Re: [TLS] History of extensions

David-Sarah Hopwood <david-sarah@jacaranda.org> Sun, 15 November 2009 02:17 UTC

Sender: David-Sarah Hopwood <djhopwood@googlemail.com>
Message-ID: <4AFF64A9.30108@jacaranda.org>
Date: Sun, 15 Nov 2009 02:17:13 +0000
From: David-Sarah Hopwood <david-sarah@jacaranda.org>
To: tls@ietf.org
References: <200911150015.nAF0FCoj012443@fs4113.wdf.sap.corp>
In-Reply-To: <200911150015.nAF0FCoj012443@fs4113.wdf.sap.corp>

Martin Rex wrote:
> Eric Rescorla wrote:
>> Nicolas Williams wrote:
>>
>>> IIUC the arguments about SSLv3, there's an installed base of SSLv3 and
>>> TLS 1.0-with-bugs that is more likely to get patched to fix this and
>>> only this than to get upgraded to TLS 1.1+ or to have all their bugs
>>> patched.  I'm not sure that that's true.  IF it is true, then we have to
>>> consider the possibility of designing the fix so that it's easier to
>>> patch those.
>>
>> As I said, clients offer extensions already and know how to fall
>> back to not using extensions. I don't see that there is a problem
>> here.
> 
> I think you're mistaken.
> 
> The common Web Browsers may have such a fallback, but there are
> much more users of TLS than just Web Browsers.

Yes, of TLS. Not so much of SSL. Most specifications for carrying
other protocols started with TLS, not SSLv3. There may still be some
instances of extension-intolerant servers other than web servers,
but I'm not aware of any evidence that there are enough to consider
that a significant problem.

> The majority of
> programmatic clients don't use such a fallback.  Remember, that
> this fallback is entirely an apps thingy -- you can not put it
> into TLS itself.  So you will need to patch every app using
> TLS to add a reconnect fallback in order to be able to use
> TLS extension RI and not lose connectivity.

No, not at all. The idea that server bugs need to be addressed by
complicated workarounds in clients is primarily a "feature" of the web
(or more precisely the cultural and technical biases of web client
implementors). In most other contexts, a more appropriate response
to a server being broken is to fix the server.

In any case, the extension draft can and should be specified in such
a way that even if a client does not send the extension on an *initial*
handshake, a connection to a patched server will not be vulnerable.
(The server does not *know* that the vulnerability has been avoided,
but in fact it has.)

> The reconnect fallback is a performance problem by itself,
> and requires a significant amount of code added to the app.
> 
> I'm sorry, but I don't like this idea at all.

Which idea? I didn't read Eric's post as recommending that all TLS
clients should implement the fallback, or saying that they need to.
(For stateful protocols, reconnection wouldn't necessarily work,
anyway.) His point was that since web clients already implement
the fallback, they won't fail to interoperate. For non-web clients,
TLS- or extension-intolerance has not been demonstrated to be a
significant issue.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com
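As an added example that is not part of this thread, the following Python sketch models the negotiation the two posts argue about: a server patched to understand the renegotiation-indication (RI) extension (the behaviour later standardised in RFC 5746), a legacy server that aborts on any ClientHello carrying extensions, and clients with and without the reconnect fallback that web browsers implement. The class and function names are invented for this example, and the server policy of refusing renegotiation unless RI was negotiated on the initial handshake is a modelling choice; it is what makes the claim above hold that a connection from a client which never offered the extension is still not exposed on a patched server, even though the server cannot tell whether the client is patched.

```python
"""Toy model of RI extension negotiation, initial handshake plus one renegotiation.

This is an illustration of the policy discussed on the list, not a TLS
implementation: no records, no verify_data, just the decisions that matter.
"""
from dataclasses import dataclass

RI_EXT = "renegotiation_info"  # the extension name used by the RI draft


class HandshakeAborted(Exception):
    """Raised when one side gives up on the handshake."""


@dataclass
class Server:
    patched: bool                      # understands the RI extension
    extension_intolerant: bool = False  # legacy bug: aborts on any ClientHello with extensions
    secure_renegotiation: bool = False  # set once RI was negotiated on the initial handshake

    def initial_handshake(self, client_extensions):
        """Return the extensions the server echoes back, or abort."""
        if self.extension_intolerant and client_extensions:
            raise HandshakeAborted("server cannot parse extensions")
        if self.patched and RI_EXT in client_extensions:
            self.secure_renegotiation = True
            return [RI_EXT]
        return []

    def renegotiate(self, client_extensions):
        """Modelling choice: a patched server only honours renegotiation when RI
        was negotiated initially and is offered again. A client that never sent
        RI is simply refused, so the server stays safe without needing to know
        whether that client is patched."""
        if self.patched and (not self.secure_renegotiation
                             or RI_EXT not in client_extensions):
            raise HandshakeAborted("renegotiation refused: no secure renegotiation")
        return "renegotiated"  # on an unpatched server this renegotiation is unprotected


@dataclass
class Client:
    offers_ri: bool            # sends the RI extension on the initial ClientHello
    reconnect_fallback: bool   # the browser behaviour: retry once without extensions

    def connect(self, server):
        exts = [RI_EXT] if self.offers_ri else []
        try:
            server_exts = server.initial_handshake(exts)
        except HandshakeAborted:
            if not self.reconnect_fallback or not exts:
                raise
            exts = []                              # fall back to a bare ClientHello
            server_exts = server.initial_handshake(exts)
        return {"client_offered_ri": RI_EXT in exts, "secure": RI_EXT in server_exts}


def outcome(client, server):
    """Run an initial handshake followed by a renegotiation attempt and report the result."""
    try:
        first = client.connect(server)
    except HandshakeAborted as exc:
        return {"connected": False, "secure": False, "renegotiation": "n/a", "why": str(exc)}
    client_exts = [RI_EXT] if first["client_offered_ri"] else []
    try:
        server.renegotiate(client_exts)
        reneg = "allowed"
    except HandshakeAborted:
        reneg = "refused"
    return {"connected": True, "secure": first["secure"], "renegotiation": reneg}


if __name__ == "__main__":
    # Constructed scenarios covering the cases raised in the thread.
    scenarios = {
        "legacy client, patched server": (Client(False, False), Server(patched=True)),
        "RI client, patched server": (Client(True, False), Server(patched=True)),
        "RI client, intolerant server, no fallback": (Client(True, False), Server(False, True)),
        "RI client, intolerant server, fallback": (Client(True, True), Server(False, True)),
        "legacy client, unpatched server": (Client(False, False), Server(patched=False)),
    }
    for name, (c, s) in scenarios.items():
        print(f"{name:45} {outcome(c, s)}")
```

The interesting rows are the first and fourth: the legacy client against a patched server connects but has its renegotiation refused, which is the "not vulnerable even without the extension on the initial handshake" case, while the browser-style fallback against an extension-intolerant server keeps connectivity at the price of an unprotected connection, which is the trade-off Martin Rex objects to.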