IETF Logo Mail Archive

Re: [TLS] Prohibiting SSL 3.0

Watson Ladd <watsonbladd@gmail.com> Fri, 31 October 2014 01:56 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 194E21A8A52 for <tls@ietfa.amsl.com>; Thu, 30 Oct 2014 18:56:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mdO1ilg9xoyT for <tls@ietfa.amsl.com>; Thu, 30 Oct 2014 18:56:20 -0700 (PDT)
Received: from mail-yh0-x22e.google.com (mail-yh0-x22e.google.com [IPv6:2607:f8b0:4002:c01::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51A9F1A8A60 for <tls@ietf.org>; Thu, 30 Oct 2014 18:56:20 -0700 (PDT)
Received: by mail-yh0-f46.google.com with SMTP id a41so2233900yho.5 for <tls@ietf.org>; Thu, 30 Oct 2014 18:56:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=KVT9lJPk9IK8b8hgIrhOe3LYuLZ0kR0qK7FVTCf03Dg=; b=A8hzpoCgdl6QXlmZllMaTdD0LG17Txo/iuIdmPlQes9/q6EVf+0BpASL9iSj+UT8In ynA4001ItBFcBIW1O/3Gs6oXyXYqaxYeQWzqhQuhwjbxH6fULFcs6QvHqr3hXFRFEil+ +ow6YstfIo4L2IyLKAHaIuD9ji5bN2oePcJmvo8Ue1zpVWi0POxbJLZzVe+4zZUvRFSb dVIVFXIPdlr5zG4SC4b0WGpa7vegGJbMSExuzuszT6h+KdJVcpSq2NxN6X3hleB66uwz xoUX1Avu0UyMWWM0bALWgQqpX4+wEXfhrL2tO8POFb4f2D4BPyILm5LgSAFVQ9hyllVB tgjA==
MIME-Version: 1.0
X-Received: by 10.236.2.5 with SMTP id 5mr5517545yhe.179.1414720579699; Thu, 30 Oct 2014 18:56:19 -0700 (PDT)
Received: by 10.170.195.149 with HTTP; Thu, 30 Oct 2014 18:56:19 -0700 (PDT)
In-Reply-To: <20141031010310.2F9631AF6E@ld9781.wdf.sap.corp>
References: <BLU177-W4981235CC3AA2325B8CC01C39F0@phx.gbl> <20141031010310.2F9631AF6E@ld9781.wdf.sap.corp>
Date: Thu, 30 Oct 2014 18:56:19 -0700
Message-ID: <CACsn0cn0CFxt-tnnkTr8OF41uLxx8SGTNM8yK90SUiJDPgcN_Q@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "mrex@sap.com" <mrex@sap.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/dA6mvlhRwrOJysH8tDBrNQ-Q4Ck
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Prohibiting SSL 3.0
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Oct 2014 01:56:23 -0000

On Thu, Oct 30, 2014 at 6:03 PM, Martin Rex <mrex@sap.com> wrote:
> Yuhong Bao wrote:
>> I hope that a Internet-Draft prohibiting SSL 3.0 will be next.
>> Maybe make an exception for things like browser download sites
>> (it is easy to enable TLS 1.0 in IE6 but for these kind of sites
>>  it is probably not worth the effort).
>
> No, why?
>
> This may be unknown to you, but SSLv3 is still perfectly safe to use
> within its stated design goals.  Even within the Design Goals stated
> for TLSv1.2!
>
> Remember the TLSv1.2 product warning label:
>
>   https://tools.ietf.org/html/rfc5246#page-16
>
>    Any protocol designed for use over TLS must be carefully designed to
>    deal with all possible attacks against it.  As a practical matter,
>    this means that the protocol designer must be aware of what security
>    properties TLS does and does not provide and cannot safely rely on
>    the latter.
>
> And recap the stated properties of the protocol:
>
>   https://tools.ietf.org/html/rfc5246#appendix-F
>
>   https://tools.ietf.org/html/rfc5246#appendix-F.2

Those sources say TLS provides a secure channel. Maybe that means
something different to you then me, but to me that means
INT-PTXT+IND-CCA2, aka "looks like a wire strung between the
machines", aka "I can do what I want, and an attacker will have no
hope". Or was this warning intended to be "don't trust this with
anything important, because it can bite"?

Your reading amounts to saying, that because TLS is insecure, the
provided properties are empty, and that's fine. I think most people
would disagree with that assertion, especially given the detailed
enumeration of security properties following that quote.

