Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego

Michael D'Errico <mike-list@pobox.com> Thu, 12 November 2009 17:31 UTC

Return-Path: <mike-list@pobox.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5D3333A6ACD for <tls@core3.amsl.com>; Thu, 12 Nov 2009 09:31:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.575
X-Spam-Level:
X-Spam-Status: No, score=-2.575 tagged_above=-999 required=5 tests=[AWL=0.024, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2SC3+zM-jamQ for <tls@core3.amsl.com>; Thu, 12 Nov 2009 09:31:51 -0800 (PST)
Received: from sasl.smtp.pobox.com (a-pb-sasl-quonix.pobox.com [208.72.237.25]) by core3.amsl.com (Postfix) with ESMTP id 5A67F3A6AC2 for <tls@ietf.org>; Thu, 12 Nov 2009 09:31:50 -0800 (PST)
Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTP id CEE8B7EDAC for <tls@ietf.org>; Thu, 12 Nov 2009 12:32:18 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=pwPVVUJZXBDV UrXZhAMMKbwFRoI=; b=J3f8Cy27MQkdyM3v3JSyWj5OR0jXaju6iWHOwG09YoDR CQJEjvGWzPqwxYY2nf/INl3DpNkaVdAWRxHGn7ewRakZJ5GI7U5rX0GQJfHb/k2l JrlLUxu+Ne5alQ2aro+ia89W4wE0ioN2DE1Al2mhh2/sIFzXGZhIhulxHXsKoEE=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=fEhdz6 4aGJ0kChYFpxh0Q8GR+BcNSbfpT2SE3CSHSaqAwQd9zJgfHN6p6E65yRCURlj+nz 2TfQDO4PNVoSPC3rpYmNfx/t4Xps7/XPXttvQkPS1AgOwmYGYbfs9UoSnLcWyfx0 IKPaTr/s2TYXDymVkAijhwouKwJ4jjhG6h6xg=
Received: from a-pb-sasl-quonix. (unknown [127.0.0.1]) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTP id B52617EDAB for <tls@ietf.org>; Thu, 12 Nov 2009 12:32:18 -0500 (EST)
Received: from administrators-macbook-pro.local (unknown [24.234.114.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by a-pb-sasl-quonix.pobox.com (Postfix) with ESMTPSA id 270CD7EDAA for <tls@ietf.org>; Thu, 12 Nov 2009 12:32:17 -0500 (EST)
Message-ID: <4AFC46D8.9050905@pobox.com>
Date: Thu, 12 Nov 2009 09:33:12 -0800
From: Michael D'Errico <mike-list@pobox.com>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: tls@ietf.org
References: <200911092035.nA9KZviE026489@fs4113.wdf.sap.corp> <4AF8EF8F.3090100@jacaranda.org> <4AF8F7B4.7020101@pobox.com> <4AF8FDBD.4080003@jacaranda.org> <4AF9070E.4050305@jacaranda.org> <4AF99E04.3060604@pobox.com> <20091112055910.58D2369EF16@kilo.networkresonance.com>
In-Reply-To: <20091112055910.58D2369EF16@kilo.networkresonance.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Pobox-Relay-ID: 53A31CD6-CFB1-11DE-A875-9F3FEE7EF46B-38729857!a-pb-sasl-quonix.pobox.com
Subject: Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Nov 2009 17:31:52 -0000

Eric Rescorla wrote:
> At Tue, 10 Nov 2009 09:08:20 -0800,
> Michael D'Errico wrote:
>> A client that wants protection from this attack MUST send the extension
>> in its initial handshake.  Why don't you want to do that?
>>
>> The attack being discussed happens on the client's *initial* handshake.
>> The server sees it as a renegotiation, so the client needs to be able to
>> tell the server that it thinks it is performing an initial handshake.
>> That is exactly what this extension provides.  If you don't send the
>> extension on an initial handshake you are risking being attacked.
> 
> I don't see that that's the case: you're risking being attacked in
> any case if the server is not upgraded.

My point was that if the server *is* upgraded and the client does not
send the extension on its initial handshake, it is taking an unnecessary
risk.  It is relying on the server to not continue with an insecure
renegotiation.  While this is the recommended advice, it might not be
followed for practical reasons (as others have pointed out).  Therefore,
the client has just shot itself in the foot -- it had the knowledge of
how to avoid the attack but didn't use it.

>> All servers SHOULD disable renegotiation to protect clients, but it's
>> been said that this is impractical.  A server may be configured to allow
>> renegotiation even though it understands the new extension.  Thus by not
>> sending the extension in your initial handshake, you are just as
>> vulnerable, even though you could have prevented an attack.
> 
> I don't really agree with this: servers which allow renegotiation without
> this extension are unwise.

Right, but it will take a (long?) while before everybody can behave
according to the recommendations.

Mike