IETF Logo Mail Archive

Re: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv

Yoav Nir <ynir@checkpoint.com> Tue, 28 January 2014 15:57 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF1BB1A03B6 for <tls@ietfa.amsl.com>; Tue, 28 Jan 2014 07:57:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.436
X-Spam-Level:
X-Spam-Status: No, score=-7.436 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sDp9eaFpnuIu for <tls@ietfa.amsl.com>; Tue, 28 Jan 2014 07:57:43 -0800 (PST)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 0AEDF1A0227 for <tls@ietf.org>; Tue, 28 Jan 2014 07:57:41 -0800 (PST)
Received: from IL-EX10.ad.checkpoint.com ([194.29.34.147]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id s0SFvaGD005079; Tue, 28 Jan 2014 17:57:37 +0200
X-CheckPoint: {52E7CD05-10-1B221DC2-1FFFF}
Received: from DAG-EX10.ad.checkpoint.com ([169.254.3.110]) by IL-EX10.ad.checkpoint.com ([169.254.2.228]) with mapi id 14.03.0123.003; Tue, 28 Jan 2014 17:57:37 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Thread-Topic: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv
Thread-Index: AQHPGCLa7p3uMjOdpEO8c0/oGRcyYJqYtuSAgAAk7YCAAE8UgIAADSUAgAANVACAAOe5AIAABF4A
Date: Tue, 28 Jan 2014 15:57:36 +0000
Message-ID: <ED6ED7E4-3E0C-41B9-A8B3-16C676BCAFAD@checkpoint.com>
References: <CADMpkcJ4viFwzU9u0uP41Niaopja8PZFowjOALVr3VA1vJ7Uow@mail.gmail.com> <20140128001737.D9D581ABC9@ld9781.wdf.sap.corp> <828b043cac0f4b62875d00f31d2f92e3@BL2PR03MB419.namprd03.prod.outlook.com>, <CAL9PXLxDWUMUq5rJXCHYaFRqX6rYfczN8gJaBRJa=pbkH4YWSA@mail.gmail.com> <a840133f75d0426898462ccef739861f@BL2PR03MB419.namprd03.prod.outlook.com>
In-Reply-To: <a840133f75d0426898462ccef739861f@BL2PR03MB419.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.20.176]
x-kse-antivirus-interceptor-info: protection disabled
Content-Type: text/plain; charset="us-ascii"
Content-ID: <62D80102C10DE14EAF9066675E2B0977@ad.checkpoint.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jan 2014 15:57:48 -0000

Well, suppose a client implements a three-stage fallback: TLS1.2-with-extensions--->TLS1.0-with-extensions--->SSLv3.

Suppose TLS1.2-with-extensions got a RST. The client is now trying TLS1.0-with-extensions. If it gets an alert, it will know that it needs to stop. If it gets another RST, it will proceed to try SSLv3, and that's a bad thing, because it should have stopped at TLS 1.0.

I don't think it matters much, because if an attacker can cause a TLS 1.2 session to fail, it can do the same to a TLS 1.0 session. So an attacker can always force the sides to the lowest common denominator. The best this extension can do is to make sure that when they finally do talk to each other at the lowest common denominator, that they recognize that the interference had happened. As long as they don't go below SSLv3, they will know that with the SCSV, regardless of whether the server resets or sends an appropriate alert.

Yoav

On Jan 28, 2014, at 5:41 PM, Andrei Popov <Andrei.Popov@microsoft.com>
 wrote:

> Yes, this makes sense, and the other fatal TLS alerts are defined for similar reasons. Because of Martin's comment, I thought I might be overlooking a security issue with not sending inappropriate_fallback.
> 
> Thanks,
> 
> Andrei
> 
> ________________________________________
> From: Adam Langley <agl@google.com>
> Sent: Monday, January 27, 2014 5:52 PM
> To: Andrei Popov
> Cc: mrex@sap.com; Bodo Moeller; tls@ietf.org
> Subject: Re: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv
> 
> On Mon, Jan 27, 2014 at 8:04 PM, Andrei Popov
> <Andrei.Popov@microsoft.com> wrote:
>> For my understanding: why is this proposal vitally dependent on the server sending inappropriate_fallback alert? If the server receives the SCSV, has a higher protocol version enabled than that in the ClientHello, and quietly aborts the handshake, isn't the downgrade attack thwarted?
> 
> Yes, just closing the connection is good enough for security. The
> advantage of returning the fatal alert is that a) it stops the
> fallback process faster and b) the client can report the error that
> caused the original connection to fail, rather than that the final
> fallback hit connection closed.
> 
> 
> Cheers
> 
> AGL
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
> 
> Email secured by Check Point

v2.23.0 | Report a Bug | By Email