Re: [TLS] Inter-protocol attacks

Bodo Moeller <bmoeller@acm.org> Sat, 09 August 2014 15:48 UTC

Return-Path: <SRS0=Bv73=5D=acm.org=bmoeller@srs.kundenserver.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DEEA1A046B for <tls@ietfa.amsl.com>; Sat, 9 Aug 2014 08:48:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.304
X-Spam-Level:
X-Spam-Status: No, score=0.304 tagged_above=-999 required=5 tests=[FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.668, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V_u__lae4BvZ for <tls@ietfa.amsl.com>; Sat, 9 Aug 2014 08:48:24 -0700 (PDT)
Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.17.13]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0050E1A0468 for <tls@ietf.org>; Sat, 9 Aug 2014 08:48:23 -0700 (PDT)
Received: from mail-yh0-f52.google.com (mail-yh0-f52.google.com [209.85.213.52]) by mrelayeu.kundenserver.de (node=mreue104) with ESMTP (Nemesis) id 0Lj2nG-1WhdsJ0rmQ-00dEDt; Sat, 09 Aug 2014 17:48:21 +0200
Received: by mail-yh0-f52.google.com with SMTP id t59so5015974yho.25 for <tls@ietf.org>; Sat, 09 Aug 2014 08:48:20 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.236.101.138 with SMTP id b10mr26131890yhg.91.1407599300247; Sat, 09 Aug 2014 08:48:20 -0700 (PDT)
Received: by 10.170.129.17 with HTTP; Sat, 9 Aug 2014 08:48:19 -0700 (PDT)
Received: by 10.170.129.17 with HTTP; Sat, 9 Aug 2014 08:48:19 -0700 (PDT)
In-Reply-To: <CACsn0cmrtZm63ao876ryJPV1o-m2f4Mjda-H5JkH8q=Jjbc=qA@mail.gmail.com>
References: <CACsn0cmrtZm63ao876ryJPV1o-m2f4Mjda-H5JkH8q=Jjbc=qA@mail.gmail.com>
Date: Sat, 9 Aug 2014 11:48:19 -0400
Message-ID: <CADMpkcLCVD4eRvSw4jT=0A3gJ+Cyh+_M6OUj3abet6TsJzYmHQ@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary=20cf301b606f47148205003440a5
X-Provags-ID: V02:K0:+Z26dSHQjIhy7Fb2KaEh+4ozJL0Kl2EIv3an18il52v 72WBYgf1tz+ApV6/EKfZETZnPt8PPfNvhDX96D5/bEeCI4nCfl XsGKSPguf0BhlMa3BjRDEkqI56t/OI+zxR9dTfqMOw/Mh+m9bV LbLh201Pl7iOWbHmUSk6vVlJi1UdeGbZHlWiY+3S1vjlqtXDDF SgG7KOzMZJOGB47n6NlubOx22ItrUnHl8BUP7/Z9f6fb/r1bWv ngHU6Sp1Z6EGcc2b069AxnaBh2bckFgn9+x/7hIutJGbn2pG+j PZLIVX0A6w+SEEMHk/bSvDWIniNkjfZaMp1T7lekl54rdwWYmy MN0ZndmoGalP8snCyB/1FavtKtCv9rZ8NO4+fhUAmQuyLWOgOE rHIkhZgPTqLBDQg5KfDbYGrCFoCqodpHjg2GhAmYsgxrQuFHnY /8fFb
X-UI-Out-Filterresults: notjunk:1;
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/UnK5TTiyfuC9USWdObDZnuLxM2U
Cc: tls@ietf.org
Subject: Re: [TLS] Inter-protocol attacks
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Aug 2014 15:51:05 -0000

Falling back to SSL 3.0 can lead to major problems, period.  (SSL 3.0 was
the main motivation for TLS_FALLBACK_SCSV - not this particular attack, but
there are other options.)