Re: [TLS] RFC 7919 on Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS)

[Ilari Liusvaara <ilariliusvaara@welho.com>]

On Sat, Aug 27, 2016 at 01:27:15PM +0000, Peter Gutmann wrote:
> David Benjamin <davidben@chromium.org> writes:
> 
> >TLS 1.3 will resolve this with the new cipher suite negotiation, but I agree
> >this makes the specification basically undeployable with TLS 1.2. This issue
> >also got brought up here:
> >https://www.ietf.org/mail-archive/web/tls/current/msg18697.html
> 
> Hmm, good point.  So reading between the lines of the various comments on this
> issue, the feeling seems to be "ignore this RFC".  That more or less answers
> my question, I'll leave it out of TLS-LTS apart from mentioning it as another
> source of DH groups.

The bad thing about allowing server to specify arbitrary group is that
the group can be such that the client does not like it. E.g.

- Too short modulus
- Bad modulus
- Used subgroup not big enough.

The first one is essentially what kills the DH in TLS 1.2.
 
> >Barring unforeseen problems, Chrome will also lose DH in the next release.
> 
> Which will be yet another headache for people working with SCADA devices, who
> are seeing themselves locked out more and more from being able to admin their
> systems when browser vendors arbitrarily decide to deprecate long-established
> mechanisms. 

It is not "arbitrarily". Thinking back, every TLS-related deprecation I
am aware of is because at least one of:

- The mechanism is known to have serious security issues.
- The mechanism causes serious usability issues.
- Virtually nobody uses it (and any use is probably due to misconfig).

And with browsers, deprecating stuff takes way more time than it should
because of "compatiblity".

Most of this is because of bad design. Back in 2002 we would have had
all the technology necressary to design stuff that would still be
standing 14 years later in 2016, with no hint of breaking in near
future. Sure, it would be relatively slow, but that's no security
issue.

TLS is full of bad decisions (many inherited from SSL v3) that are
still haunting us, and it takes pretty much radical redesign (a.k.a.
TLS 1.3) to fix it.

> Couldn't Chrome include an optional legacy mode that just works with existing
> systems, perhaps triggered by access to a device at an RFC 1918 address?
> There really is, in some cases, nothing available any more that will talk to
> entire families of SCADA devices because browsers assume the only thing that
> matters is the public WWW and won't accommodate anything that isn't.

Even supporting systems like that is serious security issue. Basically
if one even supports weak crypto, there usually are ways to enable it
when it should not be enabled, totally compromising security.

Whitness the multitude of attacks against TLS that exploit support
for weak crypto or bad protocol versions. Even if "disabled".

> (At some point someone's going to figure out they can make a lot of money by
> taking Firefox 3.0, rebranding it, and selling it as an embedded device
> management solution, because it'll talk to all the things that current
> browsers won't any more).

Well, I'm not aware of anything stopping anyone from doing that...


-Ilari