Re: [TLS] PR for anti-downgrade mechanism
Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 09 October 2015 20:38 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D37C31A1B6E for <tls@ietfa.amsl.com>; Fri, 9 Oct 2015 13:38:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.579
X-Spam-Level:
X-Spam-Status: No, score=-1.579 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MISSING_HEADERS=1.021, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mz3YMzWMvXTU for <tls@ietfa.amsl.com>; Fri, 9 Oct 2015 13:38:01 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5FA8E1A1B6B for <tls@ietf.org>; Fri, 9 Oct 2015 13:38:01 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 3D047284B56; Fri, 9 Oct 2015 20:38:00 +0000 (UTC)
Date: Fri, 09 Oct 2015 20:38:00 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
Cc: tls@ietf.org
Message-ID: <20151009203759.GU15070@mournblade.imrryr.org>
References: <CABcZeBOB9mnQ8bLOCSysnx9LMv0hxrPCA21jTnxAMb3Yom_Aow@mail.gmail.com> <201510091615.54305.davemgarrett@gmail.com> <CABcZeBOtp4VLEcAWjBFoXcWJ6f=6vWyvc-MF82R5Ly_f+JrqVw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CABcZeBOtp4VLEcAWjBFoXcWJ6f=6vWyvc-MF82R5Ly_f+JrqVw@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/jmOB_DqcsNCC5J53Q-2uBqNQ_j0>
Subject: Re: [TLS] PR for anti-downgrade mechanism
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Oct 2015 20:38:03 -0000
On Fri, Oct 09, 2015 at 10:23:09PM +0200, Eric Rescorla wrote: > It's largely arbitrary, but the reasoning is as follows. There are > apparently some TLS 1.2 servers which randomly generate the entire server > random (and https://tools.ietf.org/html/draft-mathewson-no-gmtunixtime-00 would > encourage more to do so). The chance of a false positive between such > a server and a TLS 1.3 client is 2^{-32}, which seemed a bit high. Yes, law of large numbers. While any one session is unlikely to fail, the chance of some sessions failing needlessly becomes appreciable, and some of failures may be have high criticality and be latency sensitive. Of course packet corruption undetected by TCP checksums is perhaps more likely, and the client should treat this like as data corruption, rather than a MITM attack, and just reconnect and try again. The problem is that reconnecting is not something the TLS layer can do. And applications might not be instrumented to recover as quickly or as gracefully as they should. Plus, not all use of TLS is over unreliable network transports. TLS is also used over Unix domain sockets, where one does not expect either MITM attacks or data corruption. So even 2^{-48} is perhaps not quite low enough. I still think we're better off fixing serious problems in TLS 1.2 as we find them regardles of whether the server and client happen to also support 1.3. -- Viktor.
- [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Karthikeyan Bhargavan
- Re: [TLS] PR for anti-downgrade mechanism Yngve N. Pettersen
- Re: [TLS] PR for anti-downgrade mechanism Karthikeyan Bhargavan
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Short, Todd
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Salz, Rich
- Re: [TLS] PR for anti-downgrade mechanism Brian Smith
- Re: [TLS] PR for anti-downgrade mechanism Karthikeyan Bhargavan
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Brian Smith
- Re: [TLS] PR for anti-downgrade mechanism Martin Thomson
- Re: [TLS] PR for anti-downgrade mechanism Brian Smith
- Re: [TLS] PR for anti-downgrade mechanism Martin Thomson
- Re: [TLS] PR for anti-downgrade mechanism Brian Smith
- Re: [TLS] PR for anti-downgrade mechanism Karthikeyan Bhargavan
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Martin Thomson
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Dave Garrett
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Viktor Dukhovni
- Re: [TLS] PR for anti-downgrade mechanism Short, Todd
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism David Benjamin
- Re: [TLS] PR for anti-downgrade mechanism Martin Thomson
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Christian Huitema
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Christian Huitema
- Re: [TLS] PR for anti-downgrade mechanism Eric Rescorla
- Re: [TLS] PR for anti-downgrade mechanism Christian Huitema
- Re: [TLS] PR for anti-downgrade mechanism Colm MacCárthaigh
- Re: [TLS] PR for anti-downgrade mechanism Colm MacCárthaigh
- Re: [TLS] PR for anti-downgrade mechanism Joseph Salowey