Re: [TLS] Cipher suite values to indicate TLS capability

Nikos Mavrogiannopoulos <nmav@gnutls.org> Fri, 08 June 2012 07:35 UTC

Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EFCDD21F86D4 for <tls@ietfa.amsl.com>; Fri, 8 Jun 2012 00:35:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YXcnyvb9FNk8 for <tls@ietfa.amsl.com>; Fri, 8 Jun 2012 00:35:10 -0700 (PDT)
Received: from mail-ey0-f172.google.com (mail-ey0-f172.google.com [209.85.215.172]) by ietfa.amsl.com (Postfix) with ESMTP id 1AEFB21F8564 for <tls@ietf.org>; Fri, 8 Jun 2012 00:35:09 -0700 (PDT)
Received: by eaaq13 with SMTP id q13so1011362eaa.31 for <tls@ietf.org>; Fri, 08 Jun 2012 00:35:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:openpgp:content-type :content-transfer-encoding; bh=uVHT2k+o2wkqnYJBjQEFq8g5IAbbzLjRiCYPGJLob3E=; b=kACnpskdClxgqB/rld6qLEE9f+k7ZyU85EMmgPRPiGzSpkaJV/snZ+/M3jGXE4coyV tfaZ/tlRfwi8yFOa4UQPZ3lMW28wvXQkPCUQ9NTyLsd6FySDiMuz3yE+uK954Fs0Yxjl 6GoGPdDiJnhzWszRzrGHTymw22ChXKElV3z+5N3uUuW0/0HyefrHeEo4MhvZtWZZjuV4 FpVPUVTvhxKw08pYA5euM1av/rp+molTWKY2s7L+uSyzarYSUKUQGcprw4LWN2/RB8x6 g6p8sfiwwCkH1GsKLQnf615lpxLosQwJ1Y+uyV0WTrEZKdTP5Ok+HTBaQyrT/BdhI5hw hJlg==
Received: by 10.14.96.73 with SMTP id q49mr3209286eef.76.1339140909148; Fri, 08 Jun 2012 00:35:09 -0700 (PDT)
Received: from [10.100.2.14] (d51A49E78.access.telenet.be. [81.164.158.120]) by mx.google.com with ESMTPS id f16sm19093043eec.2.2012.06.08.00.35.07 (version=SSLv3 cipher=OTHER); Fri, 08 Jun 2012 00:35:08 -0700 (PDT)
Sender: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Message-ID: <4FD1AB25.7070101@gnutls.org>
Date: Fri, 08 Jun 2012 09:35:01 +0200
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.4) Gecko/20120510 Icedove/10.0.4
MIME-Version: 1.0
To: Tom Ritter <tom@ritter.vg>
References: <CAL9PXLwdQctUub5oPx0tepsfveDo0bNKGBUaUBBFeq4u4D0BbA@mail.gmail.com> <CADKevbAnT7AVn_cN+7WcBLfK8G4vkKns3GqQP1QQQ__96SD_6A@mail.gmail.com> <002AA72F-D47E-4C7C-930C-D78A0E48D059@checkpoint.com> <CADKevbBxUGwRtLs=u-pmOHtQ9HP4ERvxpvKJE4BOecLrm8it2g@mail.gmail.com> <CA+cU71nuGwgTc-dHkM_RrVUFZnOOoGkLeq-A2cQoYaobJFQ1zw@mail.gmail.com>
In-Reply-To: <CA+cU71nuGwgTc-dHkM_RrVUFZnOOoGkLeq-A2cQoYaobJFQ1zw@mail.gmail.com>
X-Enigmail-Version: 1.4.1
OpenPGP: id=96865171
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Cipher suite values to indicate TLS capability
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jun 2012 07:35:11 -0000

On 06/08/2012 01:23 AM, Tom Ritter wrote:

> On 7 June 2012 18:34, Chris Richardson <chris@randomnonce.org> wrote:
>> Behind the SCSV is the suggestion is that SSLv3 should be considered
>> harmful.  If SSLv3 is harmful, then why only reject it for
>> TLSv1-capable clients?  Why not reject it for everyone?
>>
>> (One benefit of the SCSV that I can see is that a downgrade-to-SSLv3
>> attack can be detected, which would be an indication that SSLv3 should
>> be considered harmful, even if we don't know why.)
> 
> This proposal, and a few others being worked on in various places, aim
> to address the problem we have with hard fail and backwards
> capability. In some scenarios TLSv1, DNSSEC, DANE, etc all fail not
> because someone is performing an attack, but because some piece of
> software can't handle some portion of the secure protocol.  And
> because Operating Systems and Browsers have an incentive to make
> things work for their users, they retry will less, or no, security.
> Attackers can exploit this mechanism to get the advantages of the
> lesser form (less or no security).
> If we don't move the line in the sand forward, if we don't make a
> decision that says "We will support this buggy or incomplete software
> no more", there's no point in defining new security protocols.  What's
> the point in DNSSEC if it only is used when someone's not attacking
> you?  What's the point in TLSv1, 1.1, or 1.2 if the security gains
> (correct IV, DHE, AEAD, SHA256) will never be realized when there's an
> attacker there?


I don't quite get the point. If the goal of the attacker is to perform
denial of service on the secure protocol so that the user uses the
insecure protocol (plaintext), how does this approach help? It doesn't.

If you want to only prevent against the attacker that wants to rollback
the session to SSL 3.0, then all you need to do is to perform the proper
TLS protocol negotiation, which protects against that. If it doesn't
work warn the user.

In reality however, there is the fact that several buggy servers do not
implement the TLS protocol but rather a wrong variant of it, that fails
performing the fallback.

To account for that issue several browsers perform non-standard TLS
version fallback in a way that is not protected by the handshake.
Hacking the protocol to understand and detect this non-standard fallback
will create another protocol in par with the TLS protocol, which we have
no guarantees that will be better implemented than the original protocol.

What happens if we have a buggy server that incorrectly implements the
fallback detection mechanism? We define another one?

If the problem is incorrect implementations, then just fix the incorrect
implementations. If you cannot, then do not interoperate with them. If
all major browsers do that, the owners would fix it.

My point is that TLS is already complex. Making it more complex will not
make it easier to implement it, but harder, and it will introduce more
points of failure and interoperability rather than less.

regards,
Nikos