[TLS] Viability of fallback SCSV and padding drafts.
Adam Langley <agl@google.com> Thu, 27 February 2014 17:48 UTC
Return-Path: <agl@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C3C41A03A7 for <tls@ietfa.amsl.com>; Thu, 27 Feb 2014 09:48:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.926
X-Spam-Level:
X-Spam-Status: No, score=-1.926 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id seTEV-QkbjW0 for <tls@ietfa.amsl.com>; Thu, 27 Feb 2014 09:48:22 -0800 (PST)
Received: from mail-ve0-x233.google.com (mail-ve0-x233.google.com [IPv6:2607:f8b0:400c:c01::233]) by ietfa.amsl.com (Postfix) with ESMTP id D348F1A0445 for <tls@ietf.org>; Thu, 27 Feb 2014 09:48:21 -0800 (PST)
Received: by mail-ve0-f179.google.com with SMTP id db12so263374veb.38 for <tls@ietf.org>; Thu, 27 Feb 2014 09:48:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:from:date:message-id:subject:to:content-type; bh=aVdylK3eBS4EIeIc7kzve6+wnyTfTe+rLXegWKFjshk=; b=WQg283a2wiY0LGodoZB1XhvWSDqXGrGVQYNYFwjUE0FJuWz66oUIC0oN+xv9/F8wQX wZxGMZbm75xp4/BTNQ3+QgvOCv2YEauJ++WQk8l0p3X6+k3V+TI+0DUUyEb3bkh44OY+ GgtNd/kwL0WUVUwttnivNZlKNSNqxpikGLx4LMRXj+yhS3kMRw9yy+YBOPelrLBfIznW G+JmjGqwyvtBraOgRRecXAAKOdeboAgbVR1iorBYWRaHM3d7G9VJcVHghDYlYMY6RA2I DO7wIu/4DpJIUZprcP9yXF0LLDEqjkGvfKMfwI5LqfDasUgZWhP4FJlbWX0VV/2Krzz9 oBKw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-type; bh=aVdylK3eBS4EIeIc7kzve6+wnyTfTe+rLXegWKFjshk=; b=UAo4+W3RV2ejy0tEZFFH9xw4l7ToK6lRZXTGwwlGYXdQ0aHQYcrEa+4w9d2O9AmXPn ns4LOc1Pj/EmH+mNplpk7dS828YP5MCHoN5rKmj6nw3VFer5hzaVm8Noo+7rJ1KzYU26 kf+CWf8/ATPh98y/gC+IEu6XdRccZWWHWASiurlQKwyIr/Zwjc+FVOXPY8gAoFmw5Xgy fYw/TMgrnzLK8+zCrA1/jOV0S131put2p6yKYB6ZReOBAsr9RuxAGSpjiSZTvJ0ei/zb ivae8vtEQgeMb/NBE10gX6SfzadNI6SdKolJUoGsggRPtSoygiybgz88TL58Un9gFiIv cqMg==
X-Gm-Message-State: ALoCoQlBrm1Zvkql0eVnzu6KaOs+Cx/93Ycb6ycZY2cOfNagcA6Q883eioiftObn0QbXMtUtNf4Istns4ahpRQK8xV4HsyBq985OunSF8lRiEprgOhz2G0dN/yZkS04GHroWKhOPiihIWW5KX55qogcR9Pee5iYTXRRZRhIbq8Ku2mz0/PgK+VEConP0q5DcedvVMLeRWXTy
X-Received: by 10.52.122.14 with SMTP id lo14mr1810686vdb.38.1393523299661; Thu, 27 Feb 2014 09:48:19 -0800 (PST)
MIME-Version: 1.0
Received: by 10.52.104.37 with HTTP; Thu, 27 Feb 2014 09:47:59 -0800 (PST)
From: Adam Langley <agl@google.com>
Date: Thu, 27 Feb 2014 12:47:59 -0500
Message-ID: <CAL9PXLw8zF4trB4btCPR-NPT7gZhdOtsDCr4PGckrHHpD1BH-Q@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/dCIIbgHZs-MEpE3G6SEI0e6NDBc
Subject: [TLS] Viability of fallback SCSV and padding drafts.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Feb 2014 17:48:24 -0000
Chrome 33 went stable[1] on the 20th and contained implementations of both the fallback SCSV[2] and padding drafts[3]. The fallback SCSV is also enabled for Google properties. Of the two, padding was significantly more trouble. In order to flush out problems, Chrome 33 pads all ClientHellos to 512 bytes, whether they would have been smaller than 256 bytes or not. One, Windows based, "anti-virus" product broke because it made assumptions about the maximum size of a ClientHello. One network middleware product broke for the same reasons. Both have now been updated. (Thankfully, the design of the network middleware was such that it could be updated for all users.) A second, "anti-virus" product also broke, Kaspersky, and it's unclear which of the two changes caused the problem. Kaspersky has a history of such issues but the TLS MITM mode is disabled by default and this has not been a major source of user feedback. It's possible that smaller breakages have also occurred but I've seen no evidence of that yet. We continue to follow up on user reports in case there's something that got missed. We're going to change Chrome 33 to only pad ClientHellos when needed, but that's the only change scheduled so far. Otherwise both changes are holding steady and appear viable. Cheers AGL [1] http://googlechromereleases.blogspot.com/2014/02/stable-channel-update_20.html [2] https://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-01 [3] https://tools.ietf.org/html/draft-agl-tls-padding-03
- [TLS] Viability of fallback SCSV and padding draf… Adam Langley
- Re: [TLS] Viability of fallback SCSV and padding … Dr Stephen Henson