Re: [TLS] SCSVs and SSLv3 fallback
Trevor Perrin <trevp@trevp.net> Fri, 05 April 2013 19:46 UTC
Return-Path: <trevp@trevp.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FDC821F98BD for <tls@ietfa.amsl.com>; Fri, 5 Apr 2013 12:46:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.426
X-Spam-Level:
X-Spam-Status: No, score=-0.426 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t3+aMnCUp-Mx for <tls@ietfa.amsl.com>; Fri, 5 Apr 2013 12:46:32 -0700 (PDT)
Received: from mail-wi0-x22f.google.com (mail-wi0-x22f.google.com [IPv6:2a00:1450:400c:c05::22f]) by ietfa.amsl.com (Postfix) with ESMTP id 3CF1121F98BC for <tls@ietf.org>; Fri, 5 Apr 2013 12:46:28 -0700 (PDT)
Received: by mail-wi0-f175.google.com with SMTP id c10so936643wiw.8 for <tls@ietf.org>; Fri, 05 Apr 2013 12:46:28 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=1nsQNvQ9NFbTARigTQCY7Vb4kV8Zuhia9qDxbO6XFPk=; b=WSjv5Uc1wabDBUSx3RVCkGlW1QWw4emG8KQhFSFIEpjsYWH++pJNmDBndgBDqZysDV zxBYfeJwuvOrkaJtzdkoAueQz3kH2H3H0kLmN/7JQPBegAhraoXt8IY+Cm9D6rJBdF4B l7fOmxRl2XLXGDlc687MfSjnqKU9uIXEKC/vNKmlZgwULP4WGmg5d9KreF4OHIvjlfjP dqxaU7ZJi1P/ZlBAnj/7zWfVX+TAAfRXRdmYHt35/FfkTzx2PcFugO5lYZoLOWspo3sL 5+G5ZMs9HRbFVjH5/0EVjum/k3CGCO9jUoJX/Fu4QFr5jKhX+5kPeR6TGTkTJC8odrHG 6c9Q==
MIME-Version: 1.0
X-Received: by 10.194.104.168 with SMTP id gf8mr18394076wjb.58.1365191188322; Fri, 05 Apr 2013 12:46:28 -0700 (PDT)
Received: by 10.217.119.134 with HTTP; Fri, 5 Apr 2013 12:46:28 -0700 (PDT)
X-Originating-IP: [173.11.71.218]
In-Reply-To: <op.wu1f2u2n3dfyax@killashandra.invalid.invalid>
References: <CAGZ8ZG0i4-ZDPu=O1+Qy1DJ8oV80_eMz5J9NZrn2UC1-zYu4Sw@mail.gmail.com> <op.wu1f2u2n3dfyax@killashandra.invalid.invalid>
Date: Fri, 05 Apr 2013 12:46:28 -0700
Message-ID: <CAGZ8ZG1JzgnCNqfPueKr3wrvMzZKUi7mfvcAdRc-NnCDr33aLg@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: "Yngve N. Pettersen" <yngve@spec-work.net>
Content-Type: text/plain; charset="ISO-8859-1"
X-Gm-Message-State: ALoCoQmHQ+BQEWMC20ySgnQ9fyUJu1awppATo6ojZSD1QI8rB/oZzeg+8ubCBfkpPe9Z6BFGzRvf
Cc: tls@ietf.org
Subject: Re: [TLS] SCSVs and SSLv3 fallback
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2013 19:46:33 -0000
Hi Hanno, Geoffrey, Yngve, Thanks for the info and thoughts, really helpful! It would get complicated to respond to every point individually, let me try to summarize: (1) I've heard anecdotal evidence that something like 1/1000 connections between TLS-capable (clients *and* servers) end up in an SSLv3 fallback. Hanno and Geoffrey point out this is often due to general network problems (e.g. packet loss) rather than middlebox TLS-intolerance. However I have heard, and Yngve seems to agree, that middlebox TLS-intolerance also contributes. Does anyone know more about this? Like: what portion of the above fallbacks are due to general network problems vs. TLS-intolerant middleboxes? (2) I suggested that TLS Extensions which do not require data in the ClientHello, and which are required for security, could follow the 5746 idiom of an SCSV alternative to the ClientHello extension for use in SSLv3 fallback. Geoffrey and Yngve suggest a different approach, where browsers disable SSLv3 fallback when talking to a hostname for which they expect one of these TLS Extensions. With a flakey network, browsers would retry TLS until they get through or give up. With TLS-intolerant middleboxes, Yngve suggests "standing firm and forcing the problematic servers/infrastructure to be updated". I see some problems with this: (a) With current proposals for CT or OCSP stapling, the requirement for an OCSP or CT response via TLS Extensions is signalled by the server's certificate, so is not known until *after* an SSLv3 fallback. Presumably the browser could cancel the SSL handshake and restart a TLS handshake at that point, but that wastes multiple round trips. (b) With TLS-layer pinning (like TACK), this proposal would prevent "active pins" from causing problems, but pin creation would still be impeded: Connections to not-yet-pinned sites could still suffer from SSLv3 fallbacks due to flakey networks or intolerant middleboxes, and not receive the pin assertion. (c) This proposal is guaranteed to fail with TLS-intolerant middleboxes, whereas the SCSV proposal has a good chance of working. (d) As far as "standing firm" and trying to drive these middleboxes off the Internet. I'm all for someone else trying that (CT? :-). But for TACK: If there's any significant number of these middleboxes, and we cause anything close to a 1/1000 failure rate, we simply won't be deployed. I'd be interested in hearing more about why people oppose the SCSV approach. We're nowhere close to exhaustion of the ciphersuite (or extension) registries. Is there some real problem with SCSVs, or does it just offend people's sense of the "proper way" to do things? Trevor
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Hanno Böck
- Re: [TLS] SCSVs and SSLv3 fallback Geoffrey Keating
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Joseph Birr-Pixton
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Nikos Mavrogiannopoulos
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Paul Hoffman
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Nikos Mavrogiannopoulos
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Adam Langley
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Trevor Perrin
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Yngve N. Pettersen
- Re: [TLS] SCSVs and SSLv3 fallback Martin Rex
- Re: [TLS] SCSVs and SSLv3 fallback Yoav Nir