Re: [TLS] To extend or not to extend
Nelson B Bolyard <nelson@bolyard.me> Sun, 15 November 2009 22:33 UTC
Return-Path: <nelson@bolyard.me>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 246FA3A6A39 for <tls@core3.amsl.com>; Sun, 15 Nov 2009 14:33:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.779
X-Spam-Level:
X-Spam-Status: No, score=-1.779 tagged_above=-999 required=5 tests=[AWL=0.820, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZJHBdGhhv+2i for <tls@core3.amsl.com>; Sun, 15 Nov 2009 14:33:44 -0800 (PST)
Received: from smtpauth17.prod.mesa1.secureserver.net (smtpauth17.prod.mesa1.secureserver.net [64.202.165.29]) by core3.amsl.com (Postfix) with SMTP id 583AD3A6A34 for <tls@ietf.org>; Sun, 15 Nov 2009 14:33:44 -0800 (PST)
Received: (qmail 8214 invoked from network); 15 Nov 2009 22:33:43 -0000
Received: from unknown (24.5.142.42) by smtpauth17.prod.mesa1.secureserver.net (64.202.165.29) with ESMTP; 15 Nov 2009 22:33:42 -0000
Message-ID: <4B00823F.3030103@bolyard.me>
Date: Sun, 15 Nov 2009 14:35:43 -0800
From: Nelson B Bolyard <nelson@bolyard.me>
Organization: Network Security Services
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1b1pre) Gecko/20081004 NOT Firefox/2.0 SeaMonkey/2.0a2pre
MIME-Version: 1.0
To: Bodo Moeller <bmoeller@acm.org>
References: <AC1CFD94F59A264488DC2BEC3E890DE5091A760A@xmb-sjc-225.amer.cisco.com> <20091115113857.4E04D69F7B2@kilo.networkresonance.com> <4B006F37.6030905@bolyard.me> <F1240B36-28C3-44EC-9B42-9C099F83365D@acm.org>
In-Reply-To: <F1240B36-28C3-44EC-9B42-9C099F83365D@acm.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] To extend or not to extend
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Nov 2009 22:33:45 -0000
On 2009-11-15 14:22 PDT, Bodo Moeller wrote: > On Nov 15, 2009, at 1:14 PM, Nelson B Bolyard wrote: > >> On 2009-11-15 03:38 PDT, Eric Rescorla wrote: >> >>> So, thinking further on my earlier message, I think the following >>> elaboration will work a bit better: >>> >>> - Strict clients (those which wish to insist on RI) generate RI on >>> initial handshake. As I said earlier, I don't think this is >>> useful, but it works. >>> >>> - Lenient clients do not generate RI on initial handshake but do >>> generate it on rehandshake with TLS 1.0+ only. >>> + Moderately lenient clients can fail if the server does not >>> do RI. >>> + Really lenient clients can ignore the server's failure to >>> do RI. >> Aren't your so-called Lenient clients still 100% vulnerable to the >> attack? >> >> What prevents their initial handshakes from being used by an >> attacker as renegotiations with a vulnerable server? > > Not connecting to a vulnerable server would. In the web browser > scenario, if I know that the HTTPS servers I use for serious purposes > are not vulnerable (i.e. don't allow renegotiation, other than > possibly with the updated renegotiation protocol), I'm fine. Right. In the presence of a "white list" of known invulnerable servers, no client protocol modifications of any kind are necessary. > When an HTTP page points me to an HTTPS page that I haven't heard of > before, where I wouldn't even bother to verify the certificate's > subject name or the hostname, then I don't care at all: Right. That case is not interesting. The interesting case is the server that you have heard of before, and do use, perhaps with some frequency, but you do not know if it is vulnerable or not. Since you are a regular user of that server, if it is vulnerable then the next time you use it, you may be vulnerable, too. As a lenient client of that server, you have no protection from the attack.
- [TLS] To extend or not to extend Joseph Salowey (jsalowey)
- Re: [TLS] To extend or not to extend Eric Rescorla
- Re: [TLS] To extend or not to extend Bodo Moeller
- Re: [TLS] To extend or not to extend Martin Rex
- Re: [TLS] To extend or not to extend Nicolas Williams
- Re: [TLS] To extend or not to extend Nelson B Bolyard
- Re: [TLS] To extend or not to extend Nelson B Bolyard
- Re: [TLS] To extend or not to extend Bodo Moeller
- Re: [TLS] To extend or not to extend Nelson B Bolyard
- Re: [TLS] To extend or not to extend Bodo Moeller
- Re: [TLS] To extend or not to extend Joseph Salowey (jsalowey)
- Re: [TLS] To extend or not to extend Eric Rescorla