Re: [TLS] Version (in)tolerance
Marsh Ray <marsh@extendedsubset.com> Thu, 17 June 2010 14:01 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 76E593A68C1 for <tls@core3.amsl.com>; Thu, 17 Jun 2010 07:01:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.026
X-Spam-Level:
X-Spam-Status: No, score=-0.026 tagged_above=-999 required=5 tests=[AWL=-0.027, BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 44Hn3Por8V-w for <tls@core3.amsl.com>; Thu, 17 Jun 2010 07:01:31 -0700 (PDT)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id 0C0F83A68A9 for <tls@ietf.org>; Thu, 17 Jun 2010 07:01:31 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1OPFex-000Ael-5D; Thu, 17 Jun 2010 14:01:35 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 01D4264D8; Thu, 17 Jun 2010 14:01:32 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1+JLA/0Bq3V9BzRynqhV70hZG8zZDjOxAA=
Message-ID: <4C1A2ABE.4080304@extendedsubset.com>
Date: Thu, 17 Jun 2010 09:01:34 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.8) Gecko/20100216 Thunderbird/3.0.2
MIME-Version: 1.0
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
References: <E1OPEBH-0005cn-UP@wintermute02.cs.auckland.ac.nz>
In-Reply-To: <E1OPEBH-0005cn-UP@wintermute02.cs.auckland.ac.nz>
X-Enigmail-Version: 1.0.1
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] Version (in)tolerance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Jun 2010 14:01:32 -0000
On 6/17/2010 7:26 AM, Peter Gutmann wrote: > Marsh Ray <marsh@extendedsubset.com> writes: > >> * If an optional protocol feature has no implementations that are available >> and widely used for testing, it can be relied on not to work. > > And that's exactly why I reject major versions other than 3, I have no idea > what version 4 will be or require, and I also have no way of checking that I'm > not subject to some sort of rollback attack or who knows what if I include > handling for a 4.x version. Your implementation is saying to the remote endpoint: "Even though there is a highest protocol version which we both support, and even though I am willing to talk that version in general, I am not willing to handshake you at all because you said you also supported some version higher than that." Again, nowhere in RFC 5246 does it say that a ClientHello client_version.major other than 0x03 will equate to a "4.x" TLS version or give any significance to 4 (other than that it is greater than 3). Instead, it says: > If a TLS server receives a ClientHello containing a version number > greater than the highest version supported by the server, it MUST > reply according to the highest version supported by the server. > So in order to force users to get a version that > deals with whatever security catastrophe 4.x is meant to address, I want to > make sure that they're forced to upgrade. I guess I see some kind of Kafakaesque logic in the idea of an paranoid endpoint gaining security by refusing to interoperate with newer implementations. But why stop there? It would be even more effective for the compromised implementation to delete itself from disk once a higher protocol version is observed on the network. That would also be an elegant solution to the problem of having to work around all those intolerant servers in the fix for catastrophic break. It should probably also trip fail-safe whenever a client proposes a ciphersuite it hasn't seen before. Could be an indication that the one it otherwise would have chosen has a major weakness. Don't forget unexpected compression methods and unknown extensions either! After all, the presence of the new ciphersuite value and/or RI extension is, in fact, an indication that the original protocol had a major flaw. Alternatively, you could log a warning message or find some other means to get the point across. > This was a problem with PGP 2.x, there was never any strong reason for people > to upgrade, and it took forever to get people to move off it (some are still > using it). Someone (from memory it was Jon Callas) has complained that PGP > 2.x needed some fatal flaw found in it to force people to finally move to > OpenPGP. So having a fall-over-and-die trigger can be a good thing, not a > flaw. Cause enough pain for your users and I guess they'll switch to something else. Did you consider that it also causes pain for those trying to fix and extend the protocol using the methods defined in advance for that purpose? When updating the protocol we heard repeatedly that avoiding interop problems with the installed base must be the number one requirement. With the renegotiation bug people insisted it would take forever to get everyone patched. But if the patch did not interop, no one would patch at all. Look back at the mailing list. We knew of a single server on the internet that went into a slow fail condition when it received extension data on a client hello. That was one server was taken seriously as a significant factor in the adoption of the ugly kludge workaround for intolerant. So the effect of that "fall-over-and-die" approach is going to be far more of a hindrance to the adoption of a fix to the protocol than it is likely to protect anyone using such an implementation. If the protocol really turns out to be broken in such a systemic way that "4.x" is only solution, there's a good chance the attacker will be able to undetectably modify the version number your endpoint sees anyway. > In any case though since no-one has any idea what 4.x will be, or why we'd > need to move to it, or whether it will ever appear, this is all just > speculation, it's like arguing over what clothes work best for interstellar > travel. Hmm, I don't really think so. We're talking about specific behavior mandated by the current RFCs and principles which have numerous examples of actual use. It's similar to the warnings-as-errors discussion we were having earlier. Oh and it'll definitely be a silver lame' catsuit for me. :-) - Marsh
- [TLS] Renego Indication RI patch interaction with… Marsh Ray
- Re: [TLS] Renego Indication RI patch interaction … Brian Smith
- Re: [TLS] Renego Indication RI patch interaction … Michael D'Errico
- Re: [TLS] Renego Indication RI patch interaction … Marsh Ray
- Re: [TLS] Renego Indication RI patch interaction … Simon Josefsson
- Re: [TLS] Renego Indication RI patch interaction … Adam Langley
- Re: [TLS] Renego Indication RI patch interaction … Simon Josefsson
- Re: [TLS] Renego Indication RI patch interaction … Brian Smith
- Re: [TLS] Renego Indication RI patch interaction … Marsh Ray
- Re: [TLS] Renego Indication RI patch interaction … Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Renego Indication RI patch interaction … Martin Rex
- Re: [TLS] Renego Indication RI patch interaction … Michael D'Errico
- Re: [TLS] Renego Indication RI patch interaction … Martin Rex
- Re: [TLS] Renego Indication RI patch interaction … Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Renego Indication RI patch interaction … Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] Renego Indication RI patch interaction … Ivan Ristic
- Re: [TLS] Renego Indication RI patch interaction … Peter Gutmann
- Re: [TLS] Renego Indication RI patch interaction … Peter Gutmann
- Re: [TLS] Version (in)tolerance Marsh Ray
- Re: [TLS] Version (in)tolerance Peter Gutmann
- Re: [TLS] Version (in)tolerance Marsh Ray
- Re: [TLS] Version (in)tolerance Martin Rex
- Re: [TLS] Version (in)tolerance Marsh Ray