Re: [TLS] [FORGED] Re: no fallbacks please [was: Downgrade protection, fallbacks, and server time]

Dave Garrett <davemgarrett@gmail.com> Tue, 07 June 2016 21:41 UTC

From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org
Date: Tue, 07 Jun 2016 17:40:57 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/anunVTBrYq1canj-LC_dS9qgGLs>

On Tuesday, June 07, 2016 05:08:00 pm David Benjamin wrote:
> On Tue, Jun 7, 2016 at 5:06 PM Yoav Nir <ynir.ietf@gmail.com> wrote:
> > > On 7 Jun 2016, at 8:33 PM, Hubert Kario <hkario@redhat.com> wrote:
> > > On Tuesday 07 June 2016 17:36:01 Yoav Nir wrote:
> > >> I’m not sure this helps.
> > >>
> > >> I’ve never installed a server that is version intolerant. TLS stacks
> > >> from OpenSSL, Microsoft,
> > >
> > > are you sure about that Microsoft part?
> > >
> > > there is quite a long thread on the filezilla forums about TLS version
> > > tolerance in IIS:
> > > https://forum.filezilla-project.org/viewtopic.php?f=2&t=27898
> >
> > That’s surprising.
> >
> > The last time I tested with IIS servers it was Windows Server 2003 and
> > 2008. They did not support TLS 1.2, so I wanted to check if they could
> > tolerate a TLS 1.2 ClientHello. They did. Of course, they replied with TLS
> > 1.0, but that was expected.
> >
> > It’s strange that this behavior would degrade for much newer versions of
> > Windows that came out at a time where several browsers were already
> > offering TLS 1.2. I wonder if it’s just the FTP or also IIS.
> 
> This is the first I've heard of this and I believe neither Chrome nor
> Firefox accept TLS 1.2 intolerance and below anymore. To my knowledge, that
> has successfully been driven out of the ecosystem.

<insert sarcastic laughter here> ;)

Driven out of the higher traffic mainstream ecosystem, maybe, but there will be a long tail of junk servers that stay around for entirely too long (read: "forever"), in spite of current versions of clients not accepting it anymore. My tracking meta-bug in Mozilla's Bugzilla may have finally been closed last month, but that's just tickets filed by people who can actually get a report into the thing. Most people just see such brokenness as the browser's fault and switch to any (older) browser with compatible brokenness, and to any of us they're invisible.

The non-trivial population of servers that are TLS 1.0-1.2 version tolerant but not TLS 1.3+ version tolerant is a far more worrying problem, though.


Dave
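
Added example, not part of the message above or its quoted replies: a sketch of the version tolerance this thread discusses, contrasting a server that answers a higher ClientHello.client_version with its own highest version (as RFC 5246 Appendix E.1 requires) with one that aborts on a version it does not recognise. The ClientHello bytes are constructed, the function names are hypothetical, and 0x0304 is assumed as the client_version a TLS 1.3 client offers.

```python
import os
import struct

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304

def build_client_hello(client_version):
    """Constructed minimal ClientHello record (no extensions), for parsing only."""
    body = struct.pack("!H", client_version) + os.urandom(32)
    body += b"\x00"                      # empty session_id
    body += b"\x00\x02\x00\x2f"          # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                  # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", TLS10, len(handshake)) + handshake

def parse_client_version(record):
    """Return ClientHello.client_version, or raise ValueError on malformed input."""
    if len(record) < 11:
        raise ValueError("record too short for a ClientHello")
    content_type, _record_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16 or rec_len != len(record) - 5:
        raise ValueError("not a single complete handshake record")
    if record[5] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    if int.from_bytes(record[6:9], "big") != rec_len - 4:
        raise ValueError("handshake length does not match record length")
    return struct.unpack("!H", record[9:11])[0]

def negotiate_tolerant(client_version, supported):
    """Pick the highest supported version not above the client's offer."""
    usable = [v for v in supported if v <= client_version]
    return max(usable) if usable else None   # None: client is too old for us

def negotiate_intolerant(client_version, supported):
    """Models the broken behaviour: an unrecognised version aborts the handshake."""
    return client_version if client_version in supported else None

def survey(client_version, supported):
    """Run both server models against one constructed ClientHello."""
    offered = parse_client_version(build_client_hello(client_version))
    return negotiate_tolerant(offered, supported), negotiate_intolerant(offered, supported)

if __name__ == "__main__":
    for offer, server in [(TLS12, [TLS10]), (TLS13, [TLS10, TLS11, TLS12])]:
        ok, broken = survey(offer, server)
        print(f"offer {offer:#06x}: tolerant -> {ok:#06x}, intolerant -> {broken}")
```

The first case mirrors the Windows Server 2003/2008 test described in the quoted text (TLS 1.2 offered, TLS 1.0 answered); the second is the TLS 1.0-1.2 server facing a TLS 1.3 offer.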