Re: [TLS] Cipher suite values to indicate TLS capability
Nikos Mavrogiannopoulos <nmav@gnutls.org> Fri, 08 June 2012 07:35 UTC
Return-Path: <n.mavrogiannopoulos@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EFCDD21F86D4 for <tls@ietfa.amsl.com>; Fri, 8 Jun 2012 00:35:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YXcnyvb9FNk8 for <tls@ietfa.amsl.com>; Fri, 8 Jun 2012 00:35:10 -0700 (PDT)
Received: from mail-ey0-f172.google.com (mail-ey0-f172.google.com [209.85.215.172]) by ietfa.amsl.com (Postfix) with ESMTP id 1AEFB21F8564 for <tls@ietf.org>; Fri, 8 Jun 2012 00:35:09 -0700 (PDT)
Received: by eaaq13 with SMTP id q13so1011362eaa.31 for <tls@ietf.org>; Fri, 08 Jun 2012 00:35:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=sender:message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:x-enigmail-version:openpgp:content-type :content-transfer-encoding; bh=uVHT2k+o2wkqnYJBjQEFq8g5IAbbzLjRiCYPGJLob3E=; b=kACnpskdClxgqB/rld6qLEE9f+k7ZyU85EMmgPRPiGzSpkaJV/snZ+/M3jGXE4coyV tfaZ/tlRfwi8yFOa4UQPZ3lMW28wvXQkPCUQ9NTyLsd6FySDiMuz3yE+uK954Fs0Yxjl 6GoGPdDiJnhzWszRzrGHTymw22ChXKElV3z+5N3uUuW0/0HyefrHeEo4MhvZtWZZjuV4 FpVPUVTvhxKw08pYA5euM1av/rp+molTWKY2s7L+uSyzarYSUKUQGcprw4LWN2/RB8x6 g6p8sfiwwCkH1GsKLQnf615lpxLosQwJ1Y+uyV0WTrEZKdTP5Ok+HTBaQyrT/BdhI5hw hJlg==
Received: by 10.14.96.73 with SMTP id q49mr3209286eef.76.1339140909148; Fri, 08 Jun 2012 00:35:09 -0700 (PDT)
Received: from [10.100.2.14] (d51A49E78.access.telenet.be. [81.164.158.120]) by mx.google.com with ESMTPS id f16sm19093043eec.2.2012.06.08.00.35.07 (version=SSLv3 cipher=OTHER); Fri, 08 Jun 2012 00:35:08 -0700 (PDT)
Sender: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Message-ID: <4FD1AB25.7070101@gnutls.org>
Date: Fri, 08 Jun 2012 09:35:01 +0200
From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.4) Gecko/20120510 Icedove/10.0.4
MIME-Version: 1.0
To: Tom Ritter <tom@ritter.vg>
References: <CAL9PXLwdQctUub5oPx0tepsfveDo0bNKGBUaUBBFeq4u4D0BbA@mail.gmail.com> <CADKevbAnT7AVn_cN+7WcBLfK8G4vkKns3GqQP1QQQ__96SD_6A@mail.gmail.com> <002AA72F-D47E-4C7C-930C-D78A0E48D059@checkpoint.com> <CADKevbBxUGwRtLs=u-pmOHtQ9HP4ERvxpvKJE4BOecLrm8it2g@mail.gmail.com> <CA+cU71nuGwgTc-dHkM_RrVUFZnOOoGkLeq-A2cQoYaobJFQ1zw@mail.gmail.com>
In-Reply-To: <CA+cU71nuGwgTc-dHkM_RrVUFZnOOoGkLeq-A2cQoYaobJFQ1zw@mail.gmail.com>
X-Enigmail-Version: 1.4.1
OpenPGP: id=96865171
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Cipher suite values to indicate TLS capability
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jun 2012 07:35:11 -0000
On 06/08/2012 01:23 AM, Tom Ritter wrote: > On 7 June 2012 18:34, Chris Richardson <chris@randomnonce.org> wrote: >> Behind the SCSV is the suggestion is that SSLv3 should be considered >> harmful. If SSLv3 is harmful, then why only reject it for >> TLSv1-capable clients? Why not reject it for everyone? >> >> (One benefit of the SCSV that I can see is that a downgrade-to-SSLv3 >> attack can be detected, which would be an indication that SSLv3 should >> be considered harmful, even if we don't know why.) > > This proposal, and a few others being worked on in various places, aim > to address the problem we have with hard fail and backwards > capability. In some scenarios TLSv1, DNSSEC, DANE, etc all fail not > because someone is performing an attack, but because some piece of > software can't handle some portion of the secure protocol. And > because Operating Systems and Browsers have an incentive to make > things work for their users, they retry will