Re: [TLS] simplistic renego protection
"Robert Dugal" <rdugal@certicom.com> Wed, 18 November 2009 12:48 UTC
Return-Path: <rdugal@certicom.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 90D023A6A3F for <tls@core3.amsl.com>; Wed, 18 Nov 2009 04:48:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.203
X-Spam-Level:
X-Spam-Status: No, score=-5.203 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xpndSnXxx3eI for <tls@core3.amsl.com>; Wed, 18 Nov 2009 04:48:41 -0800 (PST)
Received: from mhs04ykf.rim.net (mhs04ykf.rim.net [216.9.243.82]) by core3.amsl.com (Postfix) with ESMTP id 3D08E3A6A48 for <tls@ietf.org>; Wed, 18 Nov 2009 04:48:39 -0800 (PST)
X-AuditID: 0a666446-b7b5eae0000003bc-d3-4b03ed242355
Received: from XCH38YKF.rim.net ( [10.64.31.208]) by mhs04ykf.rim.net (RIM Mail) with SMTP id 23.9C.00956.42DE30B4; Wed, 18 Nov 2009 07:48:36 -0500 (EST)
Received: from XCH57YKF.rim.net ([10.64.31.54]) by XCH38YKF.rim.net with Microsoft SMTPSVC(6.0.3790.3959); Wed, 18 Nov 2009 07:48:36 -0500
x-mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
content-transfer-encoding: quoted-printable
Date: Wed, 18 Nov 2009 07:39:20 -0500
Message-ID: <7E1DF37F1F42AB4E877E492C308E6AC40251FFD4@XCH57YKF.rim.net>
In-Reply-To: <20091117175000.653E669FBC6@kilo.networkresonance.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TLS] simplistic renego protection
Thread-Index: AcpnrjHa7BtLzM/dQ0S4W6fTw5BNeQAnTqLg
References: <200911161725.nAGHPWaA014181@fs4113.wdf.sap.corp><089F31C221374096B0FE619F@446E7922C82D299DB29D899F><4B02A084.9030903@cs.tcd.ie> <20091117175000.653E669FBC6@kilo.networkresonance.com>
From: Robert Dugal <rdugal@certicom.com>
To: Eric Rescorla <ekr@networkresonance.com>
X-OriginalArrivalTime: 18 Nov 2009 12:48:36.0277 (UTC) FILETIME=[71B26E50:01CA684D]
X-Brightmail-Tracker: AAAAAgAAAZERyCBQ
Cc: tls@ietf.org
Subject: Re: [TLS] simplistic renego protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Nov 2009 12:48:42 -0000
I noticed you said this in the jabber log http://www.ietf.org/jabber/logs/tls/2009-11-12.txt [06:31:06] <EKR> It occurred to me the other day that there is a special case where hte server does not need to refuse renegotiation: when the client has sent no data yet. [06:31:20] <EKR> This would allow step-up/SGC to continue to work 9assuming we cared it) Our products do support step-up/SGC and some customers may still be using it, or at least have servers with SGC certificates. Since there is no vulnerability is this special case, should some note be added to the draft? -- Robert Dugal Senior Software Developer Certicom Corp. A Subsidiary of Research In Motion rdugal@certicom.com direct 905.501.3848 fax 905.507.4230 www.certicom.com -----Original Message----- From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of Eric Rescorla Sent: Tuesday, November 17, 2009 12:50 PM To: Stephen Farrell Cc: Chris Newman; tls@ietf.org Subject: Re: [TLS] simplistic renego protection At Tue, 17 Nov 2009 13:09:24 +0000, Stephen Farrell wrote: > Having watched the recent list traffic I find the above convincing. > I'd love to see a -01 of the above containing the changes EKR has > mentioned already, and then a WGLC on that. I just submitted an -01 version of the draft. This includes the following changes: 1. Clarification of the encoding of the extension per the issue by Eric Young and Nelson Bolyard. 2. A bunch of discussion of fallback and the downgrade issue. 3. A SHOULD level requirement that implementations which simply reject negotiation still provide an empty extension when requested by the client, thus signalling that they have been updated. 4. A new section 4.3.1 that describes a magic cipher suite to be used to prevent downgrade attack on implementations which fall back to no extensions on handshake failure. I've left point (4) as an OPEN ISSUE because it wasn't clear to me what the WG feeling was. My general feeling is that it's not necesary: SSLv3 servers which upgrade to fix this issue by refusing renegotiation can easily arrange to simply ignore the extension, at which point no downgrade attack is possible. Servers which don't do even this can be presumed to be vulnerable and it doesn't seem that bad to simply fail in this small number of cases. That said, I don't have a problem with this feature f the WG wants to since it's not being used by negotiation but merely as a failsafe, and I thought it was important to get a concrete proposal for this mechanism on the table. -Ekr _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls --------------------------------------------------------------------- This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.
- Re: [TLS] simplistic renego protection Chris Newman
- [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Joseph Salowey (jsalowey)
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Nelson B Bolyard
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection peter.robinson
- Re: [TLS] simplistic renego protection Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] simplistic renego protection Stephen Farrell
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Nasko Oskov
- Re: [TLS] simplistic renego protection Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Yair Elharrar
- Re: [TLS] simplistic renego protection Steve Dispensa
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Robert Dugal
- Re: [TLS] simplistic renego protection Pasi.Eronen
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Simon Josefsson
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Eric Rescorla
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Nasko Oskov
- Re: [TLS] simplistic renego protection Nelson B Bolyard
- Re: [TLS] simplistic renego protection Nelson B Bolyard
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Michael D'Errico
- Re: [TLS] simplistic renego protection Nelson B Bolyard
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- [TLS] Definition of "lenient server" David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection Ben Laurie
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection Bill Frantz
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Stefan Santesson
- Re: [TLS] simplistic renego protection Marsh Ray
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Ben Laurie
- Re: [TLS] simplistic renego protection David-Sarah Hopwood
- Re: [TLS] simplistic renego protection Ben Laurie
- Re: [TLS] simplistic renego protection Pasi.Eronen
- Re: [TLS] simplistic renego protection Martin Rex
- Re: [TLS] simplistic renego protection Pasi.Eronen
- Re: [TLS] simplistic renego protection Yngve Nysaeter Pettersen
- Re: [TLS] simplistic renego protection Peter Gutmann
- Re: [TLS] simplistic renego protection Kyle Hamilton