>
>
> TLS up to and including TLSv1.2 similar to its predecessor SSLv3
> *NEVER* *EVER* promised to provide any protection against attacks
> such as BEAST, CRIME, Poodle or the RC4-attacks.  All of these
> attacks have the prerequiste of almost full control over the behaviour
> of an endpoint.  Remove the control-over-the-endpoint from these
> attack scenarios, and none of these attacks will be possible anymore.

So TLS wasn't designed to satisfy standard security properties?
Browsers were never intended to run Javascript?

This seems like an argument for replacing TLS with something secure.

>
> Btw. when I just did online-banking a few hours ago, I noticed
> a longer numeric "token" variable at the end of the URL that changed
> with every mouseclick and navigation on the page.  Seems like someone
> properly realized that the root of all evil is applications on top
> of TLS using disclosing authentication schemes.

No, the root of all evil is hiring a biology student for a summer to
make a security protocol. It's a miracle SSLv3 works at all, showing
that the Lord protects drunks, fools, and interns.

(Also, that's for CSRF protection. The authentication is probably by a
cookie, and if that cookie is stolen, the CSRF protection doesn't stop
an attacker from going to the login form, which checks that the user
is logged in and kaboom. Changing authorization cookies shouldn't be
necessary: the only reason you are proposing it is that SSL v3 fails
to provide necessary security properties.)

>
>
>
> Poodle targets the final block of CBC padding, and has an "efficiency"
> of recovering 1 byte of plaintext per 256 TLS sessions during which
> the server encounters 255 MAC errors on the app data (something that
> normally occurs one per week or less).
> As such Poodle looks like an extremely "noisy" attack to me.

Okay, so the server logs the MAC errors, and then what happens? And
why should I have to watch the logs to ensure that I'm not being
attacked when I turned on SSL? It's secure ainit?

>
>
> The plaintext pattern that Poodle is trying to achieve for the final
> CBC block of an SSL record looks like this:
>
>        64-bit blockcipher (DES, 3DES, IDEA)
>                  XX XX XX XX XX XX XX 07
>       128-bit blockcipher (AES, CAMELIA, SEED, CAST):
>                  XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX 0F
>
>
> Does anyone remeber Serge Vaudenay's original problem as a result from
> the incorrect ordering of pad and mac in the SSL GenericBlockCipher
> PDU processing, i.e.
> the use of the unsafe "mac + pad + encrypt"
> rather than a safe "pad + mac + encrypt":
>
>        http://lasec.epfl.ch/php_code/publications/search.php?ref=Vau01
>        http://lasec.epfl.ch/php_code/publications/search.php?ref=Vau02a
>
> Didn't the the plaintext pattern that Vaudenay suggested in trying to
> achieve for the final CBC block look like this:
>
>        64-bit blockcipher (DES, 3DES, IDEA)
>                  XX XX XX XX XX XX XX 00
>       128-bit blockcipher (AES, CAMELIA, SEED, CAST):
>                  XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX 00
>
> I can not see much of a difference between original Vaudenay and Poodle,
> and the efficieny is exactly the same: plaintext recovery of 1 byte per 256
> TLS sessions.

Yes, Bodo Moeller and I already noted this in several emails to
various mailing lists, Kenny Paterson said this on Twitter, etc.

>
>
> Just that the TLS WG actually *NEVER* followed Vaudenay's advice
> by moving to "pad + mac + encrypt", which would have reliably
> thwarted Lucky thirteen and Poodle.

They also didn't follow the advice of everyone else to encrypt then
mac, which would have fixed it. Furthermore, we did finally publish an
encrypt then MAC draft, which also fixes the problem, about 13 years
later.

>
> If there was ever reason to "Panic", this was back in 2001 when the
> problem was first described.  IMHO.

So why don't we fix it now? And why didn't you discover it yourself,
or propose a fix then? Every single time we've tried to solve
problems, you've insisted that they are really the user's problem. And
when these problems are rediscovered, you now argue we should have
fixed them the first time, and that we didn't shows how unimportant
they are, even when they steal someones money live on stage as a
demonstration.

In fact, you've even gone so far as to claim issues you thought were
security flaws when you discovered them, weren't. What's the goal
here? To get the WG to give up and never change the protocol ever
again?

Sincerely,
Watson Ladd

>
>
> -Martin
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email