Re: [TLS] An SCSV to stop TLS fallback.

Brian Smith <brian@briansmith.org> Wed, 27 November 2013 01:42 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5CB21ADFF4 for <tls@ietfa.amsl.com>; Tue, 26 Nov 2013 17:42:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gRHdwhJSQOlN for <tls@ietfa.amsl.com>; Tue, 26 Nov 2013 17:42:58 -0800 (PST)
Received: from mail-qe0-f50.google.com (mail-qe0-f50.google.com [209.85.128.50]) by ietfa.amsl.com (Postfix) with ESMTP id 609471ADF7F for <tls@ietf.org>; Tue, 26 Nov 2013 17:42:58 -0800 (PST)
Received: by mail-qe0-f50.google.com with SMTP id 1so4620862qec.37 for <tls@ietf.org>; Tue, 26 Nov 2013 17:42:57 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=odq5HdgzldFXVadNdgVGg83BtzYXLWVxDxipiTpoFGk=; b=nJ9IzyEuTg4DedBOslANp5KBdm3vrDg/j6X+QhHF6lNbUrs9io0MxoEMuarlLTG/Cb uYJ5rges9fx5AG7xZqgzcS7DLHtmGPJExn5S5qLVYX+TvVUUH4+ZQgXUlSFXqBX81vWr aYkSrPLtpuAj5oF+m4I9p795ohQj8cuWKv9bN3UTB7zhXRYmGU+SAH7vRDfaGfWODi3Q Xrc/hVe39X459HjZh3aQm+vu4/67WaRNBhT4kjb9Uz41S9W9A3eex9WmjUpQl/5FCAXg NKociQJImq9hV/4j+VifZcvaE1fBRfPRxPtj+6eJ3Q68BYSXVQ/bChHpSbwkrnbCy+dO HB/Q==
X-Gm-Message-State: ALoCoQmBQf06b9j9YuUJlaZxjZkOhoSf1Zerwq0pTFBxcrtHzQs46jFiXfsmL8CQb+brLnd+ivJi
MIME-Version: 1.0
X-Received: by 10.224.167.193 with SMTP id r1mr9706632qay.30.1385516577881; Tue, 26 Nov 2013 17:42:57 -0800 (PST)
Received: by 10.224.40.11 with HTTP; Tue, 26 Nov 2013 17:42:57 -0800 (PST)
X-Originating-IP: [12.216.141.3]
In-Reply-To: <CAL9PXLzWPY5o2SeV=kUPWxznkw+3cmpbMpYifCebfqd48VW9UA@mail.gmail.com>
References: <CAL9PXLzWPY5o2SeV=kUPWxznkw+3cmpbMpYifCebfqd48VW9UA@mail.gmail.com>
Date: Tue, 26 Nov 2013 17:42:57 -0800
Message-ID: <CAFewVt42cSELgfiDa2M7OWwBcpEgcqNzHL4oAEjJ_3GJ8TEPrg@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Adam Langley <agl@google.com>
Content-Type: text/plain; charset=UTF-8
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] An SCSV to stop TLS fallback.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2013 01:42:59 -0000

On Mon, Nov 25, 2013 at 3:27 PM, Adam Langley <agl@google.com> wrote:
>   In the event that a client is making a fallback connection, it
> includes TLS_FALLBACK_SCSV (0x5600) in the list of cipher suites. A
> current server which sees this cipher suite in a ClientHello SHOULD
> return a fatal alert, inappropriate_fallback (86) and abort the
> connection.

Adam, I think what you propose makes sense. However, I think it might
not be ideal if there are any circumstances where the browser could
accidentally fall back to a lower version--e.g. falling back after a
timeout or falling back in response to the connection being reset.
AFAICT, we currently have to do fallback from TLS 1.2 -> TLS 1.1 and
from TLS 1.1 -> TLS 1.0 in response to connection resets. There will
be some false positives here. In addition to potentially reducing the
security of the connection, these fallback connections add a lot of
latency. If we attempt a fallback connection in response to a
connection reset, and we receive an inappropriate_fallback alert, then
we'd have to make yet *another* connection without the fallback. All
other things being equal, it would be better if the server could
respond respond exactly as it would with a TLS 1.2 ClientHello,
without downgrading the cipher suite or any other feature, more like
what Martin Rex suggested.

However, I don't think it is realistic to backport features all the
way to SSL 3.0. The information in the TLS extensions is too
important, and trying to define good defaults for missing extensions
that make sense long-term seems like it will just bind our hands too
much in the future.

So, we should could consider backporting TLS 1.2 cipher suites to TLS
1.1 and TLS 1.0, but then using your suggested inappropriate_fallback
for for SSL 3.0 handshakes only.

Whether this complication is justified depends on how frequently we
receive false-positive connection resets (and anything else that can
be a false positive) and how much we care about optimizing performance
for that case.

Cheers,
Brian
-- 
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)