IETF Logo Mail Archive

Re: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv

mrex@sap.com (Martin Rex) Sat, 25 January 2014 00:34 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59BB01A023B for <tls@ietfa.amsl.com>; Fri, 24 Jan 2014 16:34:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.552
X-Spam-Level:
X-Spam-Status: No, score=-6.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 14VG4GrwAFVN for <tls@ietfa.amsl.com>; Fri, 24 Jan 2014 16:34:02 -0800 (PST)
Received: from smtpde01.sap-ag.de (smtpde01.sap-ag.de [155.56.68.170]) by ietfa.amsl.com (Postfix) with ESMTP id 267511A022B for <tls@ietf.org>; Fri, 24 Jan 2014 16:34:01 -0800 (PST)
Received: from mail05.wdf.sap.corp by smtpde01.sap-ag.de (26) with ESMTP id s0P0Xt0x017478 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 25 Jan 2014 01:33:55 +0100 (MET)
In-Reply-To: <2A0EFB9C05D0164E98F19BB0AF3708C711EB9F2E33@USMBX1.msg.corp.akamai.com>
To: "Salz, Rich" <rsalz@akamai.com>
Date: Sat, 25 Jan 2014 01:33:55 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20140125003355.061101ABCA@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Jan 2014 00:34:04 -0000

Salz, Rich wrote:
>
>> By transmitting this SCSV, the client is saying to the server
>> "just so you know, i tried a better protocol, but it didn't work
>> -- if you meant to accept better protocols, then someone is
>> messing with us, please abort."
> 
> That's a really nice explanation.

Nope, that is a bad idea.

We know pretty damn well that there are a number of non-malicious
middle-boxes all over the place on the internet.  They're the
reason that the fallbacks to overcome handshake failures were invented
in the first place.

If you either believe that giving those middle-boxes a hard time
and giving the end users a hard time and forcing the user
to use cleartext HTTP is desirable, then simply disable the
fallback on the client and be done with it -- this will reliably
work with every existing server out there.


But if instead, after having pestered enough of your users/customers,
you figure that you need to enable succeding with TLSv1.0 instead
of forcing the user to switch to cleartext-HTTP, then you will
need yet another level of fallback, to a ClientHello without that
SCSV -- at which point this whole effort turns into a complete waste.



Now on top of that, we do know that TLSv1.2 is cryptographically
weaker than TLSv1.0 and TLSv1.1 because of the weak default SHA1-only
digitally-signed with RSA server certificates.


I would really appreciate if this Working Group would spend more
time on making more TLS handshakes succeed and make strong
algorithms and cipher suites more easily achievable for the
huge installed base of TLS that is under software maintenance.


-Martin

v2.23.0 | Report a Bug | By Email