IETF Logo Mail Archive

Re: [TLS] Third Option?

Marsh Ray <marsh@extendedsubset.com> Wed, 16 December 2009 22:43 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 26D6E3A6AA2 for <tls@core3.amsl.com>; Wed, 16 Dec 2009 14:43:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.591
X-Spam-Level:
X-Spam-Status: No, score=-2.591 tagged_above=-999 required=5 tests=[AWL=0.008, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oIOswN4Ok4mo for <tls@core3.amsl.com>; Wed, 16 Dec 2009 14:43:17 -0800 (PST)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id 3EC9E3A6A8F for <tls@ietf.org>; Wed, 16 Dec 2009 14:43:17 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1NL2aE-000Ifk-Qk; Wed, 16 Dec 2009 22:43:02 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id D548C6678; Wed, 16 Dec 2009 22:43:01 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1/46ttyS2e6Lr20SA1qcm/lL0JPfqYqTmQ=
Message-ID: <4B296275.8010108@extendedsubset.com>
Date: Wed, 16 Dec 2009 16:43:01 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Ravi Ganesan <ravi@findravi.com>
References: <3561bdcc0912161417j6cdcfe59l1be2131c9ec27da0@mail.gmail.com>
In-Reply-To: <3561bdcc0912161417j6cdcfe59l1be2131c9ec27da0@mail.gmail.com>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] Third Option?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2009 22:43:18 -0000

Ravi Ganesan wrote:
> 
> A third option is to leave renegotiation in, but create an advisory that
> explains the semantics;

What do you (as a vendor) tell your customers when they know they are
vulnerable and call you for a fix?

> namely, it is indeed a RE negotiation, and
> SSL/TLS itself is starting from scratch and not making any assumptions
> about what went before and what came after. A higher layer protocol that
> chooses to mix and match traffic is making assumptions about guarantees
> from the SSL/TLS layer that are certainly not "explicitly" being made
> anywhere.

Netscape's use of renegotiation of from the beginning strongly implies
they believed the guarantees were present when they added it to the
protocol.

There are still ambiguities which indicate an internal inconsistency in
the spec. For example, the spec requires that application data be
allowed to interleave with the renegotiation handshake messages. There
are multiple points during the handshake at which the identity may be
considered to have changed with various degrees of authentication.

The users on this list with the high-bandwidth links to Jupiter (who
were they again?) are quite attached to this feature.

> [...] Anyone reading about this attack from the
> media will have absolutely no clue as to impact.
> 
> Anyone who reads the  the first documents that came out on this issue
> (http://www.phonefactor.com/sslgapdocs/Renegotiating_TLS.pdf and
> http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html)
> would be left with very different perceptions of the magnitude of the
> impact. This is not unnatural in such matters; great minds usually think
> differently...., but after all this discussion perhaps a blurb in the
> draft with advice on who should immediately patch might be useful.

In short, everyone* needs to patch and disable compatible/insecure mode
as soon as is practical.

*Except those who can prove that their endpoint cannot renegotiate and
will never be willing to talk to a server that can possibly renegotiate.
Or is a protocol that perfectly discards all state on every handshake.
This is only possible with direct code inspection and protocol analysis,
and in practice experts have been repeatedly surprised by what attacks
turns out to be possible.

Someone may reply and say "Oh this particular situation doesn't need to
patch" but again, it will likely be because some systems accidentally
fall into a few narrow categories.

- Marsh

v2.23.0 | Report a Bug | By Email