Re: [TLS] An SCSV to stop TLS fallback.
"Yngve N. Pettersen" <yngve@spec-work.net> Thu, 05 December 2013 00:34 UTC
Return-Path: <yngve@spec-work.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BED5F1AE1D1 for <tls@ietfa.amsl.com>; Wed, 4 Dec 2013 16:34:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2qi1zTZVACwh for <tls@ietfa.amsl.com>; Wed, 4 Dec 2013 16:34:07 -0800 (PST)
Received: from smtp.domeneshop.no (smtp.domeneshop.no [194.63.252.54]) by ietfa.amsl.com (Postfix) with ESMTP id 631DB1AE1D4 for <tls@ietf.org>; Wed, 4 Dec 2013 16:34:06 -0800 (PST)
Received: from 47.70.202.84.customer.cdi.no ([84.202.70.47]:54359 helo=killashandra.invalid.invalid) by smtp.domeneshop.no with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.72) (envelope-from <yngve@spec-work.net>) id 1VoMtH-0003w5-CH for tls@ietf.org; Thu, 05 Dec 2013 01:34:03 +0100
Content-Type: text/plain; charset="iso-8859-15"; format="flowed"; delsp="yes"
To: tls@ietf.org
References: <CAL9PXLzWPY5o2SeV=kUPWxznkw+3cmpbMpYifCebfqd48VW9UA@mail.gmail.com> <CACsn0ckuupJaNKXGjP63LfZiDsV5FLOqfk902O9i1oheqtAAhA@mail.gmail.com> <CAL9PXLxueY_k0XWgTrqVxqXDgvCRhAW5UEa8YjU9_rnuZ6otTA@mail.gmail.com> <CAL2p+8TXJVmnb-v3xH6uzW+rpZ+v8J65TjO32__O3ZofQiwSig@mail.gmail.com> <CAL9PXLwKxF14CUNmN=-P6mhcr+xcGw0_Aaq7amdBXZKUsrKsKA@mail.gmail.com> <CADMpkcLRNmmoMOpJ9QVFPMEbpSyu39afipWUv4Du-assHoC1rw@mail.gmail.com> <CAL9PXLx0+bYn_KXKhvFz=D_jXfctdVihaXnj=SqB6EeEqRLOSg@mail.gmail.com> <CADMpkcKvXxHwj+Rj_j8qF84aEbWJiBiXnk9t1qfh7NychraZcQ@mail.gmail.com> <CALTJjxEDXsmdzY4+OH2AFcYfMW5zY=V4PzQK3hqB1WrqjRJB+g@mail.gmail.com> <CADMpkcJO8xZ41DDnofPinm2SMkhONW7w+cODGwnVpJtB5o8OqQ@mail.gmail.com> <CALTJjxGTmSPRNWfbRrpkFQb3nBwY63fUros+4fLsXjum=q3urA@mail.gmail.com> <529F7E9D.80302@elzevir.fr> <CAL9PXLwVQ=GmZXGrh4+VEd-u1dhhvThKHfVf0qRShcR+LdExTQ@mail.gmail.com> <f30ced5319a9451080562a1d2d8004f8@BY2PR03MB074.namprd03.prod.outlook.com>
Date: Thu, 05 Dec 2013 01:33:59 +0100
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: "Yngve N. Pettersen" <yngve@spec-work.net>
Message-ID: <op.w7lfuxrh3dfyax@killashandra.invalid.invalid>
In-Reply-To: <f30ced5319a9451080562a1d2d8004f8@BY2PR03MB074.namprd03.prod.outlook.com>
User-Agent: Opera Mail/12.15 (Win32)
Subject: Re: [TLS] An SCSV to stop TLS fallback.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Dec 2013 00:34:10 -0000
On Thu, 05 Dec 2013 00:05:43 +0100, Marsh Ray <maray@microsoft.com> wrote: > What percentage of these client fallback operations that actual users > browsers are doing in the real world are being triggered for reasons > *other* than actual server implementation bugs? I imagine this could be > a difficult thing to measure. But I can also imagine the obvious client > heuristics (if it fails, try again) could easily be triggered by a busy > server or simple packet loss. Couldn't this represent a full 1% of > connections, especially now that so many users are on mobile devices? It is definitely a possibility. One part of Opera's (v12 and before) logic regarding fallbacks was to fall back if the connection took too long to establish after the handshake had started, since some problematic servers would never respond if they did not like the handshake. IIRC the trigger time was 6 or 10 seconds. > So if a fallback situation was a slow-loading lousy page experience > before, what's it going to be after legitimate servers implement this > logic? Will servers actively *refuse* legitimate client's retry > connections? If so, isn't this just taking an intermittent slow-failure > situation and converting it to an even slower but guaranteed interop > failure? If not, what good will downgrade protection logic be? > > TLS 1.2 was designed to mitigate some serious potential attacks. BEAST > demonstrated these attack vectors could be practical. > > We need to recognize ad-hoc client fallback heuristic for what it is: a > security vulnerability. > > Therefore, clients MUST NOT auto-downgrade. The main point of contention is how to accomplish this without "breaking the web" and how to do this in a fashion