Re: [TLS] An SCSV to stop TLS fallback.

Ralf Skyper Kaiser <skyper@thc.org> Sat, 07 December 2013 14:05 UTC

Return-Path: <skyper@thc.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 739A21AE2FF for <tls@ietfa.amsl.com>; Sat, 7 Dec 2013 06:05:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M0rxQaV-D3qY for <tls@ietfa.amsl.com>; Sat, 7 Dec 2013 06:05:46 -0800 (PST)
Received: from mail-ie0-x22c.google.com (mail-ie0-x22c.google.com [IPv6:2607:f8b0:4001:c03::22c]) by ietfa.amsl.com (Postfix) with ESMTP id 2B3AC1AE2C8 for <tls@ietf.org>; Sat, 7 Dec 2013 06:05:46 -0800 (PST)
Received: by mail-ie0-f172.google.com with SMTP id qd12so3355300ieb.17 for <tls@ietf.org>; Sat, 07 Dec 2013 06:05:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thc.org; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=dOSE7nxbrthCKoUWqj2KuEweGFpzkxZ8pLAo0VG1lik=; b=czywrVRrnjew30qvOZVpyvoRGTlBewkJswTd5BjwDUbWGBZGaOXRpGhqrKQpdnCbab mjJOW8MCXPo7KRLqk1Zc/ScouO9Kreb1kcVsOjX1vxlUHN3mjHJFG4XDjBB3jY+sC9xE Nd9Hkmyt1BjD8baqhrDmXa2xyR7GPHd5ianWg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=dOSE7nxbrthCKoUWqj2KuEweGFpzkxZ8pLAo0VG1lik=; b=Hc1P+qSlsATkN9D8sMwYjVMZFf7VB4HX8GvpNoFh1k/7W8HrbhUo5lZGfYh09g0I6O OJd8OLiLpzR7M2LFdCvFdk5PStvpPhzCN93jKswm4UyGDoIGsTTSGpDkvbn8PXXtY4a0 sDiTf1izYCbdtdd9VoiG6d8XQ02hPyw+SmMrlQZqAjKgYlVZQtGdIws4NpgLD8Y/1q+4 p6cur8C6H1hS82SPTQ0Io7auRRvOBhIjoUnl5LgVNq4xcNhqi3iVFPtzTb5F/h331CAO Aj68KoDt4YdEAtRkCP7SoryPvoxOPzxkFnjkLC5+Yw0kgf4KDK5ftTTZw0JR54xqM6+n Zk4g==
X-Gm-Message-State: ALoCoQloEDfgxM1xetJaDKSBYxbpC/l/3wxLvctuqgdIr0mT+VHA5HZ3iJGrHKK+51AnHwIvKkCC
MIME-Version: 1.0
X-Received: by 10.50.136.201 with SMTP id qc9mr6812978igb.11.1386425141824; Sat, 07 Dec 2013 06:05:41 -0800 (PST)
Received: by 10.64.9.41 with HTTP; Sat, 7 Dec 2013 06:05:41 -0800 (PST)
X-Originating-IP: [87.106.82.87]
In-Reply-To: <52A2FB32.30004@gmail.com>
References: <CAL9PXLzWPY5o2SeV=kUPWxznkw+3cmpbMpYifCebfqd48VW9UA@mail.gmail.com> <CAFewVt42cSELgfiDa2M7OWwBcpEgcqNzHL4oAEjJ_3GJ8TEPrg@mail.gmail.com> <CA+BZK2rbjcx+sT9BU5sjKsuH81N+02xdLD3CmreaGzjRn-ibdA@mail.gmail.com> <52A2FB32.30004@gmail.com>
Date: Sat, 7 Dec 2013 14:05:41 +0000
Message-ID: <CA+BZK2qm75eqW9ZmvEozM_9R2xYJMmov8dyn4qz=ppJ84grrZw@mail.gmail.com>
From: Ralf Skyper Kaiser <skyper@thc.org>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Content-Type: multipart/alternative; boundary=089e01229ed816732e04ecf2429e
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] An SCSV to stop TLS fallback.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Dec 2013 14:05:48 -0000

Hi Yaron,

TLS Version Pinning:
I do not have a solution for the cluster situation but I assume that the
same problem exists for pinning of the certificate. It should be solved the
same way.

I think this would solve the fallback issue in an elegant way with a
feature that is anyway already coming to the browsers and without protocol
modifications.

