IETF Logo Mail Archive

Re: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3

Bodo Moeller <bmoeller@acm.org> Tue, 19 November 2013 12:21 UTC

Return-Path: <SRS0=DFJz=U4=acm.org=bmoeller@srs.kundenserver.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 148171ADF59 for <tls@ietfa.amsl.com>; Tue, 19 Nov 2013 04:21:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.454
X-Spam-Level:
X-Spam-Status: No, score=-1.454 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.525, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id swWjzfyfkVsU for <tls@ietfa.amsl.com>; Tue, 19 Nov 2013 04:21:14 -0800 (PST)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.17.8]) by ietfa.amsl.com (Postfix) with ESMTP id 84AD91ADF4E for <tls@ietf.org>; Tue, 19 Nov 2013 04:21:14 -0800 (PST)
Received: from mail-ob0-f181.google.com (mail-ob0-f181.google.com [209.85.214.181]) by mrelayeu.kundenserver.de (node=mrbap1) with ESMTP (Nemesis) id 0Lp8j6-1VFAAx0ejE-00fQ3F; Tue, 19 Nov 2013 13:21:07 +0100
Received: by mail-ob0-f181.google.com with SMTP id uy5so446326obc.12 for <tls@ietf.org>; Tue, 19 Nov 2013 04:21:05 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=RLUhJZIzFB3ZyDDQe6JhgAxCnGJweYPrd0gxAMSL9OY=; b=LC1rAKoz/dyUrhLx/nLAaHowCwYEHQ6IuNS7iubW9gsgwcU6UtGZCLkZXN+8Xb7OvP yBCi4KtBeHLpPiFKNzTga9HODvxtnRMrDTkZVIEC4fhAHqjhJA66krh0QP3y2B54WEeH UDjGG8O/n+dO/ilUIoc3hdpz+rjH7UXR1AIzffdar83YcXITyf5r9yooxJjssLtYRK3t RwgKEC9jrLgo7OPuKJRYD75iQ6OTwBu04CDshfw5aPvqKaZyHU4QdzouKDE+6nvUEcqw 0IgEGIH9XNyrL8Vw9mD4NKFIbiJAw5Xoy9g5sfqASdhPVa1S1aNpRVSSaTs4xepqDhHC Tpcg==
MIME-Version: 1.0
X-Received: by 10.182.18.102 with SMTP id v6mr134746obd.71.1384863665859; Tue, 19 Nov 2013 04:21:05 -0800 (PST)
Received: by 10.60.137.194 with HTTP; Tue, 19 Nov 2013 04:21:05 -0800 (PST)
In-Reply-To: <CACsn0cmoiQph7mSfTxsKs+O-9iRYAVeHcp73tCuVuCyofi5oMg@mail.gmail.com>
References: <CA+BZK2q_f_JrdkdJRC1MirPH2yzRL2Y_28fi4e2MGdc5Uxnksg@mail.gmail.com> <20131107200815.F24AB1AA69@ld9781.wdf.sap.corp> <CA+BZK2o411meJDkLwnwOudrkr-G_eWeFx0tirLhUCoSnKsddEg@mail.gmail.com> <CACsn0cmoiQph7mSfTxsKs+O-9iRYAVeHcp73tCuVuCyofi5oMg@mail.gmail.com>
Date: Tue, 19 Nov 2013 13:21:05 +0100
Message-ID: <CADMpkcKmpLa3TrF4f_=VachFUU5KZDt1haoRggBjheZo0+sBow@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="001a11c339e6ddb45604eb86b2b1"
X-Provags-ID: V02:K0:YwTyZu6/cSHK7J5aGvMFU93/6ac+El2es1kIGXHBugL naWDMmARkjwC52qTBA5UjIUXqdtn2yCykYmam768vazCrTSNFI W2cvLj2x9KkwQtdcnL273taSM+fUBawe3XiqVGPtB2kL49ewdA 5J0hjcOeHxXAF619Vh447b+5OGNYxY742y/LND/nnt4cOdDVKm RFFu8kaLl624C1P518I6y8rHo5knRq2Eaza8D+fRNwjZo1Yzsb VZHJ1QXKtQtI0tGmhK2YUe6G9PZzSWzeBq12q2gOzYgOQ7al+L PR6U6YSbz65XVnYY/vujiG7XJvTAXvuoSk4kPMt14s1jZ2/CDT erwtnu3NALHBoOhYV/FvtOxAsg/TgzAUj+kOTNtCyk+wMbHzRW PhvMOguWnqQXdU9opDYWmBSLmyDL+mjoNKV/JqtJd7pQOECIKi j+3KA
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Nov 2013 12:21:16 -0000

2013/11/8 Watson Ladd <watsonbladd@gmail.com>

 > The downgrade attack to TLS 1.2 is possible and would trigger the SNI to
> be
> > send in clear again.
> > (It requires an active attack).
> Why wasn't this fixed years ago?


This is not an easy question to answer.  (Yes, it certainly *should* have
been fixed years ago.)


> The client should indicate the
> highest offered version when falling back, and the server should
> signal if there is a problem. This was an issue with SSL 3.0 and TLS
> 1.0. It's still an issue today because SSL 3.0 is still out there.


See https://tools.ietf.org/html/draft-bmoeller-tls-downgrade-scsv-00 for a
proposal intended to be particularly simple.

(This is not the first proposal in this spirit; see, e.g.,
http://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-version-cs.txt.
 A recurring complaint is that TLS instead should promote interoperability,
which I think is not a valid complaint: While interoperability should be
better than it is, (1) this doesn't extend to interoperability with
attackers, and (2) it's a false dichotomy --
deploying draft-bmoeller-tls-downgrade-scsv-00 would deal with security
problems that arise as implementations work around interoperability
problems, but that I-D won't get in your way in any way, shape or form if
you do in fact manage to avoid those interoperability problems that
currently are often handled by version downgrades.)

Bodo

v2.23.0 | Report a Bug | By Email