IETF Logo Mail Archive

Re: [TLS] SCSVs and SSLv3 fallback

Trevor Perrin <trevp@trevp.net> Fri, 05 April 2013 19:46 UTC

Return-Path: <trevp@trevp.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FDC821F98BD for <tls@ietfa.amsl.com>; Fri, 5 Apr 2013 12:46:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.426
X-Spam-Level:
X-Spam-Status: No, score=-0.426 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t3+aMnCUp-Mx for <tls@ietfa.amsl.com>; Fri, 5 Apr 2013 12:46:32 -0700 (PDT)
Received: from mail-wi0-x22f.google.com (mail-wi0-x22f.google.com [IPv6:2a00:1450:400c:c05::22f]) by ietfa.amsl.com (Postfix) with ESMTP id 3CF1121F98BC for <tls@ietf.org>; Fri, 5 Apr 2013 12:46:28 -0700 (PDT)
Received: by mail-wi0-f175.google.com with SMTP id c10so936643wiw.8 for <tls@ietf.org>; Fri, 05 Apr 2013 12:46:28 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:in-reply-to:references :date:message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=1nsQNvQ9NFbTARigTQCY7Vb4kV8Zuhia9qDxbO6XFPk=; b=WSjv5Uc1wabDBUSx3RVCkGlW1QWw4emG8KQhFSFIEpjsYWH++pJNmDBndgBDqZysDV zxBYfeJwuvOrkaJtzdkoAueQz3kH2H3H0kLmN/7JQPBegAhraoXt8IY+Cm9D6rJBdF4B l7fOmxRl2XLXGDlc687MfSjnqKU9uIXEKC/vNKmlZgwULP4WGmg5d9KreF4OHIvjlfjP dqxaU7ZJi1P/ZlBAnj/7zWfVX+TAAfRXRdmYHt35/FfkTzx2PcFugO5lYZoLOWspo3sL 5+G5ZMs9HRbFVjH5/0EVjum/k3CGCO9jUoJX/Fu4QFr5jKhX+5kPeR6TGTkTJC8odrHG 6c9Q==
MIME-Version: 1.0
X-Received: by 10.194.104.168 with SMTP id gf8mr18394076wjb.58.1365191188322; Fri, 05 Apr 2013 12:46:28 -0700 (PDT)
Received: by 10.217.119.134 with HTTP; Fri, 5 Apr 2013 12:46:28 -0700 (PDT)
X-Originating-IP: [173.11.71.218]
In-Reply-To: <op.wu1f2u2n3dfyax@killashandra.invalid.invalid>
References: <CAGZ8ZG0i4-ZDPu=O1+Qy1DJ8oV80_eMz5J9NZrn2UC1-zYu4Sw@mail.gmail.com> <op.wu1f2u2n3dfyax@killashandra.invalid.invalid>
Date: Fri, 05 Apr 2013 12:46:28 -0700
Message-ID: <CAGZ8ZG1JzgnCNqfPueKr3wrvMzZKUi7mfvcAdRc-NnCDr33aLg@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: "Yngve N. Pettersen" <yngve@spec-work.net>
Content-Type: text/plain; charset="ISO-8859-1"
X-Gm-Message-State: ALoCoQmHQ+BQEWMC20ySgnQ9fyUJu1awppATo6ojZSD1QI8rB/oZzeg+8ubCBfkpPe9Z6BFGzRvf
Cc: tls@ietf.org
Subject: Re: [TLS] SCSVs and SSLv3 fallback
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2013 19:46:33 -0000

Hi Hanno, Geoffrey, Yngve,

Thanks for the info and thoughts, really helpful!

It would get complicated to respond to every point individually, let
me try to summarize:


(1) I've heard anecdotal evidence that something like 1/1000
connections between TLS-capable (clients *and* servers) end up in an
SSLv3 fallback.  Hanno and Geoffrey point out this is often due to
general network problems (e.g. packet loss) rather than middlebox
TLS-intolerance.  However I have heard, and Yngve seems to agree, that
middlebox TLS-intolerance also contributes.

Does anyone know more about this?  Like: what portion of the above
fallbacks are due to general network problems vs. TLS-intolerant
middleboxes?


(2) I suggested that TLS Extensions which do not require data in the
ClientHello, and which are required for security, could follow the
5746 idiom of an SCSV alternative to the ClientHello extension for use
in SSLv3 fallback.

Geoffrey and Yngve suggest a different approach, where browsers
disable SSLv3 fallback when talking to a hostname for which they
expect one of these TLS Extensions.  With a flakey network, browsers
would retry TLS until they get through or give up.  With
TLS-intolerant middleboxes, Yngve suggests "standing firm and forcing
the problematic servers/infrastructure to be updated".

I see some problems with this:
 (a) With current proposals for CT or OCSP stapling, the requirement
for an OCSP or CT response via TLS Extensions is signalled by the
server's certificate, so is not known until *after* an SSLv3 fallback.
 Presumably the browser could cancel the SSL handshake and restart a
TLS handshake at that point, but that wastes multiple round trips.
 (b) With TLS-layer pinning (like TACK), this proposal would prevent
"active pins" from causing problems, but pin creation would still be
impeded:  Connections to not-yet-pinned sites could still suffer from
SSLv3 fallbacks due to flakey networks or intolerant middleboxes, and
not receive the pin assertion.
 (c) This proposal is guaranteed to fail with TLS-intolerant
middleboxes, whereas the SCSV proposal has a good chance of working.
 (d) As far as "standing firm" and trying to drive these middleboxes
off the Internet.  I'm all for someone else trying that (CT? :-).  But
for TACK:  If there's any significant number of these middleboxes, and
we cause anything close to a 1/1000 failure rate, we simply won't be
deployed.


I'd be interested in hearing more about why people oppose the SCSV
approach.  We're nowhere close to exhaustion of the ciphersuite (or
extension) registries.  Is there some real problem with SCSVs, or does
it just offend people's sense of the "proper way" to do things?


Trevor

v2.23.0 | Report a Bug | By Email