Re: [TLS] Cipher suite values to indicate TLS capability

Yoav Nir <ynir@checkpoint.com> Wed, 06 June 2012 05:17 UTC

On Jun 6, 2012, at 4:11 AM, Chris Richardson wrote:

> On Tue, Jun 5, 2012 at 4:39 PM, Adam Langley <agl@google.com> wrote:
>> However, with the downgrade to SSLv3 we lose an important security
>> feature: ECDHE.
> ...
>> So I'd like to introduce TLS_CAPABLE_SCSV (0x00fe) in SSLv3
>> handshakes. TLS_EMPTY_RENEGOTIATION_INFO_SCSV has shown that we can
>> deploy new ciphersuites for SSLv3 and the semantics of
>> TLS_CAPABLE_SCSV would be that servers would reject any SSLv3
>> handshakes that included this ciphersuite with a fatal error.
> 
> Thinking through various scenarios... if I'm a TLS-capable server that
> does not support forward-secure cipher suites, what reason would I have
> to reject an SSLv3 hello containing the TLS_CAPABLE_SCSV?

Because the client says it supports TLS, but is connecting using SSLv3. That is evidence of a downgrade attack. Regardless of what benefit the attacker intends to get from downgrading the connection to SSLv3, it should be aborted.
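
The server-side check discussed in this message, as an added example that is not part of the original mail or of any TLS implementation: it parses a ClientHello body and reports whether an SSLv3 hello carries the proposed TLS_CAPABLE_SCSV (0x00fe). The function names and the sample hellos are hypothetical and constructed here; the input is assumed to be the handshake message body without record or handshake headers.

```python
import struct

SSL3_VERSION = 0x0300
TLS_CAPABLE_SCSV = 0x00FE  # value proposed in the quoted message


class MalformedHello(ValueError):
    """Raised when the ClientHello body cannot be parsed."""


def parse_client_hello(body: bytes):
    """Return (client_version, [cipher suite values]) from a ClientHello body."""
    try:
        (version,) = struct.unpack_from("!H", body, 0)
        off = 2 + 32                       # client_version + 32-byte random
        sid_len = body[off]
        off += 1 + sid_len                 # session_id<0..32>
        (cs_len,) = struct.unpack_from("!H", body, off)
        off += 2
    except (struct.error, IndexError) as exc:
        raise MalformedHello("truncated ClientHello") from exc
    if sid_len > 32 or cs_len == 0 or cs_len % 2 or off + cs_len > len(body):
        raise MalformedHello("bad session_id or cipher_suites length")
    suites = [s for (s,) in struct.iter_unpack("!H", body[off:off + cs_len])]
    return version, suites


def should_abort(body: bytes) -> bool:
    """True when the hello is SSLv3 yet advertises TLS capability, which the
    thread treats as evidence of a downgrade and answers with a fatal error."""
    version, suites = parse_client_hello(body)
    return version == SSL3_VERSION and TLS_CAPABLE_SCSV in suites


def build_hello(version: int, suites) -> bytes:
    """Constructed sample ClientHello body (zero random, empty session_id,
    null compression) used only to exercise the check."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    return (struct.pack("!H", version) + bytes(32) + b"\x00"
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")


if __name__ == "__main__":
    for ver, suites in [(0x0300, [0x0035, 0x00FE]), (0x0300, [0x0035]),
                        (0x0301, [0x0035, 0x00FE])]:
        print(hex(ver), should_abort(build_hello(ver, suites)))
```

A malformed or truncated hello raises MalformedHello instead of being treated as clean, so a parsing failure is never mistaken for the absence of the SCSV.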