Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt
Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 24 October 2014 14:54 UTC
Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4FA41A0B00 for <tls@ietfa.amsl.com>; Fri, 24 Oct 2014 07:54:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a_zgep1yDjee for <tls@ietfa.amsl.com>; Fri, 24 Oct 2014 07:54:22 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id 706A51A0AF1 for <tls@ietf.org>; Fri, 24 Oct 2014 07:54:22 -0700 (PDT)
Received: from [10.70.10.51] (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 4019CF984 for <tls@ietf.org>; Fri, 24 Oct 2014 10:54:18 -0400 (EDT)
Message-ID: <544A680F.4080307@fifthhorseman.net>
Date: Fri, 24 Oct 2014 10:54:07 -0400
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Icedove/32.0
MIME-Version: 1.0
To: tls@ietf.org
References: <CAO7N=i3gC=+qcgHU=aMKtRyT7tZV5fm=9gJii-=yOpcNECOEvA@mail.gmail.com> <20141022175238.GF19158@mournblade.imrryr.org> <544837FD.202@cs.tcd.ie> <2A0EFB9C05D0164E98F19BB0AF3708C71D3AF651E4@USMBX1.msg.corp.akamai.com> <5449A667.9040105@cs.tcd.ie> <20141024133728.GI19158@mournblade.imrryr.org> <544A5BB3.4000506@fifthhorseman.net> <20141024141215.GL19158@mournblade.imrryr.org>
In-Reply-To: <20141024141215.GL19158@mournblade.imrryr.org>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="EmiPA6lMJWhTOAiIIJkw0FhCKli0Eqftg"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/mDhaqEllY1ggaIy3MS1WARwNTqU
Subject: Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Oct 2014 14:54:25 -0000
Hi Victor-- On 10/24/2014 10:12 AM, Viktor Dukhovni wrote: > On Fri, Oct 24, 2014 at 10:01:23AM -0400, Daniel Kahn Gillmor wrote: > >> arguably, there are many such "grossly-misconfigured peers" right now >> with respect to RC4 (usually because of misguided attempts to protect >> against BEAST, aiui). These are servers that support something other >> than RC4, but select RC4 if a client offers it (even if it was the >> client's lowest priority). > > [ Note I was responding to Stephen's side note about opportunistic > security, we're no longer discussing the language of the draft. ] yes, agreed. thanks for making this explicit. > Indeed if RC4 were always selected for spurious reasons, then one > might be wise to disable it. We're not there yet, so in practice > opportunistic applications will not immediately change to adhere > to the draft. Yep, i understand. We're not at "always" yet, though some systems (MTAs as well as HTTP servers, iiuc) are indeed selecting RC4 for spurious reasons. >> So the safest OS approach in the context of a strongly-deprecated cipher >> $WEAK_CIPHER, for a client that is willing to ultimately fall back to >> cleartext would be, for any given peer P: >> >> * connect to P and offer TLS without $WEAK_CIPHER >> * if that fails with "no cipher overlap", then: >> * reconnect to P and offer TLS with $WEAK_CIPHER >> * if that fails for any reason, then: >> * reconnect to P with cleartext. > > That's too much code. MTAs are not browsers, there are no complex > multi-pass attempts to establish TLS. TLS either happens or does > not. If the handshake fails, some will retry in cleartext, others > will skip to the next MX host or defer the mail. > > With MTAs the remote end often has connection rate limits, and may > lower the "reputation" of clients that frequently disconnect without > completing a delivery. > >> This could probably be further improved by remembering which level of >> fallback succeeded on previous attempts, and refusing to fallback further. > > Sorry, MTAs don't maintain SQLite databases with peer history. > There is no interactive user to override stale pinned information. In the paragraphs above, you seem to be claiming both of: (a) MTAs keep state about their peers, so we can't do retries, and (b) MTAs don't keep state about their peers, so they can't remember what they've tried My understanding as an MTA operator, is that MTAs *do* keep state about their peers, and have (sometimes complex) logic about delivery choices, including on a per-destination or per-peer basis. Whether that state is an an SQLite database or not, i don't really care. I agree that it's all "too much code", and i'd love to have a nice simple clean TLS-only (and good-ciphers-only) MTA that has no fallback logic. But that's not going to cut it if we want to interop in today's world, and if we prioritize delivery over confidentiality and integrity (which i understand is the traditional prioritization for MTA operators, and i do it myself). I also understand that suggesting this behavior without a patch can be frustrating to MTA developers -- i'm sorry that i don't have time to produce such a patch for Postfix now. But that doesn't mean that the proposed logic isn't ultimately a sensible approach to try to advance confidentiality and integrity goals without harming deliverability. If we take the fallback approaches described above, and each fallback incurs a small delay, to avoid the peer reputation rejection scenarios, then mail being delivered to RC4-only peers would be minorly delayed upon first delivery, and mail being delivered to cleartext-only peers would be doubly delayed for first delivery. You could also build in a decay of recorded peer state, so that messages would continue to retry with the best-known level of security for a given peer, but would eventually fall-back to weaker fallbacks before discarding the messages as non-deliverable. In the event of a mail server that somehow loses better-than-RC4 ciphers or regresses to non-STARTTLS entirely, messages to that mailserver would be delayed but not lost. (this has the nice property "if you want your users to get their mail faster, you should ensure that your MTA offers stronger security", thereby tying together usability and security) Perhaps this discussion might be better continued on UTA, sorry if it's OT here. > Browser analogies and strategies work poorly or not at all when > misapplied to SMTP. I wrote the entire original message thinking specifically about SMTP, fwiw. Thanks for your work on opportunistic security, both here in the IETF and on Postfix itself, Victor. It's exciting to see someone leading the way forward with this. Regards, --dkg