that improves security quickly. The SCSV proposal very likely will not "break the web", but my objection is that it will require updates to all the servers, and not just the clients, and thus take too long to deploy (case in point: 4 years after the Renego problem was discovered, 20% of servers are still not patched). Given that. 14 years after TLS 1.0 was released, about 1% of servers still only support SSL v3. I do not have high hopes of having SCSVs fully deployed in 15 years (unless client vendors decide to, or have to, "break the web"). My suggestion have been to update the clients to refuse to use fallback when connecting to servers that implement the Renego patch. This have the benefit of using a proxy for correct version negotiation, which is already deployed on a majority of servers. The drawback of my proposal is that the proxy indication is not perfect; there is a small fraction of patched servers that are version and/or extension intolerant, and there is a much larger fraction of servers that are version intolerant for whatever version bytes TLS 1.3+ will use. Some will call the first group as "breaking the web", while most will probably agree that the second can definitely be called "breaking the web". The question is, if client vendors agree to "bull through" and refuse to fall back, will the server vendors and web site operators fix their implementations, and if so, how quickly? The best option in such a scenario would probably be a coordinated same-day release (alternatively flipping a flag) of updated clients, particularly browsers, so that web sites cannot use the "switch browser" "advice" for fixing the "browser bug". (Flipping a flag might be the better option, since this will allow the updated browsers to gain a sufficiently large marketshare before changing the behavior) What to do comes down to the answers to a few questions: - How much website breakage will be tolerated for a fix? (keep in mind that the fix will almost certainly require the client or server to abort a connection that cannot be started without a fallback, if not, what's the use?) - How secure do the vendors, website administrators and users want the web to be? - How quickly is it desirable to obtain that level of security? The answers to each of these affect the answer to the others, so the trick will be to find a useful compromise that does not compromise security. -- Sincerely, Yngve N. Pettersen Using Opera's mail client: http://www.opera.com/mail/
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Andy Wilson
- Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Trevor Perrin
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Trevor Perrin
- Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
- Re: [TLS] An SCSV to stop TLS fallback. Brian Smith
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Jack Lloyd
- Re: [TLS] An SCSV to stop TLS fallback. Manger, James H
- Re: [TLS] An SCSV to stop TLS fallback. Wan-Teh Chang
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Wan-Teh Chang
- Re: [TLS] An SCSV to stop TLS fallback. Manuel Pégourié-Gonnard
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Marsh Ray
- Re: [TLS] An SCSV to stop TLS fallback. Douglas Stebila
- Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
- Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
- Re: [TLS] An SCSV to stop TLS fallback. James Cloos
- Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
- Re: [TLS] An SCSV to stop TLS fallback. Manuel Pégourié-Gonnard
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Marsh Ray
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Daniel Kahn Gillmor
- Re: [TLS] An SCSV to stop TLS fallback. Brian Smith
- Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Yaron Sheffer
- Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
- Re: [TLS] An SCSV to stop TLS fallback. Yaron Sheffer
- Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
- Re: [TLS] An SCSV to stop TLS fallback. Manuel Pégourié-Gonnard
- Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller