Re: [TLS] An SCSV to stop TLS fallback.
Ralf Skyper Kaiser <skyper@thc.org> Sat, 07 December 2013 14:05 UTC
Return-Path: <skyper@thc.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 739A21AE2FF for <tls@ietfa.amsl.com>; Sat, 7 Dec 2013 06:05:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M0rxQaV-D3qY for <tls@ietfa.amsl.com>; Sat, 7 Dec 2013 06:05:46 -0800 (PST)
Received: from mail-ie0-x22c.google.com (mail-ie0-x22c.google.com [IPv6:2607:f8b0:4001:c03::22c]) by ietfa.amsl.com (Postfix) with ESMTP id 2B3AC1AE2C8 for <tls@ietf.org>; Sat, 7 Dec 2013 06:05:46 -0800 (PST)
Received: by mail-ie0-f172.google.com with SMTP id qd12so3355300ieb.17 for <tls@ietf.org>; Sat, 07 Dec 2013 06:05:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thc.org; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=dOSE7nxbrthCKoUWqj2KuEweGFpzkxZ8pLAo0VG1lik=; b=czywrVRrnjew30qvOZVpyvoRGTlBewkJswTd5BjwDUbWGBZGaOXRpGhqrKQpdnCbab mjJOW8MCXPo7KRLqk1Zc/ScouO9Kreb1kcVsOjX1vxlUHN3mjHJFG4XDjBB3jY+sC9xE Nd9Hkmyt1BjD8baqhrDmXa2xyR7GPHd5ianWg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=dOSE7nxbrthCKoUWqj2KuEweGFpzkxZ8pLAo0VG1lik=; b=Hc1P+qSlsATkN9D8sMwYjVMZFf7VB4HX8GvpNoFh1k/7W8HrbhUo5lZGfYh09g0I6O OJd8OLiLpzR7M2LFdCvFdk5PStvpPhzCN93jKswm4UyGDoIGsTTSGpDkvbn8PXXtY4a0 sDiTf1izYCbdtdd9VoiG6d8XQ02hPyw+SmMrlQZqAjKgYlVZQtGdIws4NpgLD8Y/1q+4 p6cur8C6H1hS82SPTQ0Io7auRRvOBhIjoUnl5LgVNq4xcNhqi3iVFPtzTb5F/h331CAO Aj68KoDt4YdEAtRkCP7SoryPvoxOPzxkFnjkLC5+Yw0kgf4KDK5ftTTZw0JR54xqM6+n Zk4g==
X-Gm-Message-State: ALoCoQloEDfgxM1xetJaDKSBYxbpC/l/3wxLvctuqgdIr0mT+VHA5HZ3iJGrHKK+51AnHwIvKkCC
MIME-Version: 1.0
X-Received: by 10.50.136.201 with SMTP id qc9mr6812978igb.11.1386425141824; Sat, 07 Dec 2013 06:05:41 -0800 (PST)
Received: by 10.64.9.41 with HTTP; Sat, 7 Dec 2013 06:05:41 -0800 (PST)
X-Originating-IP: [87.106.82.87]
In-Reply-To: <52A2FB32.30004@gmail.com>
References: <CAL9PXLzWPY5o2SeV=kUPWxznkw+3cmpbMpYifCebfqd48VW9UA@mail.gmail.com> <CAFewVt42cSELgfiDa2M7OWwBcpEgcqNzHL4oAEjJ_3GJ8TEPrg@mail.gmail.com> <CA+BZK2rbjcx+sT9BU5sjKsuH81N+02xdLD3CmreaGzjRn-ibdA@mail.gmail.com> <52A2FB32.30004@gmail.com>
Date: Sat, 07 Dec 2013 14:05:41 +0000
Message-ID: <CA+BZK2qm75eqW9ZmvEozM_9R2xYJMmov8dyn4qz=ppJ84grrZw@mail.gmail.com>
From: Ralf Skyper Kaiser <skyper@thc.org>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="089e01229ed816732e04ecf2429e"
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] An SCSV to stop TLS fallback.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Dec 2013 14:05:48 -0000
Hi Yaron, TLS Version Pinning: I do not have a solution for the cluster situation but I assume that the same problem exists for pinning of the certificate. It should be solved the same way. I think this would solve the fallback issue in an elegant way with a feature that is anyway already coming to the browsers and without protocol modifications. CIPHER-SUITE Pinning: We are already making the judgment call which ciphers are NULL, WEAK and STRONG. If I use 'STRONG' on my first connect I would not like to be downgraded to WEAK even that in general I would like to have weak enabled in my browser for other websites. regards, ralf On Sat, Dec 7, 2013 at 10:40 AM, Yaron Sheffer <yaronf.ietf@gmail.com>wrote: > Hi Ralf, > > I like the idea of pinning the version number, but I don't think it will > work well in clusters without significant tinkering (i.e., protocol > changes): the client connects to cluster member A which has just upgraded > to TLS 1.3 and immediately pins that server to 1.3. Now it connects to > another cluster member which is still on TLS 1.2, and the connection is > reset. > > I don't understand how you could pin "ECDHE" - you would need to define > whether DHE is better or worse than ECDHE, and I don't think we want to > make that judgment call. > > Thanks, > Yaron > > > On 12/07/2013 12:31 AM, Ralf Skyper Kaiser wrote: > >> Hi, >> >> the draft only concerns HTTPS (no other client side implementation >> attempts a reconnect when it receives >> a RST on TLS 1.x [which is bad to start with but apparently necessary]). >> >> A solution that solves some of the mentioned problems without any >> protocol change is >> to pin the TLS version the same way as certificates are pinned. And >> while pinning the TLS >> version it should also be considered to pin the cipher suite ("Use this >> cipher suite or >> a better one"). >> >> After first connect the client will not allow any