Re: [TLS] simplistic renego protection

[Martin Rex <mrex@sap.com>]

Eric Rescorla wrote:
> 
> At Wed, 18 Nov 2009 15:41:31 +0100,
> Simon Josefsson wrote:
> > 
> > <Pasi.Eronen@nokia.com> writes:
> > 
> > > It seems many of the drawbacks of tls-renegotiation-00 you mention 
> > > are in fact addressed (to some degree) in version -01? (mainly
> > > by including the "magic cipher suite") Compared to -01, what do
> > > you think the main differences are?
> > 
> > As far as I can tell, -01 does not fix (*) the problem for
> > clients/servers that uses
> > 
> >    a) a SSLv3 implementation, or
> >    b) a original TLSv1 implementation (e.g., RFC 2246), or
> >    c) a TLSv1.1 implementation without support for extensions.
> > 
> > Providing a solution only for the latest version of TLS is akin to ask
> > people to upgrade to the latest release of a particular software rather
> > than provide a simple fix to the existing deployed software.
> 
> I really don't understand this argument. Extensions are completely
> compatible with TLS 1.0, 1.1, and as has been observed by
> Martin, compatible in principle with SSLv3. Any fix will require
> some changes to people's software. I don't see how that consists
> at all of providing a solution only for the latest version of TLS.


We've been through this a few times.

There are going to be components out there that will not get
patched.  They might not implement renegotiation (or have it
disabled) and they're therefore not even vulnerable.

But we can not simply brick them (deny to talk SSL to them
in the future).

So Browsers will likely have to continue to offer an fallback
to extension-less ClientHello.

As long as Browsers do that, we can not protect them from
a downgrade attack -- unless we change the signaling for the
protected renegotiation into something that is going to be
interoperable with those old, unpatched and some even non-vulnerable
servers that are going to be with us for quite a while.


-Martin