Re: [TLS] padding bug

Adam Langley <agl@google.com> Fri, 20 September 2013 16:27 UTC

On Fri, Sep 20, 2013 at 11:52 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> This looks like "meh" to me:
> http://www.ietf.org/mail-archive/web/tls/current/msg09826.html

I think that "meh" is probably a reasonable summary of my post, yes.

If we accept that making any change costs about the same, because the
cost overwhelmingly consists of the amount of time that we have to
wait for deployment, then I'd very much like a better change than
warming up CBC's corpse again.

There is one case where this might not be the case however: an Acme
TLS stack that is basically unmaintained but might be able to hack in
an extension like this. Although I can certainly believe that
something like that exists, nothing is coming to mind but I find cases
of ten year old copies of OpenSSL pretty often.

So I've no objection to this ID, but nor am I esp excited by it.


Cheers

AGL