lesser security (TLS >> 1.3, ECDHE, ..) than the one >> used on last connect. >> >> regards, >> >> ralf >> >> >> On Wed, Nov 27, 2013 at 1:42 AM, Brian Smith <brian@briansmith.org >> <mailto:brian@briansmith.org>> wrote: >> >> On Mon, Nov 25, 2013 at 3:27 PM, Adam Langley <agl@google.com >> <mailto:agl@google.com>> wrote: >> > In the event that a client is making a fallback connection, it >> > includes TLS_FALLBACK_SCSV (0x5600) in the list of cipher suites. A >> > current server which sees this cipher suite in a ClientHello SHOULD >> > return a fatal alert, inappropriate_fallback (86) and abort the >> > connection. >> >> Adam, I think what you propose makes sense. However, I think it might >> not be ideal if there are any circumstances where the browser could >> accidentally fall back to a lower version--e.g. falling back after a >> timeout or falling back in response to the connection being reset. >> AFAICT, we currently have to do fallback from TLS 1.2 -> TLS 1.1 and >> from TLS 1.1 -> TLS 1.0 in response to connection resets. There will >> be some false positives here. In addition to potentially reducing the >> security of the connection, these fallback connections add a lot of >> latency. If we attempt a fallback connection in response to a >> connection reset, and we receive an inappropriate_fallback alert, then >> we'd have to make yet *another* connection without the fallback. All >> other things being equal, it would be better if the server could >> respond respond exactly as it would with a TLS 1.2 ClientHello, >> without downgrading the cipher suite or any other feature, more like >> what Martin Rex suggested. >> >> However, I don't think it is realistic to backport features all the >> way to SSL 3.0. The information in the TLS extensions is too >> important, and trying to define good defaults for missing extensions >> that make sense long-term seems like it will just bind our hands too >> much in the future. >> >> So, we should could consider backporting TLS 1.2 cipher suites to TLS >> 1.1 and TLS 1.0, but then using your suggested inappropriate_fallback >> for for SSL 3.0 handshakes only. >> >> Whether this complication is justified depends on how frequently we >> receive false-positive connection resets (and anything else that can >> be a false positive) and how much we care about optimizing performance >> for that case. >> >> Cheers, >> Brian >> -- >> Mozilla Networking/Crypto/Security (Necko/NSS/PSM) >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org <mailto:TLS@ietf.org> >> https://www.ietf.org/mailman/listinfo/tls >> >> >> >> >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> >> _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Andy Wilson
- Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Trevor Perrin
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Trevor Perrin
- Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
- Re: [TLS] An SCSV to stop TLS fallback. Brian Smith
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Jack Lloyd
- Re: [TLS] An SCSV to stop TLS fallback. Manger, James H
- Re: [TLS] An SCSV to stop TLS fallback. Wan-Teh Chang
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Wan-Teh Chang
- Re: [TLS] An SCSV to stop TLS fallback. Manuel Pégourié-Gonnard
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Marsh Ray
- Re: [TLS] An SCSV to stop TLS fallback. Douglas Stebila
- Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
- Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
- Re: [TLS] An SCSV to stop TLS fallback. James Cloos
- Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
- Re: [TLS] An SCSV to stop TLS fallback. Manuel Pégourié-Gonnard
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Marsh Ray
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
- Re: [TLS] An SCSV to stop TLS fallback. Daniel Kahn Gillmor
- Re: [TLS] An SCSV to stop TLS fallback. Brian Smith
- Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
- Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
- Re: [TLS] An SCSV to stop TLS fallback. Yaron Sheffer
- Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
- Re: [TLS] An SCSV to stop TLS fallback. Yaron Sheffer
- Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
- Re: [TLS] An SCSV to stop TLS fallback. Manuel Pégourié-Gonnard
- Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
- Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller