Re: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]

David Benjamin <davidben@chromium.org> Thu, 02 June 2016 15:08 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45A9712D734 for <tls@ietfa.amsl.com>; Thu, 2 Jun 2016 08:08:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.425
X-Spam-Level:
X-Spam-Status: No, score=-3.425 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mPyiEkm3-NM7 for <tls@ietfa.amsl.com>; Thu, 2 Jun 2016 08:08:13 -0700 (PDT)
Received: from mail-it0-x22b.google.com (mail-it0-x22b.google.com [IPv6:2607:f8b0:4001:c0b::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F08C612D735 for <tls@ietf.org>; Thu, 2 Jun 2016 08:08:03 -0700 (PDT)
Received: by mail-it0-x22b.google.com with SMTP id e62so128154586ita.1 for <tls@ietf.org>; Thu, 02 Jun 2016 08:08:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=9aeiMbo9hdx4bjX80xblT7uGIgoTxWSN8NQ0afcM9L0=; b=Z2dqvlqX9UEqItDweXtvedZWbae5LCfg6rDfUdiPSmod1NmQLln2avTLcHJ7AM43gh xrAl63c50Sf5aJPeoSGP6XTLy1dgRUEJX7/1PXxjFg0Lj+ijFO+hfMTCKh+c1tXevnrJ vrP8b4h5ZfoUb0YkdusdYa/gllZxyn2ne0V5o=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=9aeiMbo9hdx4bjX80xblT7uGIgoTxWSN8NQ0afcM9L0=; b=RydWuRHpZjrerQzxnSH4wMA62gQ3PTPk8vlVRuhb0USmkSkZrow62Gm8WY+4MSQQFF 8fyy4ALPeNSBcfkT7Rq7yhkwWS9kAd6NXh7of3LDQxv7zZv68zpSV3pzK3XBhcRvhhi0 h767iz6zO9IrWtutYvL36BJWA2bj1YwAxmIYy3XaboCJUmBEYj8ww1+e8MaVirgm+Psb 0kiba0UX0qipPsexfQnlvGaKyka0Nyzu358V/QcMgIf2bgi8NIavJAdg4j68Hs1b5m/k bQY5sOmv8Fr3H9TSkK7P9vnfZQs57+QqYcHXDrpYNFnZuf2rAUCpEQN0bVBdTZnpOFdT 63MA==
X-Gm-Message-State: ALyK8tLfZ8STSEaoS/wX5Zb7eCy6urVBLQ9Ug0VeGyv6QjxzIq8CCp4YNyKP61ePUhBFvdZUm4DXZ6pofum0Vqlv
X-Received: by 10.36.101.74 with SMTP id u71mr282078itb.92.1464880083211; Thu, 02 Jun 2016 08:08:03 -0700 (PDT)
MIME-Version: 1.0
References: <CAF8qwaDuGyHOu_4kpWN+c+vJKXyERPJu-2xR+nu=sPzG5vZ+ag@mail.gmail.com> <1464852691.5804.1.camel@redhat.com> <DBDC810F-B93F-4294-AB43-87B04DFE88D1@gmail.com> <3713097.ExV049UdFl@pintsize.usersys.redhat.com>
In-Reply-To: <3713097.ExV049UdFl@pintsize.usersys.redhat.com>
From: David Benjamin <davidben@chromium.org>
Date: Thu, 02 Jun 2016 15:07:53 +0000
Message-ID: <CAF8qwaASpH3Fapo61TDBuF35++GyMbZa4c-9Uy-JZ8CKywpAFw@mail.gmail.com>
To: Hubert Kario <hkario@redhat.com>, tls@ietf.org
Content-Type: multipart/alternative; boundary=001a1145bcf2fff0ae05344cf881
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/_ZhuuHcv0ok-ndjFkAAGGwxlw_8>
Subject: Re: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jun 2016 15:08:18 -0000

On Thu, Jun 2, 2016 at 6:43 AM Hubert Kario <hkario@redhat.com>; wrote:

> On Thursday 02 June 2016 11:39:20 Yoav Nir wrote:
> > > On 2 Jun 2016, at 10:31 AM, Nikos Mavrogiannopoulos
> > > <nmav@redhat.com>; wrote:>
> > > On Wed, 2016-06-01 at 15:43 -0700, Eric Rescorla wrote:
> > >> 2% is actually pretty good, but I agree that we're going to need
> > >> fallback.
> > >
> > > Please not. Lets let these fallbacks die. Not every client is a
> > > browser. TLS 1.3 must be a protocol which doesn't require hacks to
> > > operate. CBC was removed, lets do the same for insecure fallbacks.
> >
> > Not every client is a browser, but some are. So what does the browser
> > do when a server resets the connection after seeing the ClientHello?
> >
> > Blank screen with a failure message?
>
> fallback to check if the connection failure is caused by TLSv1.3, and if
> it is, display error message and put the blame squarely on the server
>

We browser folk hate these fallbacks just enough as much as you do, if not
more. I personally spent quite a lot of time and effort getting rid of it
in Chrome (and I'm happy to say, as of Chrome 50, I seem to have
succeeded). I'm sure my counterparts at Mozilla went through similar pains.

But reality is what it is. The Law of the Internet is the last thing that
changed is blamed. We have a limited "budget" we can spend breaking things
(otherwise I'd have removed almost everything by now!) and there is no
chance I can break all the hosts I found.

I have been reaching out to figure out the broken vendors, but this is a
slow process. It will not be flushed this out anytime soon. With TLS 1.3 as
it stands, I think a browser fallback in the short to medium term is a
certainty. (If your clients don't need it, then by all means don't add one!
I envy you.)

David