Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard

Michael Clark <michael@metaparadigm.com> Thu, 22 January 2015 08:52 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ljYybg3dPlq0KpX5O5zYM7BNRXM>

On 22/1/15 4:40 pm, Michael Clark wrote:

> = Appendix E.1 should state that servers MUST tolerate higher
>   ClientHello "Message Layer" TLS minor protocol versions rather
>   than recommend it and recommends the lower bound on the record
>   layer TLS minor protocol version. It states:
> 
>   "No single value will
>    guarantee interoperability with all old servers, but this is a
>    complex topic beyond the scope of this document."

This is the salient point. If laxity of the spec introduces an
attack vector then it is within the scope of the spec.

It seems { 3, 1 } should be the new minimum and version upgrade
intolerance should be a bug.

If the 1.6% of servers are fixed (assuming this is validated)
then SCSV and downgraded reconnect attempts in general should be
avoided.

~mc
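
Added example, not part of the original message or of any TLS library: a sketch of server-side version selection that tolerates a higher ClientHello version, enforces the { 3, 1 } floor proposed above, and applies the TLS_FALLBACK_SCSV check from the draft. The function names, the server's maximum version and the sample ClientHello values are assumptions; the SCSV value and alert numbers are those assigned in RFC 7507 and RFC 5246.

```python
# Added illustration; negotiate() and outcome() are hypothetical helpers.
TLS_FALLBACK_SCSV = 0x5600            # cipher suite value {0x56, 0x00}
ALERT_PROTOCOL_VERSION = 70           # fatal alert: version not supported
ALERT_INAPPROPRIATE_FALLBACK = 86     # fatal alert defined for the SCSV

SERVER_MIN = (3, 1)   # TLS 1.0, the minimum proposed in the message
SERVER_MAX = (3, 3)   # TLS 1.2, assumed highest version this server supports


class FatalAlert(Exception):
    def __init__(self, code):
        super().__init__(f"fatal alert {code}")
        self.code = code


def negotiate(client_version, cipher_suites,
              server_min=SERVER_MIN, server_max=SERVER_MAX):
    """Return the (major, minor) version for ServerHello, or raise FatalAlert."""
    # Downgrade check: the SCSV marks a retry at a lower version than the
    # client really supports. If the server could do better, refuse.
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max:
        raise FatalAlert(ALERT_INAPPROPRIATE_FALLBACK)
    # Version tolerance: a client_version above server_max is not an error;
    # the server simply answers with its own highest version.
    chosen = min(client_version, server_max)
    if chosen < server_min:
        raise FatalAlert(ALERT_PROTOCOL_VERSION)
    return chosen


def outcome(client_version, cipher_suites):
    """Return the chosen version, or the alert code the server would send."""
    try:
        return negotiate(client_version, cipher_suites)
    except FatalAlert as alert:
        return alert.code


if __name__ == "__main__":
    # Constructed ClientHello samples: (client_version, cipher_suites).
    samples = [
        ((3, 4), [0xC02F]),                     # newer client, no fallback
        ((3, 1), [0x002F, TLS_FALLBACK_SCSV]),  # fallback retry at TLS 1.0
        ((3, 0), [0x002F]),                     # SSL 3.0, below the floor
    ]
    for version, suites in samples:
        print(version, "->", outcome(version, suites))
```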