IETF Logo Mail Archive

Re: [TLS] Should we require implementations to send alerts?

Dave Garrett <davemgarrett@gmail.com> Thu, 17 September 2015 22:15 UTC

Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7400C1A1B85 for <tls@ietfa.amsl.com>; Thu, 17 Sep 2015 15:15:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1OyhRR2_y0rd for <tls@ietfa.amsl.com>; Thu, 17 Sep 2015 15:15:30 -0700 (PDT)
Received: from mail-qg0-x233.google.com (mail-qg0-x233.google.com [IPv6:2607:f8b0:400d:c04::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D4E11A1B84 for <tls@ietf.org>; Thu, 17 Sep 2015 15:15:30 -0700 (PDT)
Received: by qgev79 with SMTP id v79so25211366qge.0 for <tls@ietf.org>; Thu, 17 Sep 2015 15:15:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=VAIpax8rx+ErSy26RWQmrC5Zul5qGurusU1qS18Zu04=; b=hoyTmnIfz/eU5DER38LM1ExEMZ8syrpV7eauiWl2ImXRymhDAt+17sxNYbV8E1Pk8x HTZpWUi+clhj1tR6MxuZoUQ8mDi66QyR6t63PH9IKJ5P/1Na6HOSKNkcdJkDSlXN48Y8 BP2mo3fZHtzaDNWNfwqQIMfhSZlpi6BBiu+xHh7p7/NpNE4W4s/1QnA8CsnHqRnV6gLE L4vAv7zK4S2EYL1beuSeBojTqyVCIl9HnqJXvGXje++bPGTL37eqmsOniOkWGj1bpXdF hgcLjw65x5wPyBXjIx4hFFJ4i2xqlNo6u4BZqwHPNFPs0gSuLggKMrrziYfzGKJuguCM nqvg==
X-Received: by 10.140.104.51 with SMTP id z48mr2770161qge.21.1442528129285; Thu, 17 Sep 2015 15:15:29 -0700 (PDT)
Received: from dave-laptop.localnet (pool-72-94-152-197.phlapa.fios.verizon.net. [72.94.152.197]) by smtp.gmail.com with ESMTPSA id g197sm2186304qhc.35.2015.09.17.15.15.28 (version=TLSv1 cipher=RC4-SHA bits=128/128); Thu, 17 Sep 2015 15:15:28 -0700 (PDT)
From: Dave Garrett <davemgarrett@gmail.com>
To: Brian Smith <brian@briansmith.org>
Date: Thu, 17 Sep 2015 18:15:27 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <CABcZeBPnO4zn_HkvwLpLC+EVYN8EKOBEsR80oRt3HZgsiNGDoQ@mail.gmail.com> <20150917215515.GY13294@localhost> <CAFewVt5g_+beKQCg4Y+a7b6QcuJSRXcRm+wY+upDYAusJoRa8Q@mail.gmail.com>
In-Reply-To: <CAFewVt5g_+beKQCg4Y+a7b6QcuJSRXcRm+wY+upDYAusJoRa8Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <201509171815.27842.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/b8ZpCzxTwEHNqkpi7ZEv0FnpPt8>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Should we require implementations to send alerts?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Sep 2015 22:15:31 -0000

On Thursday, September 17, 2015 06:00:05 pm Brian Smith wrote:
> There's no evidence that the presence or absence of an alert when a
> connection is closed makes any positive difference in the security of any
> non-secure fallback mechanism. Keep in mind that the alerts during the
> handshake are NOT authenticated, and the TLS threat models thus assumes
> that the attacker can remove or alter them.

The whole handshake is retroactively authenticated upon completion. Just because an attacker can muck up the attempt to connect, doesn't mean all hope is lost.

The primary benefit with the version alert, specifically, is that it allows a client to at least have a clue as to what to attempt.

Without alert:
client tries
server stares blankly into the void and/or drops abruptly
now, what does the client do? try again as-is, or try again with old stuff?

With alert:
client tries
if server responds with an alert, react to it
if not, try again until there's a response; give up eventually

Sure, a MitM could try to downgrade by injecting an unauthenticated alert into the mix, but the handshake will fail once that is authenticated at the end.

Just as the obvious footnote: it's impossible to make any of this resistant to an attacker killing the connection. Just assume that's always possible, at minimum with wirecutters. The goal is security or bust. Alerts give clients the confidence to actually bust when they have to.


Dave

v2.23.0 | Report a Bug | By Email