less, or no, security. > Attackers can exploit this mechanism to get the advantages of the > lesser form (less or no security). > If we don't move the line in the sand forward, if we don't make a > decision that says "We will support this buggy or incomplete software > no more", there's no point in defining new security protocols. What's > the point in DNSSEC if it only is used when someone's not attacking > you? What's the point in TLSv1, 1.1, or 1.2 if the security gains > (correct IV, DHE, AEAD, SHA256) will never be realized when there's an > attacker there? I don't quite get the point. If the goal of the attacker is to perform denial of service on the secure protocol so that the user uses the insecure protocol (plaintext), how does this approach help? It doesn't. If you want to only prevent against the attacker that wants to rollback the session to SSL 3.0, then all you need to do is to perform the proper TLS protocol negotiation, which protects against that. If it doesn't work warn the user. In reality however, there is the fact that several buggy servers do not implement the TLS protocol but rather a wrong variant of it, that fails performing the fallback. To account for that issue several browsers perform non-standard TLS version fallback in a way that is not protected by the handshake. Hacking the protocol to understand and detect this non-standard fallback will create another protocol in par with the TLS protocol, which we have no guarantees that will be better implemented than the original protocol. What happens if we have a buggy server that incorrectly implements the fallback detection mechanism? We define another one? If the problem is incorrect implementations, then just fix the incorrect implementations. If you cannot, then do not interoperate with them. If all major browsers do that, the owners would fix it. My point is that TLS is already complex. Making it more complex will not make it easier to implement it, but harder, and it will introduce more points of failure and interoperability rather than less. regards, Nikos
- Re: [TLS] Cipher suite values to indicate TLS cap… Geoffrey Keating
- [TLS] Cipher suite values to indicate TLS capabil… Adam Langley
- Re: [TLS] Cipher suite values to indicate TLS cap… Adam Langley
- Re: [TLS] Cipher suite values to indicate TLS cap… Geoffrey Keating
- Re: [TLS] Cipher suite values to indicate TLS cap… Adam Langley
- Re: [TLS] Cipher suite values to indicate TLS cap… Adam Langley
- Re: [TLS] Cipher suite values to indicate TLS cap… Geoffrey Keating
- Re: [TLS] Cipher suite values to indicate TLS cap… Adam Langley
- Re: [TLS] Cipher suite values to indicate TLS cap… Chris Richardson
- Re: [TLS] Cipher suite values to indicate TLS cap… Wan-Teh Chang
- Re: [TLS] Cipher suite values to indicate TLS cap… Yoav Nir
- Re: [TLS] Cipher suite values to indicate TLS cap… Yoav Nir
- Re: [TLS] Cipher suite values to indicate TLS cap… Nikos Mavrogiannopoulos
- Re: [TLS] Cipher suite values to indicate TLS cap… Geoffrey Keating
- Re: [TLS] Cipher suite values to indicate TLS cap… Chris Richardson
- Re: [TLS] Cipher suite values to indicate TLS cap… Tom Ritter
- Re: [TLS] Cipher suite values to indicate TLS cap… Nikos Mavrogiannopoulos
- Re: [TLS] Cipher suite values to indicate TLS cap… Adam Langley
- Re: [TLS] Cipher suite values to indicate TLS cap… Nikos Mavrogiannopoulos
- Re: [TLS] Cipher suite values to indicate TLS cap… Adam Langley
- Re: [TLS] Cipher suite values to indicate TLS cap… Martin Rex