Re: [TLS] Fallback SCSV summary

"Yngve N. Pettersen" <> Sat, 08 November 2014 03:38 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id E77651A0022 for <>; Fri, 7 Nov 2014 19:38:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.3
X-Spam-Status: No, score=-1.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_56=0.6] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id WpfVO16t5vpE for <>; Fri, 7 Nov 2014 19:38:20 -0800 (PST)
Received: from ( [IPv6:2a01:5b40:0:252::55]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 959911A00F1 for <>; Fri, 7 Nov 2014 19:38:19 -0800 (PST)
Received: from ([]:62511 helo=killashandra.invalid.invalid) by with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.80) (envelope-from <>) id 1Xmwqo-0002Av-NL for; Sat, 08 Nov 2014 04:38:10 +0100
Content-Type: text/plain; charset="iso-8859-15"; format="flowed"; delsp="yes"
References: <>
Date: Sat, 08 Nov 2014 04:37:51 +0100
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: "Yngve N. Pettersen" <>
Message-ID: <op.xozlpdnx3dfyax@killashandra.invalid.invalid>
In-Reply-To: <>
User-Agent: Opera Mail/12.17 (Win32)
Subject: Re: [TLS] Fallback SCSV summary
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 08 Nov 2014 03:38:23 -0000

Hello all,

Below is some statistics that I did not complete gathering until this  
week, related to something I think was mentioned in the SCSV discussion  
thread a couple of weeks ago: Some servers are apparently intolerant to  
the SCSV, and attempts to connect using the SCSV will fail.

My TLS Prober runs indicates that 2.5% of servers will fail a connection  
using the SCSV when it is placed at the last position in the cipher suite  
list, and 4.9% will fail if it is placed at the beginning of the list. In  
fact, while a sample of just two weeks is problematic, these numbers  
appear to be increasing, as one week earlier the numbers were 2.1% and  
4.0%, respectively.

I also tested three other alternative SCSVs,placed at the end of the  
cipher suite list, and 0.6% of the tested servers did not tolerate each of  

As a comparison, 1.3% of the tested servers are extension intolerant when  
the client indicates TLS 1.x.

The combination of SCSV intolerant and extension intolerant servers appear  
to be less than 0.1% of the sample. As I have not yet managed to pin down  
a server with this combination that fails during actual testing with an  
SCSV supporting browser, I am wondering if this combination is at least  
partly due to false postives, or if they fail at specific TLS versions.  
Further testing may be necessary to find out if that is so.

14.4% support the SCSV at this time.

Related to TLS 1.3 and fallbacks: Essentially all of the SCSV supporting  
servers failed when the SCSV is used at the start and for the server's  
highest supported version; less than 0.1% did so for the SCSV at the end.

Also, 2.4% of servers are intolerant for the TLS 1.3 version indication,  
half of them are Renego patched.

On Sat, 08 Nov 2014 02:52:37 +0100, Joseph Salowey <> wrote:

> Below is my summary of the fallback SCSV issue with some suggestions.
> Since I'm weighing in on the text as an individual I'm asking Sean to
> finish up the consensus process on this draft.
> I've gone through he SCSV comments and I think the following issues need  
> to
> be resolved:
> 1.  The draft does not really state that the fallback SCSV is really a  
> hack
> and that standard version negotiation should really be encouraged.  Here  
> is
> some text that could go into the introduction:
> "The fallback SCSV defined in this document is not suitable substitute  
> for
> proper TLS version negotiation. TLS implementations need to properly  
> handle
> TLS version negotiation and extensibility mechanisms to avoid the  
> security
> issues and connection delays associated with fallback mechanisms."
> 2.  The current draft will cause TLS connections to fail if a downgrade
> happens for any reason.  This will result in additional retries even if  
> the
> server is willing to continue at the lower version.  An alternative using
> extensions has been described to allow the server to communicate the  
> status
> of the downgrade back to the client and let the client decide whether to
> continue.
>> From reading the list I don't think we have consensus to abandon the the
> SCSV approach.  The SCSV mechanism is simpler and it does not rely on
> extensions which have been a reason for server failures in the past.
> However, I think the draft can better describe the conditions of when the
> client SHOULD include the SCSV and what the client SHOULD do if it  
> receives
> an inappropriate_fallback alert.  Here is some proposed text for section  
> 4
> and security considerations:
> Section 4
> "If the client receives an inappropriate_fallback alert then the server
> intends to support a higher version and the client should retry with the
> highest version it supports.   Implementors should review the security
> considerations section before deciding to make a connection with a lower
> version without including the TLS_FALLBACK_SCSV.
> Security Considerations
> "Section 4 does not require client implementations to send
> TLS_FALLBACK_SCSV in any particular case, it merely recommends it;  
> behavior
> can be adapted according to the client's security needs.  However, it is
> important to remember that omitting the TLS_FALLBACK_SCSV leaves the TLS
> connection vulnerable to version rollback so it is not recommended to  
> omit
> the SCSV unless the negotiated version provides an acceptable level of
> protection.
> For example, during the initial deployment of a new protocol version
> (when some interoperability problems may have to be expected),
>    smoothly falling back to the previous protocol version in case of
>    problems may be preferrable to potentially not being able to connect
>    at all: so TLS_FALLBACK_SCSV could be omitted for this particular
>    protocol downgrade step.
>    However, it is strongly recommended to send TLS_FALLBACK_SCSV when
>    downgrading to SSL 3.0 as the CBC cipher suites in SSL 3.0 have
>    weaknesses that cannot be addressed by implementation workarounds
>    like the remaining weaknesses in later (TLS) protocol versions."
> 3.  The introduction should indicate that the Fallback SCSV also applies  
> to
> 4.  The IANA considerations section needs to allocate the number for the
> alert:
> "IANA is asked to assign the following value in the TLS Alert Registry  
> for
> use with TLS and DTLS.
> 86  inappropriate_fallback Y [RFC TBD]"

Yngve N. Pettersen

Using Opera's mail client: