IETF Logo Mail Archive

Re: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv

Watson Ladd <watsonbladd@gmail.com> Tue, 28 January 2014 06:14 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A93801A019D for <tls@ietfa.amsl.com>; Mon, 27 Jan 2014 22:14:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XUtHoxDFlgTT for <tls@ietfa.amsl.com>; Mon, 27 Jan 2014 22:14:36 -0800 (PST)
Received: from mail-wg0-x230.google.com (mail-wg0-x230.google.com [IPv6:2a00:1450:400c:c00::230]) by ietfa.amsl.com (Postfix) with ESMTP id BA79D1A0197 for <tls@ietf.org>; Mon, 27 Jan 2014 22:14:35 -0800 (PST)
Received: by mail-wg0-f48.google.com with SMTP id x13so6853957wgg.15 for <tls@ietf.org>; Mon, 27 Jan 2014 22:14:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=ZXQTilRlOezhEy9RnkSR5WXxOBg/yiIhNMoPW+LKGOY=; b=hAqDlgQJ69utrWJjyI54c6h1f9c8bAzXBZ86+j/jkGTCd6mczh57LEfGa0nSeloOMo 2Hba+W62uvtMx/YJ5cRUJLUhoIjA69FjnKkMfdtysPguqfsYt4XLZBiZ0bEar3vrDzCT fzafUAZYImxzFONjJAEhAQffSk0xO1J3dZwbQUzrbLPeRJcr1Fie1di+PVJSgjg5y1A0 qHg5nTDCQw4/Cihz/asU9s/e5FxtiQDHfvarW9ey0EcLryg/yPZIp7y/UFYO5ZWFwIpO UyN7BeTbM6csLBT7qtnfJ0KWZ8Y1VneQcwanj9xAoQpvmRwhGbN4wViy4EeYcOUWYQnh nyfw==
MIME-Version: 1.0
X-Received: by 10.180.79.7 with SMTP id f7mr827092wix.20.1390889672816; Mon, 27 Jan 2014 22:14:32 -0800 (PST)
Received: by 10.194.250.101 with HTTP; Mon, 27 Jan 2014 22:14:32 -0800 (PST)
In-Reply-To: <20140128024632.F2A8A1ABC9@ld9781.wdf.sap.corp>
References: <CACsn0ckJvRkdsHY9uFzPDh9ceLgc+56KDxRZhMVN_Js7BF=RkQ@mail.gmail.com> <20140128024632.F2A8A1ABC9@ld9781.wdf.sap.corp>
Date: Mon, 27 Jan 2014 22:14:32 -0800
Message-ID: <CACsn0ck9L0gEDgp3-T2b3-xqLnN0k5wDEMhnnZBwaRuLrBp=2g@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: mrex@sap.com, "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Subject: Re: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jan 2014 06:14:37 -0000

On Mon, Jan 27, 2014 at 6:46 PM, Martin Rex <mrex@sap.com> wrote:
> Watson Ladd wrote:
>> "Martin Rex" <mrex@sap.com> wrote:
>> >
>> > Which server implementers are eager to send such a fatal alert as
>> > is contained in this proposal anyway?  I will certainly ensure that
>> > our server implementation will NEVER grow such silly behaviour.
>>
>> Let me get this straight: all SAP applications will be vulnerable to
>> downgrades even when clients are fixed because that behavior is "silly".
>
> Nope.  We do not implement reconnect fallbacks, so none of our stuff
> is downgradable.
>
> There might be defective browsers who will needlessly downgrade
> to insecure behaviour or suggest end users to not use HTTPS at all,
> but that is a defect of those browsers, not of our server.

So let me get this straight:
Because none of your clients ever need to implement reconnects and
none of your servers are ever
connected to by clients that do, this proposal is a problem for you
because...? You can always not
implement it.

I'm much more inclined to take seriously the complaints from folks who
actually have to live with the
proposal. So far the Firefox and Chrome folks have supported this
proposal. The servers probably will
support it: I think I can do PolarSSL without too much trouble, and
someone far more skilled then me in
arcana can do OpenSSL.

>
>
>>
>> I'm sure your clients will be happy to hear how seriously SAP takes
>> security.
>
> We do take security very seriously.  But we also take robustness,
> support and performance very seriously, but the reconnect fallback
> approach is neither robust, nor supportable and a royal PITA for
> performance.

Yes it is. But the browser folks disagree: being able to connect to a
small minority
of broken servers is worth the pain for them.

>
> How many TLS clients beyond a negligible small amount of browsers
> is doing the reconnect fallbacks anyway? How many POP/IMAP/SMTP/LDAP
> clients and programmatic HTTPS clients is doing reconnect fallbacks?

If they aren't doing fallbacks, then this doesn't affect them. This is
a much easier change
(bail out if you think you can support TLS 1.2) then your proposal.

>
>
> I refuse to blame the apps folks that they will have to jump hoops
> to workaround the botched TLS feature negotiation, rather than fixing
> the TLS feature negotiation within the TLS protocol itself.

Dead hands. Our ability to redo the negotiation at this point is about nil.
I've got no idea why it was done this way
Hopefully with TLS 1.3 we won't screw it up even further: perhaps TLS
1.2.1 is a better
name. The apps folks can always refuse to support servers that can't
negotiate properly.
Or we can make TLS APIs and libraries that handle the uglyness of
reconnection for the apps.

>
> -Martin



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email