Re: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]
David Benjamin <davidben@chromium.org> Fri, 03 June 2016 18:20 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1908D12D5FC for <tls@ietfa.amsl.com>; Fri, 3 Jun 2016 11:20:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.125
X-Spam-Level:
X-Spam-Status: No, score=-4.125 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id agFZN4wP_ChE for <tls@ietfa.amsl.com>; Fri, 3 Jun 2016 11:20:03 -0700 (PDT)
Received: from mail-io0-x229.google.com (mail-io0-x229.google.com [IPv6:2607:f8b0:4001:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFCC112D0AE for <tls@ietf.org>; Fri, 3 Jun 2016 11:20:03 -0700 (PDT)
Received: by mail-io0-x229.google.com with SMTP id o189so71818739ioe.2 for <tls@ietf.org>; Fri, 03 Jun 2016 11:20:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=a8tNtndgfZ1z2c6K4tXj+K/ebWAha8WgwjMz3cFfzNM=; b=NXNJgQMnTNEf4baaDIwVtXxOVLu/LH9Ai430/RyxVMorMG21XfPF4nlBHTCDTDtxX3 rCu65Yc2yYIY62hA7hqyHCzh5rPwQ48jDu00GBCkhribmDLwkcWwn7savobyPRxBIBCQ /UoPYDvEX7R5FByb5X98fu/T0h6IpFp17qWuQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=a8tNtndgfZ1z2c6K4tXj+K/ebWAha8WgwjMz3cFfzNM=; b=WNliJa9+wvaPHuL78zGQoJS7I20yaRnYRUg08/1E+DDLj3NsofuAm4+QQZikHn+cyO recl9oV+MlL6mQC/H/xYtqxTN0eZVKd0LQsMDa9iZ7tuvtXBnjYZRkdkAPeC2kB3994G PXfsJgnH+xVBVZAqFYcuSoVh65l3wWdePGLtdU5C16t7hQH5Qm2pstKOV34+UPBq1ZOe gb4i3jVGmtSKG7N/aRqFVsQYyS4l0y4xiq/7BQY2MQY3GBHvX3rkNhlXDtxtrc1sAThp l4jagR9MQYB913+M66VFwg7UwZO56t+3wNAifYZnXrLsjrhm2XIUV7BHBLuq1mcZYeFV tMWw==
X-Gm-Message-State: ALyK8tKjHE9hFNY0zhkhcoYTaJ/47Gbk1H+ScQnZrvRRw9enwdbu53wfpt6TovxbiQliUCTJuB6MT0JPTiwPma5K
X-Received: by 10.107.52.16 with SMTP id b16mr7507374ioa.6.1464978002788; Fri, 03 Jun 2016 11:20:02 -0700 (PDT)
MIME-Version: 1.0
References: <CAF8qwaDuGyHOu_4kpWN+c+vJKXyERPJu-2xR+nu=sPzG5vZ+ag@mail.gmail.com> <CAF8qwaASpH3Fapo61TDBuF35++GyMbZa4c-9Uy-JZ8CKywpAFw@mail.gmail.com> <CABkgnnXs5UBPZRzPoyiVs1R7arBcPV7WuEY692SHkj=doW6bwQ@mail.gmail.com> <201606030017.20760.davemgarrett@gmail.com> <CABcZeBN2UPNng_0zMEE=v1tWnYTep=q2QEmD91FZfWF69NCsMQ@mail.gmail.com> <20160603174050.GD3300@mournblade.imrryr.org>
In-Reply-To: <20160603174050.GD3300@mournblade.imrryr.org>
From: David Benjamin <davidben@chromium.org>
Date: Fri, 03 Jun 2016 18:19:52 +0000
Message-ID: <CAF8qwaCrmLJUwUaaPni_Ts4M2WYB9AAPWYOTzo6+22rx8RSMpA@mail.gmail.com>
To: tls@ietf.org
Content-Type: multipart/alternative; boundary="001a1144180e761584053463c521"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/dQh4uuijigz4CS0Tbm0lNnNPbKU>
Subject: Re: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jun 2016 18:20:06 -0000
I think I could be convinced in either direction right now. It is definitely ugly and more of a nuisance to implement. The alternative is a fallback and then painfully driving it out later. We've done that before and we have FALLBACK_SCSV and the server_random trick now. At the same time, I am rather bored of this fallback game. We can actually avoid the intolerance problem with this mechanism. Suppose we used empty indicator extensions, one for each new version. Then as long as servers tolerate unknown extensions, we'll be fine. So far this has not rusted yet, and we can defend it from rust by having clients send random fake extensions out of a range of values we burn for this purpose[*] (or private use area). If one extension with a list of values, we can do something similar. (Strictly speaking, the version already does not appear at a fixed position because a ClientHello may be pathologically fragmented. OpenSSL even had CVE-2014-3511 here. I believe the master branch no longer has a sniff-based version negotiation. BoringSSL hasn't for a while now. But rejecting such pathologically fragmented ClientHellos is reasonable and OpenSSL 1.0.x does it now.) David [*] I'm planning on writing something up here soon. On Fri, Jun 3, 2016 at 1:40 PM Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: > On Fri, Jun 03, 2016 at 06:39:58AM -0700, Eric Rescorla wrote: > > > My opinion on this hasn't really changed since the last time. This seems > > like it's more complicated and it's not clear to me why it won't lead to > > exactly the same version intolerance problem in future. > > Doing version negotiation through extensions would be a major > implementation burden. At present the client version appears early > in the ClientHello at a fixed position in the packet, and the server > can quickly grab the version, compute the highest shared version > and branch to the protocol implementation for that version to parse > the rest of the ClientHello. > > Putting the client version in an extension dramatically complicates > server-side processing. So my view is that this would not be > progress. This is IMNSHO even less likely to interoperate than > what we have now. > > -- > Viktor. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- Re: [TLS] Downgrade protection, fallbacks, and se… David Benjamin
