IETF Logo Mail Archive

Re: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv

mrex@sap.com (Martin Rex) Sat, 25 January 2014 06:48 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFEAA1A018B for <tls@ietfa.amsl.com>; Fri, 24 Jan 2014 22:48:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.552
X-Spam-Level:
X-Spam-Status: No, score=-6.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wb2fv1t0vmxc for <tls@ietfa.amsl.com>; Fri, 24 Jan 2014 22:48:39 -0800 (PST)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id EE3421A0168 for <tls@ietf.org>; Fri, 24 Jan 2014 22:48:38 -0800 (PST)
Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id s0P6mYld025030 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 25 Jan 2014 07:48:34 +0100 (MET)
In-Reply-To: <CACsn0cmHbBD5T5jWLemqu=RjunenEhp5VJ32PGwhinwmDavAsg@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Date: Sat, 25 Jan 2014 07:48:34 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20140125064834.B9E191ABC8@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Jan 2014 06:48:42 -0000

Watson Ladd wrote:
> Martin Rex <mrex@sap.com> wrote:
>>
>> The _only_ reasonable server response of a TLS server that supports TLSv1.2
>> to a ClientHello that contains an SCSV which indicates that the client
>> (a) supports TLSv1.2 and (b) would prefer to use TLSv1.2
>> is a ServerHello with server_version=TLSv1.2.
> 
> Some servers are version intolerant to TLS 1.0. For this reason, and
> not because of middleboxes, version fallback cannot be stopped.

Servers intolerant to TLSv1.0 have become close to non-existant.

Servers intolerant to TLSv1.1 and TLSv1.2, on the other hand,
are too many to ignore.

The fiscal authority of portugal newly commissioned in July 2013 a mandatory
(for Portugal businesses) web service that requires TLS client certs
(issued by the authority) and which will drop the connection when
receiving a TLS ClientHello with TLSv1.1 or TLSv1.2 in it.
Handshake succeeds with TLSv1.0 or SSLv3.


> 
> Some clients only offer SSL 3.0. Until these clients are gone, some
> servers will want to serve them.

No problem.

> 
> Right now these servers have a dilemma: they cannot serve the SSL 3.0
> population without permitting clients offering TLS 1.0 or higher to
> get forced back down to SSL 3.0 by an attacker.  There are real,
> unfixable problems with SSL 3.0, including the lack of an extension
> mechanism.

You can not force down the server, only the client.

SSLv3 has the EXACT SAME extension mechanism as TLS.

  http://tools.ietf.org/html/rfc6101#page-27

It's true that this was retrofitted into the SSLv3 protocol late 1996,
after the initial SSLv3 spec and initial implementations of SSLv3 had
been shipped.  And it's also true that Netscape and the TLS WG failed
badly in making the 18-Nov-1996 SSLv3 spec easily accessible, which
is listed in the references of TLSv1.0 [RFC2246].

  http://tools.ietf.org/html/rfc2246#page-77

Curiously, there are not just old, extensions-intolerant SSLv3 servers,
there are also extensions-intolerant TLSv1.0 servers.


>
> Unfortunately, TLS 1.0, 1.1, and 1.2 rely
> on extensions to indicate which curves are supported. It isn't
> possible to send at ServerHello back after
> seeing a ClientHello with "I tried TLS 1.2, and it didn't work"
> because sending back a ServerHello requires
> information you don't have, like what curves are supported.


You're misled.  It is perfectly possible to send back a TLSv1.2 ServerHello.
If the client doesn't support ECDHE, it will not include any ECC cipher
suites anyway.  The semantics of the presence of TLS cipher suites, but
no accompanying ECC TLS extension is also well-defined in the TLS ECC
spec (rfc4492).


> 
> This proposal solves that problem by letting clients indicate if they
> are dropping down because of fallback or because they cannot offer
> anything better.

This proposal does not solve anything at all.
When Server sends back a ServerHello with server_version=TLSv1.2, then the
client could still decide to abort the handshake if the client so desires.
When the server sends a fatal TLS alert, then interop has completely failed.

Calling a complete interop failure a "solution" is incompatible with
the mission of the IETF.


> 
> Your complaint about signature strength is utterly bogus.

No, it isn't.  That TLSv1.2 breakage would have been easily
avoidable.  And we can still fix it, rather than pretending
that a sha1-with-rsa digital signature would be a reasonable and
secure default choice for a protocol.


>
> Cleartext HTTP doesn't have a little lock in the address bar with a
> green color. Stop pretending that weak crypto is better than no
> crypto:
> as I've pointed out to you, I can train my mother to not put in her
> credit card number without seeing that green lock. I can't train her
> to evaluate connection strength.

When she starts surfing with a HTTP URL, then the little green lock
that onlyappears when she is prompted for her credit card provides
pretty close to zero security.


> 
> Why should the existence of middleboxes permit an active attacker to
> interfere when I visit my bank website from my home computer?
> Why should the fact that some corporate networks want to use TLS
> interception prevent websites from choosing not to permit that sort
> of attack, while still serving the IE6/XP clients? Why should we let
> the lowest common denominator drive the security of all our
> connections, even when better options are supported by both sides?

When better options are supported by both sides, then it is our
task to (a) make these peers interoperate and (b) negotiate&use
at least some of those better protocol features in a fashion that
will not blow up badly in case of spurious internet connectivity failures
or when new TLS software is tested in a few servers of a NATed
server farm.


Fatally aborting the handshake is the far opposite of a successful
negotiation.


-Martin

v2.23.0 | Report a Bug | By Email