CIPHER-SUITE Pinning:
We are already making the judgment call which ciphers are NULL, WEAK and
STRONG. If I use 'STRONG' on my first connect I would not like to be
downgraded to WEAK even that in general I would like to have weak enabled
in my browser for other websites.


regards,

ralf



On Sat, Dec 7, 2013 at 10:40 AM, Yaron Sheffer <yaronf.ietf@gmail.com>wrote;wrote:

> Hi Ralf,
>
> I like the idea of pinning the version number, but I don't think it will
> work well in clusters without significant tinkering (i.e., protocol
> changes): the client connects to cluster member A which has just upgraded
> to TLS 1.3 and immediately pins that server to 1.3. Now it connects to
> another cluster member which is still on TLS 1.2, and the connection is
> reset.
>
> I don't understand how you could pin "ECDHE" - you would need to define
> whether DHE is better or worse than ECDHE, and I don't think we want to
> make that judgment call.
>
> Thanks,
>         Yaron
>
>
> On 12/07/2013 12:31 AM, Ralf Skyper Kaiser wrote:
>
>> Hi,
>>
>> the draft only concerns HTTPS (no other client side implementation
>> attempts a reconnect when it receives
>> a RST on  TLS 1.x [which is bad to start with but apparently necessary]).
>>
>> A solution that solves some of the mentioned problems without any
>> protocol change is
>> to pin the TLS version the same way as certificates are pinned. And
>> while pinning the TLS
>> version it should also be considered to pin the cipher suite ("Use this
>> cipher suite or
>> a better one").
>>
>> After first connect the client will not allow any lesser security (TLS
>> 1.3, ECDHE, ..) than the one
>> used on last connect.
>>
>> regards,
>>
>> ralf
>>
>>
>> On Wed, Nov 27, 2013 at 1:42 AM, Brian Smith <brian@briansmith.org
>> <mailto:brian@briansmith.org>> wrote:
>>
>>     On Mon, Nov 25, 2013 at 3:27 PM, Adam Langley <agl@google.com
>>     <mailto:agl@google.com>> wrote:
>>      >   In the event that a client is making a fallback connection, it
>>      > includes TLS_FALLBACK_SCSV (0x5600) in the list of cipher suites. A
>>      > current server which sees this cipher suite in a ClientHello SHOULD
>>      > return a fatal alert, inappropriate_fallback (86) and abort the
>>      > connection.
>>
>>     Adam, I think what you propose makes sense. However, I think it might
>>     not be ideal if there are any circumstances where the browser could
>>     accidentally fall back to a lower version--e.g. falling back after a
>>     timeout or falling back in response to the connection being reset.
>>     AFAICT, we currently have to do fallback from TLS 1.2 -> TLS 1.1 and
>>     from TLS 1.1 -> TLS 1.0 in response to connection resets. There will
>>     be some false positives here. In addition to potentially reducing the
>>     security of the connection, these fallback connections add a lot of
>>     latency. If we attempt a fallback connection in response to a
>>     connection reset, and we receive an inappropriate_fallback alert, then
>>     we'd have to make yet *another* connection without the fallback. All
>>     other things being equal, it would be better if the server could
>>     respond respond exactly as it would with a TLS 1.2 ClientHello,
>>     without downgrading the cipher suite or any other feature, more like
>>     what Martin Rex suggested.
>>
>>     However, I don't think it is realistic to backport features all the
>>     way to SSL 3.0. The information in the TLS extensions is too
>>     important, and trying to define good defaults for missing extensions
>>     that make sense long-term seems like it will just bind our hands too
>>     much in the future.
>>
>>     So, we should could consider backporting TLS 1.2 cipher suites to TLS
>>     1.1 and TLS 1.0, but then using your suggested inappropriate_fallback
>>     for for SSL 3.0 handshakes only.
>>
>>     Whether this complication is justified depends on how frequently we
>>     receive false-positive connection resets (and anything else that can
>>     be a false positive) and how much we care about optimizing performance
>>     for that case.
>>
>>     Cheers,
>>     Brian
>>     --
>>     Mozilla Networking/Crypto/Security (Necko/NSS/PSM)
>>     _______________________________________________
>>     TLS mailing list
>>     TLS@ietf.org <mailto:TLS@ietf.org>
>>     https://www.ietf.org/mailman/listinfo/tls
>>
>>
>>
>>
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>>  _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>