- [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-… internet-drafts
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Martin Rex
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Watson Ladd
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Salz, Rich
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Alyssa Rowan
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Hanno Böck
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Bodo Moeller
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Bodo Moeller
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Alyssa Rowan
- [TLS] adopting ChaCha20 as a WG item was: I-D Act… Nikos Mavrogiannopoulos
- Re: [TLS] adopting ChaCha20 as a WG item was: I-D… Yoav Nir
- Re: [TLS] adopting ChaCha20 as a WG item was: I-D… Nikos Mavrogiannopoulos
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Salz, Rich
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Bodo Moeller
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Alyssa Rowan
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Andrei Popov
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Martin Rex
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Bodo Moeller
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Alyssa Rowan
- Re: [TLS] adopting ChaCha20 as a WG item was: I-D… Yoav Nir
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Geoffrey Keating
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Watson Ladd
- [TLS] why Chacha20-SHA1 was: adopting ChaCha20 as… Nikos Mavrogiannopoulos
- Re: [TLS] why Chacha20-SHA1 was: adopting ChaCha2… Joachim Strömbergson
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Yoav Nir
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Hubert Kario
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Hubert Kario
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Watson Ladd
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Peter Gutmann
- Re: [TLS] why Chacha20-SHA1 was: adopting ChaCha2… Brian Smith
- Re: [TLS] why Chacha20-SHA1 was: adopting ChaCha2… Watson Ladd
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… James Cloos
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Paul Lambert
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Ryan Carboni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Stephen Farrell
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Carl S. Gutekunst
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Watson Ladd
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… James Cloos
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Andrei Popov
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Martin Rex
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Yoav Nir
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Hubert Kario
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Martin Rex
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Ralph Holz
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Ronald del Rosario
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Daniel Kahn Gillmor
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Chris Newman
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Joseph Salowey
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Salz, Rich
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Andrei Popov
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Watson Ladd
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Andrei Popov
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Salz, Rich
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Alyssa Rowan
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Yoav Nir
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Ryan Carboni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Ryan Carboni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Salz, Rich
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Salz, Rich
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Stephen Farrell
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Paterson, Kenny
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Salz, Rich
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Hubert Kario
- [TLS] Fw: I-D Action: draft-ietf-tls-prohibiting-… Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Stephen Checkoway
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Salz, Rich
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Stephen Farrell
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Salz, Rich
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Stephen Farrell
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Daniel Kahn Gillmor
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Daniel Kahn Gillmor
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Geoffrey Keating
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Viktor Dukhovni
- Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-… Blumenthal, Uri - 0558 - MITLL