Re: [TLS] Update on TLS 1.3 Middlebox Issues

Ilari Liusvaara <> Sat, 07 October 2017 17:28 UTC

Date: Sat, 7 Oct 2017 20:28:22 +0300
From: Ilari Liusvaara <>
To: Adam Langley <>
Cc: Hanno Böck <>, "" <>
Message-ID: <20171007172822.6plag25tzae6wzi4@LK-Perkele-VII>
References: <> <20171007091720.012fdb7b@pc1> <>
Subject: Re: [TLS] Update on TLS 1.3 Middlebox Issues

On Sat, Oct 07, 2017 at 09:38:24AM -0700, Adam Langley wrote:
> On Sat, Oct 7, 2017 at 12:17 AM, Hanno Böck <> wrote:
> > Alternative proposal:
> >
> > 1. Identify the responsible vendors.
> > 2. Tell all those vendors "You have 1 month to fix this. Fix it. Oh,
> > it's your customers who don't update? Seems you don't have any
> > reasonable update system. Call your customers, send some support staff
> > to them. Fix this. Now."
> > 3. Call for a boycott of the vendors who are not able to fix this.

> We're still testing, but it appears that a few,
> security-inconsequential changes to TLS 1.3 make it significantly more
> viable to deploy. That has got to be preferable to behaviours like
> fallback, which is very security-consequential. This has taken time
> because getting good exposure needs changes to both our frontends and
> to Chrome Stable, which makes the iteration time long. We can iterate
> much faster with local middleboxes (and we've bought several), but the
> diversity of firmware versions and configurations means that we can't
> get great testing coverage from that approach.

Yes, and with local testing one can't get the relative importances
right; it can only guide what to test in the field.

And even in field tests, there is the issue of survivorship bias. I think
that is the cause of the seeming conflicts between the results.

And even if the changes might not be directly consequential to
security, the changes to get through some more annoying middleboxes
might be quite annoying to implement.

E.g. there probably are several different middleboxes that have a
configuration that actually checks that the handshake looks valid,
which includes checks for things like ChangeCipherSpec being
present in both directions, even for resumption; while the non-
resumption mode might even verify the authentication signatures in
the handshake and not let the server send non-handshake messages
before sending its 2nd flight. Ugh, getting around those would be
pretty nasty.
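To make the checks described in the message above concrete, here is an added example (editor's code, not from the thread or from any vendor) of a hypothetical strict middlebox that walks the plaintext TLS record stream in both directions and complains when the first client message is not a ClientHello, the first server message is not a ServerHello, ChangeCipherSpec is missing in either direction, or the server sends a non-handshake record before its own CCS. The three flows are constructed with placeholder message bodies: a TLS 1.2 full handshake, a TLS 1.3 handshake without the dummy CCS records (where everything after ServerHello is carried as content type 23), and the same handshake in the compatibility-mode shape that RFC 8446 Appendix D.4 later standardised. The record and handshake header layouts are the real ones; everything else is an assumption about how such a box might behave.

```python
"""Hypothetical strict-middlebox handshake checker (added example, not any product's code)."""
import struct

# TLS record content types (RFC 5246 / RFC 8446 section 5.1).
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
# Handshake message types used below.
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE, SERVER_HELLO_DONE = 1, 2, 11, 14
CLIENT_KEY_EXCHANGE, FINISHED = 16, 20


def record(content_type, body, version=b"\x03\x03"):
    """Build one TLS record: type(1) || version(2) || length(2) || body."""
    return bytes([content_type]) + version + struct.pack("!H", len(body)) + body


def handshake(msg_type, body=b""):
    """Build one handshake message: type(1) || length(3) || body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def parse_records(data):
    """Split a byte stream into (content_type, payload) pairs; reject truncation."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype = data[off]
        length = struct.unpack("!H", data[off + 3:off + 5])[0]
        payload = data[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record body")
        records.append((ctype, payload))
        off += 5 + length
    return records


def check_flow(flights):
    """flights: list of (direction, bytes), direction 'C' (client) or 'S' (server).

    Returns the complaints a strict middlebox would raise; an empty list means
    the handshake 'looks valid' to it.
    """
    complaints = []
    ccs_seen = {"C": False, "S": False}
    first_hs = {"C": None, "S": None}
    for direction, data in flights:
        for ctype, payload in parse_records(data):
            if ctype == HANDSHAKE:
                if first_hs[direction] is None and payload:
                    first_hs[direction] = payload[0]
            elif ctype == CHANGE_CIPHER_SPEC:
                ccs_seen[direction] = True
            elif ctype == ALERT:
                pass  # alerts are tolerated at any point
            elif direction == "S" and not ccs_seen["S"]:
                # TLS 1.3 encrypted handshake records carry content type 23, so
                # to this box they look like application data sent too early.
                complaints.append(
                    "server sent non-handshake record type %d before its second flight" % ctype)
    if first_hs["C"] != CLIENT_HELLO:
        complaints.append("first client message is not ClientHello")
    if first_hs["S"] != SERVER_HELLO:
        complaints.append("first server message is not ServerHello")
    for side, name in (("C", "client"), ("S", "server")):
        if not ccs_seen[side]:
            complaints.append("no ChangeCipherSpec from %s" % name)
    return complaints


# Constructed sample flows; message bodies are placeholders, not real TLS data.
CCS = record(CHANGE_CIPHER_SPEC, b"\x01")

TLS12_FULL = [  # CCS in both directions, server app data only after its CCS
    ("C", record(HANDSHAKE, handshake(CLIENT_HELLO, b"ch"))),
    ("S", record(HANDSHAKE, handshake(SERVER_HELLO, b"sh") + handshake(CERTIFICATE, b"cert")
                 + handshake(SERVER_HELLO_DONE))),
    ("C", record(HANDSHAKE, handshake(CLIENT_KEY_EXCHANGE, b"cke")) + CCS
          + record(HANDSHAKE, handshake(FINISHED, b"fin"))),
    ("S", CCS + record(HANDSHAKE, handshake(FINISHED, b"fin")) + record(APPLICATION_DATA, b"http")),
]

TLS13_PLAIN = [  # no CCS anywhere; everything after ServerHello is type 23
    ("C", record(HANDSHAKE, handshake(CLIENT_HELLO, b"ch"))),
    ("S", record(HANDSHAKE, handshake(SERVER_HELLO, b"sh")) + record(APPLICATION_DATA, b"enc-ee-cert-fin")),
    ("C", record(APPLICATION_DATA, b"enc-fin")),
    ("S", record(APPLICATION_DATA, b"http")),
]

TLS13_COMPAT = [  # dummy CCS records in the RFC 8446 D.4 positions
    ("C", record(HANDSHAKE, handshake(CLIENT_HELLO, b"ch"))),
    ("S", record(HANDSHAKE, handshake(SERVER_HELLO, b"sh")) + CCS + record(APPLICATION_DATA, b"enc-ee-cert-fin")),
    ("C", CCS + record(APPLICATION_DATA, b"enc-fin")),
    ("S", record(APPLICATION_DATA, b"http")),
]

if __name__ == "__main__":
    for name, flow in (("TLS 1.2 full", TLS12_FULL), ("TLS 1.3 plain", TLS13_PLAIN),
                       ("TLS 1.3 compat", TLS13_COMPAT)):
        print(name, check_flow(flow) or "OK")
```

Running it shows the point of the thread: the TLS 1.2 flow and the compatibility-mode TLS 1.3 flow pass, while the plain TLS 1.3 flow draws four complaints (server data before its second flight, twice, and a missing CCS in each direction). Note that the dummy CCS changes nothing cryptographically; it only makes the record stream resemble what the box expects.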