Re: [TLS] Rethink TLS 1.3

Watson Ladd <watsonbladd@gmail.com> Tue, 25 November 2014 15:15 UTC

In-Reply-To: <3283678.0WkSFC7mCs@pintsize.usersys.redhat.com>
References: <20141124105948.GH3200@localhost> <20141124165601.0E7A71B004@ld9781.wdf.sap.corp> <CACsn0ckcpNYJbnb+vd=nazXQhN5m3=L1DxO+KnLXMVyWOQ-PUQ@mail.gmail.com> <3283678.0WkSFC7mCs@pintsize.usersys.redhat.com>
Date: Tue, 25 Nov 2014 07:14:38 -0800
Message-ID: <CACsn0c=7fzAmshr7qamiLZdRUNs8kexQPR4E6n3teqNi4HzOjQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Hubert Kario <hkario@redhat.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/WscCGn4NxT6QtxuMFGcYVsygNtI
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Rethink TLS 1.3

On Tue, Nov 25, 2014 at 6:46 AM, Hubert Kario <hkario@redhat.com> wrote:
> On Monday 24 November 2014 09:35:20 Watson Ladd wrote:
>> On Mon, Nov 24, 2014 at 8:56 AM, Martin Rex <mrex@sap.com> wrote:
>> > Nico Williams wrote:
>> >> Henrick Hellström wrote:
>> >>> Yes, but the point I am trying to make, is that if the implied goal
>> >>> is to make TLS resilient even against BEAST/CRIME style attacks, the
>> >>> threat model should be defined accordingly. It makes little sense to
>> >>> ask for cryptographic review of the protocol, if it is inherently
>> >>> unclear exactly what kind of threats the protocol is designed to
>> >>> withstand.
>> >>
>> >> BEAST/CRIME are dramatic demonstrations of the capabilities of attackers
>> >> in the Internet threat model.
>> >
>> > Nope.  BEAST, CRIME and Poodle are pretty boring demonstrations of the
>> > ridiculous insecurity of WebBrowsers in their default
> configuration. https://tcms.engineering.redhat.com/case/295339/
>>
>> So it's possible to get my Paypal login cookie if I browse to a
>> malicious site on a fully patched browser? Because that's what BEAST
>> enabled. Are you saying it's fine that SSL v3.0 leaks one byte per
>> connection? Because that's POODLE. All of this was known in 2004, and
>> not fixed in TLS 1.2
>
> are you suggesting that AEAD ciphers are vulnerable to them? based on what
> mechanism?
>
> I mean, sure they are not mandatory or the only TLS 1.2 compatible ciphers,
> but they are there...

Fixed means fixed, not "you get to play choose your own ciphersuite,
where most of the options are wrong". It means aggressively removing
ciphers and protocols known to be weak. Instead of considering the job
done when secure options have been added, we should consider it done
when the insecure options have been removed.

Sincerely,
Watson Ladd
>
> --
> Regards,
> Hubert Kario



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin
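The "fixed means removed" standard argued above, as an added example (not code from the thread or from any TLS implementation): a configuration audit that passes only when every option tied to the attacks named in the thread (SSL 3.0 for POODLE, CBC suites under TLS 1.0 for BEAST, compression for CRIME, plus RC4) is gone, and does not pass merely because AEAD suites were added alongside them. The config dictionary layout and IANA-style suite names are assumptions for illustration.

```python
from typing import Dict, List, Optional

# Weak protocol versions and the attack the thread associates with them.
# (Constructed table for the example; it reflects only what the thread names.)
WEAK_PROTOCOLS = {"SSLv3": "POODLE (padding oracle against SSL 3.0 CBC)"}


def _weak_cipher_reason(suite: str, protocols: set) -> Optional[str]:
    """Explain why an IANA-named suite is a known-weak option, or None."""
    if "RC4" in suite:
        return "RC4 keystream biases"
    # CBC suites under TLS 1.0 are the BEAST target discussed in the thread.
    if "CBC" in suite and "TLSv1.0" in protocols:
        return "BEAST (predictable chained IVs in TLS 1.0 CBC)"
    return None


def audit(config: Dict) -> List[str]:
    """Return one finding per insecure option that is still enabled.

    An empty list is the only passing result: a strong suite being present
    does not offset a weak protocol, suite or compression setting.
    """
    findings = []
    protocols = set(config.get("protocols", []))
    for proto in sorted(protocols):
        if proto in WEAK_PROTOCOLS:
            findings.append(f"protocol {proto}: {WEAK_PROTOCOLS[proto]}")
    if config.get("compression", False):
        findings.append("compression enabled: CRIME (compression side channel)")
    for suite in config.get("ciphers", []):
        reason = _weak_cipher_reason(suite, protocols)
        if reason:
            findings.append(f"cipher {suite}: {reason}")
    return findings


def is_fixed(config: Dict) -> bool:
    """True only when no known-weak option remains."""
    return not audit(config)


# Constructed sample: AEAD suite added, but the weak options were never removed.
MIXED = {
    "protocols": ["SSLv3", "TLSv1.0", "TLSv1.2"],
    "ciphers": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA"],
    "compression": True,
}
# Constructed sample: same AEAD suite, weak options actually removed.
CLEAN = {"protocols": ["TLSv1.2"],
         "ciphers": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
         "compression": False}
```

Running `audit(MIXED)` yields four findings (SSLv3, compression, the CBC suite under TLS 1.0, and RC4) even though the AEAD suite is offered; `audit(CLEAN)` yields none.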