- Re: [TLS] Downgrade protection, fallbacks, and se… Martin Rex
- [TLS] Downgrade protection, fallbacks, and server… David Benjamin
- Re: [TLS] Downgrade protection, fallbacks, and se… Eric Rescorla
- Re: [TLS] Downgrade protection, fallbacks, and se… David Benjamin
- Re: [TLS] Downgrade protection, fallbacks, and se… Eric Rescorla
- Re: [TLS] Downgrade protection, fallbacks, and se… Martin Thomson
- [TLS] no fallbacks please [was: Downgrade protect… Nikos Mavrogiannopoulos
- Re: [TLS] no fallbacks please [was: Downgrade pro… Yoav Nir
- Re: [TLS] Downgrade protection, fallbacks, and se… Hubert Kario
- Re: [TLS] no fallbacks please [was: Downgrade pro… Hubert Kario
- Re: [TLS] Downgrade protection, fallbacks, and se… David Benjamin
- Re: [TLS] Downgrade protection, fallbacks, and se… Viktor Dukhovni
- Re: [TLS] no fallbacks please [was: Downgrade pro… David Benjamin
- Re: [TLS] Downgrade protection, fallbacks, and se… David Benjamin
- Re: [TLS] Downgrade protection, fallbacks, and se… Hubert Kario
- Re: [TLS] no fallbacks please [was: Downgrade pro… David Benjamin
- Re: [TLS] Downgrade protection, fallbacks, and se… David Benjamin
- Re: [TLS] no fallbacks please [was: Downgrade pro… Hubert Kario
- Re: [TLS] no fallbacks please [was: Downgrade pro… Hubert Kario
- Re: [TLS] Downgrade protection, fallbacks, and se… Viktor Dukhovni
- Re: [TLS] no fallbacks please [was: Downgrade pro… Martin Thomson
- Re: [TLS] no fallbacks please [was: Downgrade pro… Dave Garrett
- Re: [TLS] no fallbacks please [was: Downgrade pro… Nikos Mavrogiannopoulos
- Re: [TLS] no fallbacks please [was: Downgrade pro… Ilari Liusvaara
- Re: [TLS] no fallbacks please [was: Downgrade pro… Hubert Kario
- Re: [TLS] no fallbacks please [was: Downgrade pro… Xiaoyin Liu
- Re: [TLS] no fallbacks please [was: Downgrade pro… Hubert Kario
- Re: [TLS] no fallbacks please [was: Downgrade pro… Eric Rescorla
- Re: [TLS] no fallbacks please [was: Downgrade pro… Andrei Popov
- Re: [TLS] no fallbacks please [was: Downgrade pro… Eric Rescorla
- Re: [TLS] no fallbacks please [was: Downgrade pro… Viktor Dukhovni
- Re: [TLS] no fallbacks please [was: Downgrade pro… David Benjamin
- Re: [TLS] no fallbacks please [was: Downgrade pro… Dave Garrett
- Re: [TLS] no fallbacks please [was: Downgrade pro… Bill Frantz
- Re: [TLS] Downgrade protection, fallbacks, and se… Yaron Sheffer
- Re: [TLS] Downgrade protection, fallbacks, and se… Stefan Winter
- Re: [TLS] no fallbacks please [was: Downgrade pro… Hubert Kario
- Re: [TLS] [FORGED] Re: no fallbacks please [was: … Peter Gutmann
- Re: [TLS] [FORGED] Re: no fallbacks please [was: … Peter Gutmann
- Re: [TLS] no fallbacks please [was: Downgrade pro… Dave Garrett
- Re: [TLS] no fallbacks please [was: Downgrade pro… Jeffrey Walton
- Re: [TLS] [FORGED] Re: no fallbacks please [was: … Peter Gutmann
- Re: [TLS] [FORGED] Re: no fallbacks please [was: … Kyle Rose
- Re: [TLS] [FORGED] Re: no fallbacks please [was: … Hubert Kario
- Re: [TLS] [FORGED] Re: no fallbacks please [was: … Yoav Nir
- Re: [TLS] [FORGED] Re: no fallbacks please [was: … Salz, Rich
- Re: [TLS] [FORGED] Re: no fallbacks please [was: … Yoav Nir
- Re: [TLS] [FORGED] Re: no fallbacks please [was: … Hubert Kario
- Re: [TLS] [FORGED] Re: no fallbacks please [was: … Yoav Nir
- Re: [TLS] [FORGED] Re: no fallbacks please [was: … David Benjamin
- Re: [TLS] [FORGED] Re: no fallbacks please [was: … Andrei Popov
- Re: [TLS] [FORGED] Re: no fallbacks please [was: … Yuhong Bao
- Re: [TLS] [FORGED] Re: no fallbacks please [was: … Dave Garrett
- Re: [TLS] [FORGED] Re: no fallbacks please [was: … Hubert Kario
- Re: [TLS] [FORGED] Re: no fallbacks please [was: … Hubert Kario
- Re: [TLS] [FORGED] Re: no fallbacks please [was: … Nikos Mavrogiannopoulos
- Re: [TLS] no fallbacks please [was: Downgrade pro… Tony Arcieri