Re: [TLS] An SCSV to stop TLS fallback.

Adam Langley <> Tue, 26 November 2013 17:39 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 3D0E21ADF4F for <>; Tue, 26 Nov 2013 09:39:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.38
X-Spam-Status: No, score=-1.38 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id COvF4zQCeFjT for <>; Tue, 26 Nov 2013 09:39:08 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400c:c01::22d]) by (Postfix) with ESMTP id 241931ADE85 for <>; Tue, 26 Nov 2013 09:39:08 -0800 (PST)
Received: by with SMTP id oz11so4175918veb.4 for <>; Tue, 26 Nov 2013 09:39:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=OsG/ujJ6YtB4Zx996wzCvWUoUqIA4wxRkq+4LJ3coIc=; b=FTVEYig+YzgwshsTCIFYdvnF00epb6c+UM5VY/BHyNIRJ1C5ep/+9+xOIFhgLcxOVD 6nxlbMvFq4v9K4TDfePA2g+zkbUpbDFlboA8mHTrbjiOciltdQiZ7uP9E2MsZY0HfK+3 Z0bAE5nTHB3Og6bFv2k0GVpFFSfp9nPxTjqKoRyULJKOwIoz/1mw38uqartGvmqrO/Fi 9fDFIwMnrrPSuhn8kR04eKVKQ+0Dlhz3d0d+bwcYWaoVKn1A4nLYkGiyUHIuXPDL0l8Z WJ5a+jUXO8SDasSt/CdQyUPYau2cj2BYFiX1udvyRnvnwx0AKIam6sSj/wQvaLfXW+it 1WXw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=OsG/ujJ6YtB4Zx996wzCvWUoUqIA4wxRkq+4LJ3coIc=; b=YYmbkeSVuyOYld+tao71+04XuiRns4H0y6rmtwpEiGjokhCli34PfzUwy6T6TAjafo /gnFJan2ijA9I+sdl7ZKoW0ExToFdC3zeguQCrkmdYLW8FopB6LTd4hUbc3xuzF61D5a lTk41p9iAlWwTjlEkUy3Q8xtRUMhVt8JmRQfUDVC8A85xDlPl/+qAMvAIH3O3tigs4Rd 4njb1Rl87Zh2EIXIriNGH/ShMK/XWvp5K67RbYwp7dv47UX3zJHddonmZRs+hdgkhRd8 cqCMiZUqfXzuxHXCMtGE01trP8cm/+gPQEJCTPM8AYLsGKdcKNceNet5sD/BS+vo8SR9 VssQ==
X-Gm-Message-State: ALoCoQn9A3OdURsj41cfm89l0aGsPqXEIaCA8z7AgkF+OKAi6lMta1fSt9EhyzHnIEzwSBC0yvxtRI1GYXFO++05QKDNtiZjgJXTh0Gt80qt/h1ybaNpTisMmUn6KhQKs84Gpx0YXAoCEsSGHZB0I7FQ+VqlOxMFAE01Dr9u1H1elOoQotaazQNhyeHyzqZI8ywO1KkzCJil
X-Received: by with SMTP id a11mr6234509vcz.26.1385487547830; Tue, 26 Nov 2013 09:39:07 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Tue, 26 Nov 2013 09:38:47 -0800 (PST)
In-Reply-To: <>
References: <> <>
From: Adam Langley <>
Date: Tue, 26 Nov 2013 12:38:47 -0500
Message-ID: <>
To: Trevor Perrin <>
Content-Type: text/plain; charset=UTF-8
Cc: "" <>
Subject: Re: [TLS] An SCSV to stop TLS fallback.
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 26 Nov 2013 17:39:09 -0000

On Mon, Nov 25, 2013 at 9:33 PM, Trevor Perrin <> wrote:
> Are these MITM products using special root certs installed in the
> browser for MITM purposes?


> If so, could the browser simply allow
> SSLv3 fallback only when connecting to a cert under such an installed
> root, while otherwise rejecting such a fallback?

Yes, but I don't believe that would be viable on the Internet as a
whole. There are certainly many HTTPS servers on the Internet that
need fallback in order to function. We would like not to break them
while stopping them dragging everyone's security down. So we still
need some way to identify non-broken servers. At the moment we're
doing that with an "if (is_google)", but that's just an experiment. We
would need an SCSV or the existing renego signal to deploy this
properly in any case, although a root check would fix the current