Re: [TLS] The TLS_FALLBACK_SCSV time bomb (was: Re: Working Group Last Call for draft-ietf-tls-downgrade-scsv-00)

Yoav Nir <ynir.ietf@gmail.com> Tue, 21 October 2014 15:28 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/tls/WMITgRSOOYTz5i8x4fOg3BaEPAQ

> On Oct 21, 2014, at 5:36 PM, Martin Rex <mrex@sap.com> wrote:
> 
> Andrei Popov wrote:
>> 
>>> Oh, and given your affiliation, I was tempted to add:
>>> "So Microsoft are planning to roll out an update to Windows XP then?" :-).
>> 
>> Hopefully, POODLE will help bring about the end of XP :)
> 
> Windows XP, with MSIE 7 or MSIE 8 installed, is *UNAFFECTED* by Poodle,
> because it will offer TLSv1.0 and not fall back to SSLv3 only.
> 
> Win7 & Win8.x Users are affected by Poodle.

As are Firefox and Chrome users of Windows XP and people whose IE has TLSv1 disabled (as was the default through SP2).

Yoav