Re: [TLS] An SCSV to stop TLS fallback.

"Yngve N. Pettersen" <> Thu, 05 December 2013 00:34 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id BED5F1AE1D1 for <>; Wed, 4 Dec 2013 16:34:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2qi1zTZVACwh for <>; Wed, 4 Dec 2013 16:34:07 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 631DB1AE1D4 for <>; Wed, 4 Dec 2013 16:34:06 -0800 (PST)
Received: from ([]:54359 helo=killashandra.invalid.invalid) by with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <>) id 1VoMtH-0003w5-CH for; Thu, 05 Dec 2013 01:34:03 +0100
Content-Type: text/plain; charset=iso-8859-15; format=flowed; delsp=yes
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <>
Date: Thu, 05 Dec 2013 01:33:59 +0100
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: "Yngve N. Pettersen" <>
Message-ID: <op.w7lfuxrh3dfyax@killashandra.invalid.invalid>
In-Reply-To: <>
User-Agent: Opera Mail/12.15 (Win32)
Subject: Re: [TLS] An SCSV to stop TLS fallback.
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 05 Dec 2013 00:34:10 -0000

On Thu, 05 Dec 2013 00:05:43 +0100, Marsh Ray <> wrote:

> What percentage of these client fallback operations that actual users  
> browsers are doing in the real world are being triggered for reasons  
> *other* than actual server implementation bugs? I imagine this could be  
> a difficult thing to measure. But I can also imagine the obvious client  
> heuristics (if it fails, try again) could easily be triggered by a busy  
> server or simple packet loss. Couldn't this represent a full 1% of  
> connections, especially now that so many users are on mobile devices?

It is definitely a possibility.

One part of Opera's (v12 and before) logic regarding fallbacks was to fall  
back if the connection took too long to establish after the handshake had  
started, since some problematic servers would never respond if they did  
not like the handshake. IIRC the trigger time was 6 or 10 seconds.

> So if a fallback situation was a slow-loading lousy page experience  
> before, what's it going to be after legitimate servers implement this  
> logic? Will servers actively *refuse* legitimate client's retry  
> connections? If so, isn't this just taking an intermittent slow-failure  
> situation and converting it to an even slower but guaranteed interop  
> failure? If not, what good will downgrade protection logic be?
> TLS 1.2 was designed to mitigate some serious potential attacks. BEAST  
> demonstrated these attack vectors could be practical.
> We need to recognize ad-hoc client fallback heuristic for what it is: a  
> security vulnerability.
> Therefore, clients MUST NOT auto-downgrade.

The main point of contention is how to accomplish this without "breaking  
the web" and how to do this in a fashion that improves security quickly.

The SCSV proposal very likely will not "break the web", but my objection  
is that it will require updates to all the servers, and not just the  
clients, and thus take too long to deploy (case in point: 4 years after  
the Renego problem was discovered, 20% of servers are still not patched).  
Given that. 14 years after TLS 1.0 was released, about 1% of servers still  
only support SSL v3. I do not have high hopes of having SCSVs fully  
deployed in 15 years (unless client vendors decide to, or have to, "break  
the web").

My suggestion have been to update the clients to refuse to use fallback  
when connecting to servers that implement the Renego patch. This have the  
benefit of using a proxy for correct version negotiation, which is already  
deployed on a majority of servers. The drawback of my proposal is that the  
proxy indication is not perfect; there is a small fraction of patched  
servers that are version and/or extension intolerant, and there is a much  
larger fraction of servers that are version intolerant for whatever  
version bytes TLS 1.3+ will use. Some will call the first group as  
"breaking the web", while most will probably agree that the second can  
definitely be called "breaking the web".

The question is, if client vendors agree to "bull through" and refuse to  
fall back, will the server vendors and web site operators fix their  
implementations, and if so, how quickly? The best option in such a  
scenario would probably be a coordinated same-day release  (alternatively  
flipping a flag) of updated clients, particularly browsers, so that web  
sites cannot use the "switch browser" "advice" for fixing the "browser  
bug". (Flipping a flag might be the better option, since this will allow  
the updated browsers to gain a sufficiently large marketshare before  
changing the behavior)

What to do comes down to the answers to a few questions:

  - How much website breakage will be tolerated for a fix? (keep in mind  
that the fix will almost certainly require the client or server to abort a  
connection that cannot be started without a fallback, if not, what's the  
  - How secure do the vendors, website administrators and users want the  
web to be?
  - How quickly is it desirable to obtain that level of security?

The answers to each of these affect the answer to the others, so the trick  
will be to find a useful compromise that does not compromise security.

Yngve N. Pettersen

Using Opera's mail client: