Re: [TLS] An SCSV to stop TLS fallback.
Brian Smith <brian@briansmith.org> Wed, 27 November 2013 01:42 UTC
Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5CB21ADFF4 for <tls@ietfa.amsl.com>; Tue, 26 Nov 2013 17:42:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gRHdwhJSQOlN for <tls@ietfa.amsl.com>; Tue, 26 Nov 2013 17:42:58 -0800 (PST)
Received: from mail-qe0-f50.google.com (mail-qe0-f50.google.com [209.85.128.50]) by ietfa.amsl.com (Postfix) with ESMTP id 609471ADF7F for <tls@ietf.org>; Tue, 26 Nov 2013 17:42:58 -0800 (PST)
Received: by mail-qe0-f50.google.com with SMTP id 1so4620862qec.37 for <tls@ietf.org>; Tue, 26 Nov 2013 17:42:57 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=odq5HdgzldFXVadNdgVGg83BtzYXLWVxDxipiTpoFGk=; b=nJ9IzyEuTg4DedBOslANp5KBdm3vrDg/j6X+QhHF6lNbUrs9io0MxoEMuarlLTG/Cb uYJ5rges9fx5AG7xZqgzcS7DLHtmGPJExn5S5qLVYX+TvVUUH4+ZQgXUlSFXqBX81vWr aYkSrPLtpuAj5oF+m4I9p795ohQj8cuWKv9bN3UTB7zhXRYmGU+SAH7vRDfaGfWODi3Q Xrc/hVe39X459HjZh3aQm+vu4/67WaRNBhT4kjb9Uz41S9W9A3eex9WmjUpQl/5FCAXg NKociQJImq9hV/4j+VifZcvaE1fBRfPRxPtj+6eJ3Q68BYSXVQ/bChHpSbwkrnbCy+dO HB/Q==
X-Gm-Message-State: ALoCoQmBQf06b9j9YuUJlaZxjZkOhoSf1Zerwq0pTFBxcrtHzQs46jFiXfsmL8CQb+brLnd+ivJi
MIME-Version: 1.0
X-Received: by 10.224.167.193 with SMTP id r1mr9706632qay.30.1385516577881; Tue, 26 Nov 2013 17:42:57 -0800 (PST)
Received: by 10.224.40.11 with HTTP; Tue, 26 Nov 2013 17:42:57 -0800 (PST)
X-Originating-IP: [12.216.141.3]
In-Reply-To: <CAL9PXLzWPY5o2SeV=kUPWxznkw+3cmpbMpYifCebfqd48VW9UA@mail.gmail.com>
References: <CAL9PXLzWPY5o2SeV=kUPWxznkw+3cmpbMpYifCebfqd48VW9UA@mail.gmail.com>
Date: Tue, 26 Nov 2013 17:42:57 -0800
Message-ID: <CAFewVt42cSELgfiDa2M7OWwBcpEgcqNzHL4oAEjJ_3GJ8TEPrg@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Adam Langley <agl@google.com>
Content-Type: text/plain; charset="UTF-8"
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] An SCSV to stop TLS fallback.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2013 01:42:59 -0000
On Mon, Nov 25, 2013 at 3:27 PM, Adam Langley <agl@google.com> wrote: > In the event that a client is making a fallback connection, it > includes TLS_FALLBACK_SCSV (0x5600) in the list of cipher suites. A > current server which sees this cipher suite in a ClientHello SHOULD > return a fatal alert, inappropriate_fallback (86) and abort the > connection. Adam, I think what you propose makes sense. However, I think it might not be ideal if there are any circumstances where the browser could accidentally fall back to a lower version--e.g. falling back after a timeout or falling back in response to the connection being reset. AFAICT, we currently have to do fallback from TLS 1.2 -> TLS 1.1 and from TLS 1.1 -> TLS 1.0 in response to connection resets. There will be some false positives here. In addition to potentially reducing the security of the connection, these fallback connections add a lot of latency. If we attempt a fallback connection in response to a connection reset, and we receive an inappropriate_fallback alert, then we'd have to make yet *another* connection without the fallback. All other things being equal, it would be better if the server could respond respond exactly as it would with a TLS 1.2 ClientHello, without downgrading the cipher suite or any other feature, more like what Martin Rex suggested. However, I don't think it is realistic to backport features all the way to SSL 3.0. The information in the TLS extensions is too important, and trying to define good defaults for missing extensions that make sense long-term seems like it will just bind our hands too much in the future. So, we should could consider backporting TLS 1.2 cipher suites to TLS 1.1 and TLS 1.0, but then using your suggested inappropriate_fallback for for SSL 3.0 handshakes only. Whether this complication is justified depends on how frequently we receive false-positive connection resets (and anything else that can be a false positive) and how much we care about optimizing performance for that case. Cheers, Brian -- Mozilla Networking/Crypto/Security (Necko/NSS/PSM)
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Andy Wilson
- Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Trevor Perrin
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Trevor Perrin
- Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
- Re: [TLS] An SCSV to stop TLS fallback. Brian Smith
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Jack Lloyd
- Re: [TLS] An SCSV to stop TLS fallback. Manger, James H
- Re: [TLS] An SCSV to stop TLS fallback. Wan-Teh Chang
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Wan-Teh Chang
- Re: [TLS] An SCSV to stop TLS fallback. Manuel Pégourié-Gonnard
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Marsh Ray
- Re: [TLS] An SCSV to stop TLS fallback. Douglas Stebila
- Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
- Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
- Re: [TLS] An SCSV to stop TLS fallback. James Cloos
- Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
- Re: [TLS] An SCSV to stop TLS fallback. Manuel Pégourié-Gonnard
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Marsh Ray
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Daniel Kahn Gillmor
- Re: [TLS] An SCSV to stop TLS fallback. Brian Smith
- Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Yaron Sheffer
- Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
- Re: [TLS] An SCSV to stop TLS fallback. Yaron Sheffer
- Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
- Re: [TLS] An SCSV to stop TLS fallback. Manuel Pégourié-Gonnard
- Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller