IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

Brian Smith <brian@briansmith.org> Wed, 15 October 2014 21:13 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B29941ACD96 for <tls@ietfa.amsl.com>; Wed, 15 Oct 2014 14:13:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PXltpjSBAFp1 for <tls@ietfa.amsl.com>; Wed, 15 Oct 2014 14:13:54 -0700 (PDT)
Received: from mail-oi0-f48.google.com (mail-oi0-f48.google.com [209.85.218.48]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D79391ACD8B for <tls@ietf.org>; Wed, 15 Oct 2014 14:13:53 -0700 (PDT)
Received: by mail-oi0-f48.google.com with SMTP id g201so1651218oib.35 for <tls@ietf.org>; Wed, 15 Oct 2014 14:13:53 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=OHSfZ8QivRgL2B8/nxw1b0jeJqfr0CJs6f1REQQV71s=; b=Kwo++krudovAHsf3Bd9zW8/iBw84JZLae/5hZMpgd8hFhPykgx7ol9GkvjKvixE3L9 aM9RsgGL58ydLjYAcpNcQlVMNYsf+bHy9eymvMGKNhEbttr0icm620fGK7/kwjrvYIlM rAnWgoPorYE/4O1pVIQcXqdO0QIiohITi3+AplIzt8HLVsg79GWWrmFhM+jPTrUCx3EL KHVNKZetGmAjhgqLT3RcpbfbW46ZUFxy77ybMG56lBZ2wB25I839NDUE8skp4ce9aXxn 70wDpUAm1XKdf0HsUzIL8YxYhPn1PZaw59IOQ25I//Stdso8wG4SECt5QmgasV1uA5/P zKMQ==
X-Gm-Message-State: ALoCoQnGK/SCXT+uKaiYwg8mzrdtEb9RF0ur+HEMwPccCPT7Ts7D9ck9NNLUmI3dv6jtOlZHreeH
MIME-Version: 1.0
X-Received: by 10.183.1.7 with SMTP id bc7mr13282626obd.32.1413407633240; Wed, 15 Oct 2014 14:13:53 -0700 (PDT)
Received: by 10.76.93.9 with HTTP; Wed, 15 Oct 2014 14:13:53 -0700 (PDT)
In-Reply-To: <543E9FFA.5030102@redhat.com>
References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com> <5438CFEA.7000401@brainhub.org> <543E9435.8000905@redhat.com> <2A0EFB9C05D0164E98F19BB0AF3708C71D39ECE9C9@USMBX1.msg.corp.akamai.com> <543E9C9F.5050104@redhat.com> <2A0EFB9C05D0164E98F19BB0AF3708C71D39ECE9D5@USMBX1.msg.corp.akamai.com> <543E9FFA.5030102@redhat.com>
Date: Wed, 15 Oct 2014 14:13:53 -0700
Message-ID: <CAFewVt4RPUpaF-NLN0=OMdCaxRDqMRk=UrDF_3xU71BtrdPHNA@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Florian Weimer <fweimer@redhat.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/dygyDh37uGkLf3OyZdlSXfdBnHw
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Oct 2014 21:13:59 -0000

On Wed, Oct 15, 2014 at 9:25 AM, Florian Weimer <fweimer@redhat.com> wrote:
> I'm concerned that a straightforward implementation of this new SCSV in
> Firefox will introduce user-visible connection failures when the downgrade
> is caused by a (likely spurious) networking event.

First, Mozilla publishes some data regarding non-secure version
fallback at [1]. (The UI is terrible, but there is an option to get
the raw data in tabular form on the right hand side of the page). You
can see the key for that data in the source code at [2].

Anyway, Firefox needs to stop doing the non-secure version fallback in
the case of network failures. The overwhelming majority of TLS 1.2 ->
TLS 1.1 fallbacks in Firefox are due to server closing the connection
during the handshake. Probably in the vast majority of those cases,
the closed connection is not actually indicating version intolerance.
The second most common case of fallback is receiving a RST. Again, the
vast majority of those RSTs are probably not actually caused by
version intolerance. These two conditions make up about 99% of the
reason for fallback in Firefox.

The problem is there are a very small number of servers that DO
indicate intolerance by closing the connection or with a RST. However,
I also agree with the others that say that it doesn't make sense for
browsers to ask every server to implement the downgrade SCSV to be
safe, because browsers don't want to break compatibility with this
tiny minority of old, broken servers.

My understanding is that the Chrome web browser is currently
experimenting in pre-release versions with not doing the non-secure
fallback from TLS 1.0 to SSL 3.0. I think all browsers should extend
that experiment to disabling the non-secure fallback mechanism
completely.

In particular, browsers should disable the non-secure fallback
mechanism completely before TLS 1.3 gets deployed, so that the TLS 1.3
design doesn't become unnecessarily reliant on the non-secure fallback
mechanism for compatibility. Otherwise, we may never be able to remove
it.

Cheers,
Brian

[1] http://telemetry.mozilla.org/#filter=release%2F32%2FSSL_TLS12_INTOLERANCE_REASON_POST
[2] https://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsNSSIOLayer.cpp?rev=916f2837201c#1047

v2.23.0 | Report a Bug | By Email