Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard

Yoav Nir <ynir.ietf@gmail.com> Sat, 17 January 2015 07:55 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/fUDuVmfotPxdQptviZB101ECnW8>

> On Jan 17, 2015, at 7:07 AM, Jeffrey Walton <noloader@gmail.com> wrote:
> 
> On Fri, Jan 16, 2015 at 4:04 PM, Bodo Moeller <bmoeller@acm.org> wrote:
>> Hanno Böck <hanno@hboeck.de>:
>> 
>>> I think this adds further evidence that adding another workaround layer
>>> (SCSV) is the wrong thing to do. Instead browsers should just stop
>>> doing weird things with protocols that compromise security and drop
>>> the protocol dance completely.
>> 
>> Also, quite clearly, we can't yet know how the TLS 1.3 (1.4, 1.5, ...)
>> rollout will work out.
>> 
> The WG should be solving problems that do exist; and not manufactured
> problems or theoretical future problems that don't exist.

They’re not theoretical. Servers that do not tolerate (0x03,0x04) in ClientHello exist *now*. Surprisingly, some of those do support TLS 1.2 and Renegotiation Info. Unless those are all gone by the time browsers roll out TLS 1.3, there will be a problem to solve.

Yoav
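
Added example, not part of the original message or of the draft's text: a sketch of the server-side version handling under discussion, contrasting a version-tolerant server with one that rejects (0x03,0x04) and showing where the TLS_FALLBACK_SCSV check applies. The SCSV value {0x56,0x00} and the inappropriate_fallback alert (86) are as published in RFC 7507; the function names, the "abort" outcome used to model an intolerant server, and the sample ClientHello bodies are constructed for illustration.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600        # cipher suite value {0x56, 0x00} (RFC 7507)
INAPPROPRIATE_FALLBACK = 86       # alert description (RFC 7507)

def parse_client_hello(body: bytes):
    """Return (client_version, cipher_suites) from a ClientHello body
    (handshake payload only, without record or handshake headers)."""
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    off = 34                      # client_version (2) + random (32)
    off += 1 + body[off]          # skip session_id
    if off + 2 > len(body):
        raise ValueError("truncated ClientHello")
    (n,) = struct.unpack_from("!H", body, off)
    off += 2
    if n % 2 or off + n > len(body):
        raise ValueError("bad cipher_suites length")
    return version, list(struct.unpack_from("!%dH" % (n // 2), body, off))

def negotiate(body: bytes, server_max=(3, 3), tolerant=True):
    """Return ("version", v), ("alert", code) or ("abort", None)."""
    client_version, suites = parse_client_hello(body)
    if client_version > server_max:
        if not tolerant:
            # Assumption: models the intolerant servers described above,
            # which fail the handshake instead of answering with server_max.
            return ("abort", None)
        return ("version", server_max)   # correct: offer our highest version
    if TLS_FALLBACK_SCSV in suites and client_version < server_max:
        # Client signalled a fallback retry although we support something
        # newer: the retry was unnecessary or forced, so refuse it.
        return ("alert", INAPPROPRIATE_FALLBACK)
    return ("version", client_version)

def build_hello(version, suites):
    """Constructed sample ClientHello body: zero random, empty session_id,
    null compression, no extensions."""
    return (bytes(version) + bytes(32) + b"\x00"
            + struct.pack("!H", 2 * len(suites))
            + struct.pack("!%dH" % len(suites), *suites)
            + b"\x01\x00")

if __name__ == "__main__":
    hello_13 = build_hello((3, 4), [0xC02F])            # future client
    retry_11 = build_hello((3, 2), [0xC02F, 0x5600])    # fallback retry
    print(negotiate(hello_13))                  # tolerant TLS 1.2 server
    print(negotiate(hello_13, tolerant=False))  # intolerant server
    print(negotiate(retry_11))                  # SCSV catches the downgrade
```

The intolerant case is what pushes a client into the fallback retry in the first place; the SCSV check only helps when the server that receives the retry is updated and supports a higher version than the retry offers.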