Re: [TLS] Deployment ... Re: This working group has failed

Hannes Tschofenig <hannes.tschofenig@gmx.net> Sun, 17 November 2013 11:53 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7427F11E8BB2 for <tls@ietfa.amsl.com>; Sun, 17 Nov 2013 03:53:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yn+YF6Pbetu5 for <tls@ietfa.amsl.com>; Sun, 17 Nov 2013 03:53:14 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) by ietfa.amsl.com (Postfix) with ESMTP id 635F811E8BB0 for <tls@ietf.org>; Sun, 17 Nov 2013 03:53:14 -0800 (PST)
Received: from masham-mac.home ([81.164.176.169]) by mail.gmx.com (mrgmx102) with ESMTPSA (Nemesis) id 0M03qC-1VPEZh1Ghg-00uFnc for <tls@ietf.org>; Sun, 17 Nov 2013 12:53:13 +0100
Message-ID: <5288AE28.4050109@gmx.net>
Date: Sun, 17 Nov 2013 12:53:12 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/20130216 Thunderbird/17.0.3
MIME-Version: 1.0
To: Yoav Nir <ynir@checkpoint.com>
References: <CACsn0c=i2NX2CZ=Md2X+WM=RM8jAysaenz6oCxmoPt+LC5wvjA@mail.gmail.com> <52874576.9000708@gmx.net> <5287B4F6.1060102@defuse.ca> <52889ACF.3050302@gmx.net> <11586138-5410-404B-905F-CEA1DEBF6DE1@checkpoint.com>
In-Reply-To: <11586138-5410-404B-905F-CEA1DEBF6DE1@checkpoint.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:Hkm3n5zsOEhhF1Qz58b9r6/0R5DVtmRwtOt7+rku/rZaq5kH/xI 0R6MMujPj6eTalbMPQItNBLGvpPpEJWO4W8pAmfj5+w/8YDz6p931LDexsB0MwzEvYzlqbR xWdLuLiwQV162duss9gim5xmdQafBrvocUsT3YP4NKwPyzqVMM6X/MqWodfrMFUT3sYhJLY GwhMrdMDittrnZXL7A+Pg==
Cc: "tls@ietf.org list" <tls@ietf.org>
Subject: Re: [TLS] Deployment ... Re: This working group has failed
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Nov 2013 11:53:20 -0000

Hi Yoav,

thanks for the response.

I interested in those views only to collect some data points for 
improving the rate of adoption in the future. You might think I am 
strange but I think we should learn from those mistakes and avoid them 
in the future.

 From what you write below I am wondering what TLS libraries these 
problematic servers have been using? Do we know more about that?

Ciao
Hannes

Am 17.11.13 12:12, schrieb Yoav Nir:
>
> On Nov 17, 2013, at 12:30 PM, Hannes Tschofenig
> <Hannes.Tschofenig@gmx.net> wrote:
>
>> Hi Taylor,
>>
>> Would be interesting to hear from someone working for Mozilla (like
>> Ekr, our TLS WG chair) why things are progressing so slowly and
>> what exactly their problem is.
>>
>
> Hi Hannes
>
> We have heard before from people at Google and at Microsoft. Google
> only added TLS 1.2 very recently, and Microsoft added it very early,
> but disabled it by default for a long time.
>
> There were issues with failures of connections attempts using TLS
> 1.2.  There have been issues with 1.1, but 1.2 produced much more of
> them.
>
> 1. TLS 1.2 is the first version to require support of extensions.
> Some servers broke when extensions existed. 2. Some servers broke on
> unrecognized extensions. 3. Some server break on missing extensions -
> certain servers will not accept a TLS 1.2 ClientHello without the
> SignatureAlgorithm extension
>
> Combining 1 & 3, you can't win. Some servers just won't work.
>
> I don't know what changed. Perhaps the percentage of servers that are
> broken like that has diminished. But not it looks like the browser
> vendors have deemed it as sufficiently low to allow them to make this
> on by default.
>
> Yoav
>