Re: [TLS] Prohibiting SSL 3.0

Bodo Moeller <bmoeller@acm.org> Fri, 31 October 2014 13:15 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/tls/k3BvZ1NTVohZDXj-jkoSRzgdC0w

Watson Ladd <watsonbladd@gmail.com>:

> No, the root of all evil is hiring a biology student for a summer to
> make a security protocol. It's a miracle SSLv3 works at all, showing
> that the Lord protects drunks, fools, and interns.

I don't think that's fair to Paul Kocher; see also
https://www.usenix.org/legacy/publications/library/proceedings/ec96/full_papers/wagner/wagner.pdf
for a protocol analysis done by people that I think don't have a biology
background. (Was Paul an intern or a paid consultant at that time? I
thought the latter [cf.
http://www.informatik.uni-trier.de/~ley/pers/hd/k/Kocher:Paul_C=]. He'd
been a consultant to RSA Data Security before, although the only thing I
seem to remember about his work at that time was that he found not much
wrong with RC4.)

It seems pretty safe to say that Phil Rogaway would have been able to spot
additional problems and improve the SSL 3.0 protocol, but this was years
before there was a systematic understanding of many of the relevant
concepts. Chosen-ciphertext attacks were a thing, but "authenticated
encryption" was unheard of. This was even before
http://web.cs.ucdavis.edu/~rogaway/papers/sym-enc.pdf.

Bodo