Re: [TLS] An SCSV to stop TLS fallback.

mrex@sap.com (Martin Rex) Sat, 07 December 2013 04:22 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A83401AE1BF for <tls@ietfa.amsl.com>; Fri, 6 Dec 2013 20:22:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.552
X-Spam-Level:
X-Spam-Status: No, score=-6.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x65TZTc50six for <tls@ietfa.amsl.com>; Fri, 6 Dec 2013 20:22:39 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id D90251AE00D for <tls@ietf.org>; Fri, 6 Dec 2013 20:22:38 -0800 (PST)
Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id rB74MW0S025196 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 7 Dec 2013 05:22:32 +0100 (MET)
In-Reply-To: <52A21B4B.2000301@fifthhorseman.net>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Sat, 7 Dec 2013 05:22:32 +0100 (CET)
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20131207042232.3498C1AB40@ld9781.wdf.sap.corp>
From: mrex@sap.com (Martin Rex)
X-SAP: out
Cc: IETF TLS WG <tls@ietf.org>
Subject: Re: [TLS] An SCSV to stop TLS fallback.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Dec 2013 04:22:41 -0000

Daniel Kahn Gillmor wrote:
> On 12/06/2013 01:25 PM, Martin Rex wrote:
>>
>> So the use of the TLS_FALLBACK_SCSV will either *NOT* affect the rest
>> of the TLS protocol not at all, or cause a fatal handshake failure.
>> And very few, if any at all, of the situations where the handshake fails,
>> will be instances of an active attack.
> 
> This is probably also true of X.509 certificate validation failure as
> well, since there are more self-signed or expired certificates in active
> use than there are active MITM attackers.  Are you suggesting that TLS
> would be better off not checking certificate validity?

When both peers manage to signal to each other that they could
have done better, why moaning, failing and annoying the user,
when those peers could simply *USE* those better features instead.


> 
> > And it remains extremely
> > questionable, when the handshake would succeed, that the attacker
> > will gain anything at all.
> 
> What the attacker can gain presumably depends on what features the
> client is willing to sacrifice during fallback.  Presumably, the client
> gives up specific features of the newer versions: e.g. AEAD, when
> falling back below TLS 1.2, or possibly all TLS extensions for fallback
> all the way to SSLv3 (to accomodate old extension-intolerant SSLv3 servers).
> 
> It looks like you're saying that none of these more modern features are
> useful tools in defending against an active attacker.  Do you really
> think that?


I really think that trying to reduce the large scale of grey into
a binary black/white guess by the server about what the client
_might_ deem appropriate is doomed to fail.

If the client wants to make a conscious security trade-off decision
about what features it is willing to sacrifice to obtain interoperability,
then it is the _client_ which should perform the decision.  And in case
of a client operated by a human user (such as a web browser), that
trade-off might involve asking the user.

The server doesn't know anything about the client's motivation,
nothing about the actual request that the client is intending to
submit and nothing about the trade-off that the client would
be willing to perform (rather than fail).


Btw. AES128-CBC-SHA1 is more secure than AES128-GCM/-CCM, so the only
thing the client might be "loosing" is a little performance, and
that AEAD can not currently be negotiated and used unless
ClientHello.client_version is set to { 0x03, 0x03 } is a silly defect
of the specification(s) that could be easily fixed.

Btw. am I reading this page correctly:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa374757%28v=vs.85%29.aspx

Does Microsoft limit AES-GCM really to ECDHE_ECDSA on Win7 and Win8
i.e. unavailable with ECDHE_RSA ?


-Martin