Re: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]

Eric Rescorla <ekr@rtfm.com> Fri, 03 June 2016 13:40 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 924C112D1A4 for <tls@ietfa.amsl.com>; Fri, 3 Jun 2016 06:40:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qxtan3UOfAH6 for <tls@ietfa.amsl.com>; Fri, 3 Jun 2016 06:40:45 -0700 (PDT)
Received: from mail-yw0-x231.google.com (mail-yw0-x231.google.com [IPv6:2607:f8b0:4002:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D525F12D69A for <tls@ietf.org>; Fri, 3 Jun 2016 06:40:38 -0700 (PDT)
Received: by mail-yw0-x231.google.com with SMTP id x189so80279476ywe.3 for <tls@ietf.org>; Fri, 03 Jun 2016 06:40:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=GAzFO+j0eydZ5AAxA1QFx7Qh+AGdqvM4CC7s0vRrRd4=; b=hSBVXIr/pI3Woo9lHuZa6HW6eiNPlx9FFBFFJCx2wF3+lFeSS12eZV0KQhkWi20MtF Vx6dvW/uNZutBHRvNud/4mr0QjnRgNI+3Eymb9vmz1AxLNAwzWiC/NNvVn1WgJ+Buoz2 WfZN6iBCt5V2aJkKneY0f+Log3gb09I8+tzGzKaG9Xls42ynM7uqbBB1D+XvkPJmeVTE iYdYwygiUzxyD2POEB/oNC3ZPpxUTXQ/L3TdSnYmJjU0K8WbUiF45HWsUM9p/lsS7pIL GGq8RXvI6qx2wlFgQjJOPsK+ore6wlyj7uplxmSNze2lCF9oAKwjFOAnbxJLo2hNObic 9JQg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=GAzFO+j0eydZ5AAxA1QFx7Qh+AGdqvM4CC7s0vRrRd4=; b=DcFn2IMCLHCaiKp9RtV2Ikh/t4TzjJstJ38EOer6WT8LzZ3+fhVq9otzizZlhyuuKZ d5YQGabQbhO8uW21cGykkVhjgA9odyXmo1fd4Ixs9oE+Bc2nUdThGLqf9n/8eGFSBtG/ eLG9FsZ3g9Mp+jdQlCe6Cyh2jcWuISaoJ/QsNgTxyYGEeL/wG88E+xB2s3jNozwExHZ8 d6w1UjWyyAPvrxWEhWR7eZkvfIBQ4Euj1OjI70cuLw5yVr6/PXBPgMY53mu7MKY0qXdM WPfbhdILN2E38HqA/cEuGsdO2a/Kl0+Ng2EEWvCCBn8IgmPd6YP6r+SumWqxnwqobRPF VJIA==
X-Gm-Message-State: ALyK8tJ/iT76ISWKg6LyqppLmqEmSt3EW5RBjalRwedK0g8i4uY5brR459RxwijiSgsy1eAHDbpEh/iMXgoaqQ==
X-Received: by 10.129.4.8 with SMTP id 8mr2560138ywe.44.1464961238118; Fri, 03 Jun 2016 06:40:38 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.230.76 with HTTP; Fri, 3 Jun 2016 06:39:58 -0700 (PDT)
In-Reply-To: <201606030017.20760.davemgarrett@gmail.com>
References: <CAF8qwaDuGyHOu_4kpWN+c+vJKXyERPJu-2xR+nu=sPzG5vZ+ag@mail.gmail.com> <CAF8qwaASpH3Fapo61TDBuF35++GyMbZa4c-9Uy-JZ8CKywpAFw@mail.gmail.com> <CABkgnnXs5UBPZRzPoyiVs1R7arBcPV7WuEY692SHkj=doW6bwQ@mail.gmail.com> <201606030017.20760.davemgarrett@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 3 Jun 2016 06:39:58 -0700
Message-ID: <CABcZeBN2UPNng_0zMEE=v1tWnYTep=q2QEmD91FZfWF69NCsMQ@mail.gmail.com>
To: Dave Garrett <davemgarrett@gmail.com>
Content-Type: multipart/alternative; boundary=001a113f575c35693405345fdeb0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/WZeEvKSkcUI6kzuy6WaU_hyE9QM>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jun 2016 13:40:47 -0000

My opinion on this hasn't really changed since the last time. This seems
like it's more complicated and it's not clear to me why it won't lead to
exactly the same version intolerance problem in future.

-Ekr


On Thu, Jun 2, 2016 at 9:17 PM, Dave Garrett <davemgarrett@gmail.com>; wrote:

> Allrighty then; time to dust off and rebase an old changeset I was
> fiddling with last year on this topic:
>
> https://github.com/davegarrett/tls13-spec/commit/058ff1518508b094b8c9f1bd4096be9393f20076
> (I cleaned up a bit when rebasing, but it probably needs some work; was
> just a WIP branch, never a PR)
>
> This was the result of prior discussions on-list about TLS version
> intolerance. The gist of the proposal:
> 1) Freeze all the various version number fields.
> 2) Send a list of all supported versions in an extension. (version IDs
> converted to 16-bit ints instead of 8-bit pairs)
> 3) Use short (1 or 2 value, based on hello version) predefined lists for
> hellos from old clients not sending the extension.
> 4) Compare lists to find highest overlap, avoiding guesswork or problems
> with noncontinuous lists.
> 5) Forget the old mess of version intolerance existed.
>
> Do we want to consider scrapping the old version negotiation method again?
>
>
> Dave
>