linux)/8.0.6_GA_5922)
Thread-Topic: Working Group Last Call for draft-ietf-tls-downgrade-scsv-00
Thread-Index: f2ZW4uHMH2hDn/pTLT0JyZPaAP/CkQ==
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/Tq_CobcXdWmXJMWuAhz2lsDOR6U
Cc: tls@ietf.org
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Oct 2014 17:20:45 -0000

> > It certainly makes sense to fix those broken servers. I disagree with
> > > fixing them *instead* of deploying TLS_FALLBACK_SCSV; I think that's a
> > > false dichotomy. If you are willing to stop fallback retries in the
> > > client products that Red Hat distributes right now, great (do you?),
> > > but clearly not everyone is willing to take that step at this time.
> > > Until it has happened, clients already can benefit from
> > > TLS_FALLBACK_SCSV.
> > I disagree. It is a correct dichotomy :) If the servers are fixed, there
> > is no use for the fallback SCSV, as clients would not need to perform
> > the insecure fallback.
> True, but clearly they aren't fixed *now*, and more importantly, various
> current clients *do* still find it necessary to use fallback retries to
> work with such servers.
> I agree that TLS_FALLBACK_SCSV is hypothetically pointless :-)

No, not only pointless, it gives the broken servers an incentive to continue
being broken. With this change, clients still consider the servers that
require a downgrade dance secure. Why should that be the case? Why for example
chrome or firefox doesn't warn on these servers? They are certainly not
secure.

If the draft should mention that a compliant to SCSV interactive client MUST
warn the user in case of a fallback dance, then yes, I would agree that the
draft is a step forward. I believe the goal must be the elimination of 
non-compliant servers, not only to patch things up until the next attack.

> As of the argument that clients would be protected from the SCSV, that
> > only works if both the clients _and_ the servers are updated to support
> > the fallback SCSV. Why is that step necessary, if we can instead fix the
> > clients and the servers to properly negotiate TLS?
> Using the SCSV already helps if *some* servers have been updated to support
> it: connections to these servers, at least, will be more secure. For other
> servers, you get what you have now.

I agree on that, but the issue there is that we tolerate non-TLS compliant
servers and we consider them equally secure, even though your attack shows
that they are not.

regards,
Nikos

v2.23.0 | Report a Bug | By Email