[TLS] Downgrade protection, fallbacks, and server time

David Benjamin <davidben@chromium.org> Wed, 01 June 2016 22:29 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id BFAD212D0CE for <tls@ietfa.amsl.com>; Wed, 1 Jun 2016 15:29:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.125
X-Spam-Status: No, score=-4.125 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id vKt5T3TmrOF5 for <tls@ietfa.amsl.com>; Wed, 1 Jun 2016 15:29:17 -0700 (PDT)
Received: from mail-io0-x22f.google.com (mail-io0-x22f.google.com [IPv6:2607:f8b0:4001:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C21F12D0C7 for <tls@ietf.org>; Wed, 1 Jun 2016 15:29:17 -0700 (PDT)
Received: by mail-io0-x22f.google.com with SMTP id p194so31085773iod.1 for <tls@ietf.org>; Wed, 01 Jun 2016 15:29:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:from:date:message-id:subject:to; bh=PRUWT+7HkgtHfVvLqyiWbzlDcZEbjY3W+KkTwzONBpM=; b=d/oA/q6CCgUVFG+QUuLLiaRiQJ8g/Guj+LOlNga/f4C3tqaLfNrAqV4DG5f4ETEqMg rqAv6/BziUmqLEtMlZkfqiKx8ptqtrs+VoNFgVbqZW1mJ3VecBrBC9G9cSZIX7SOXFJ2 exe8+Nwf1Z2G78zNikBxbjirUorxPVPlvWkH4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=PRUWT+7HkgtHfVvLqyiWbzlDcZEbjY3W+KkTwzONBpM=; b=QSPF44aJr8HJjMJefjvxfQvTHaay07hpiuEgAqsZetWPYdwR5qyqU4OtyMIRrKJxVa iapE7ObRe367f5Xz9114N3KKc1NP/JYBuOnh//Au3RubfBSqYjdIE1+OZvmbFwZtcD3A WJI0OOAX4yS6EZd9Wmn3GOjL2pyHlSEG+p7n84zokKi10Tl9u/R3d418DXbpI2PtwYre sTBakRVY9+fWaSRESIBc/j8SWWUkcK2ot11qgpm6qw7Wh854H0aYROeCNdO1dwV4yKdL TP9Tv+xuI8ho9iEBfsk0k0HedO0nMXE2RFonr3qpGLgIq+BfzbM9u1UfX3c+g9O0vqVW sE9A==
X-Gm-Message-State: ALyK8tJ3mTdbNQKTe5ORWJd9PRIDtzd0/ApXZJr4RQ/zKaqEvG0tIrQHsUpgjDndqpS/Z9PESJn8KrAymMiqAFve
X-Received: by with SMTP id w63mr144286ioe.110.1464820156695; Wed, 01 Jun 2016 15:29:16 -0700 (PDT)
MIME-Version: 1.0
From: David Benjamin <davidben@chromium.org>
Date: Wed, 01 Jun 2016 22:29:06 +0000
Message-ID: <CAF8qwaDuGyHOu_4kpWN+c+vJKXyERPJu-2xR+nu=sPzG5vZ+ag@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary=001a114467c219c3d205343f058c
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/la87rmkU4Ay0hrhyiddmbjOQRsY>
Subject: [TLS] Downgrade protection, fallbacks, and server time
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jun 2016 22:29:20 -0000

In case folks hoped we could bump the ClientHello version without those
dreaded browser fallbacks, I have bad news. :-( 1.3 intolerance very much
exists. (Maybe we should just give up on ClientHello.version and use an
extension? Extensions have rusted less.)

I picked a large list of top sites and tried connecting to them. Just under
2% of them could handle a TLS 1.2 ClientHello, but not the same ClientHello
with the version switched to 1.3 (no other changes, so I haven't tested a
real 1.3 ClientHello). They're not unknown hosts either. I expect if you
probe any top site list, you'll very quickly find some.

Fortunately, the ServerHello.random trick fixes this. But it currently
clobbers the old server timestamp which tlsdate[1] uses for clock
synchronization. There really should be a less silly secure timestamping
protocol, but, today, tlsdate has users. Any servers which expect to be a
tlsdate target can't honor this MUST without tlsdate gone.

(FALLBACK_SCSV works fine as well, but I gather people prefer the
ServerHello.random one and would be unhappy having to implement both in
clients with a fallback because not all servers do the latter.)

I mentioned this before, but rather than clobbering the first 8 bytes, the
last 8 bytes seems as reasonable and avoids this unnecessary complication
to TLS 1.3 deployment. If folks agree now that the fallback's resurrection
is more certain, I'm happy to put together a PR.


[1] https://github.com/ioerror/tlsdate