Re: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]

David Benjamin <davidben@chromium.org> Thu, 02 June 2016 15:22 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A393912D5A2 for <tls@ietfa.amsl.com>; Thu, 2 Jun 2016 08:22:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.125
X-Spam-Level:
X-Spam-Status: No, score=-4.125 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2TB2ocN1vQ9B for <tls@ietfa.amsl.com>; Thu, 2 Jun 2016 08:22:13 -0700 (PDT)
Received: from mail-io0-x231.google.com (mail-io0-x231.google.com [IPv6:2607:f8b0:4001:c06::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48DBC12D5A9 for <tls@ietf.org>; Thu, 2 Jun 2016 08:22:13 -0700 (PDT)
Received: by mail-io0-x231.google.com with SMTP id k19so35698236ioi.3 for <tls@ietf.org>; Thu, 02 Jun 2016 08:22:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=aVvUoaBDD9t3cgs5lXpCrLp3GrIRtIAnrNcrZMAQdjo=; b=V1uVI/YraPtqiFD5WjIvLrTJv6ItjbjykB816OABWPnrUNGKmcFfuoCZRulcpvOckW R1eDoDdSzjkZmS6GWo8Ko2ifNcJbb/JHX7lL3xmf571c9WbGIKkRg1KduMAIimZzElkd 01U2LcrTMq0cBLQWCw+H3tuILuSF9mkY2AQjE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=aVvUoaBDD9t3cgs5lXpCrLp3GrIRtIAnrNcrZMAQdjo=; b=ezwYEULivHUBcaIv+Gz5Rv2Mt/RBojAgodj/IFUjDTj7QdF7ToXGnrTv2JfbphaeCb aGRSRdZ0CpFvSS19+Xih3dbpaqk6xnFkyfyZbmrwV42ZD3fMzTa0sbEAO8ffNzlxdcke d3gPcdlUIdlV7n4SZwdEk0DKmpf4Vr9cbfglaRh2WwXaKwjxWfUGYY8BS5Scn2d9ZTUG MPhOIgEHun5dW2VKBWDfprpiwhutofmlXGOr8rE5czNSKFPeuJ7AANSH4X+MBx6qDm9f r47eb38Kp9WGSsFD3LhdYQnevxNwjgZm3hyhtxj7GW1EM+uFXlCu38/d8eDMZgVeSUH+ c2fg==
X-Gm-Message-State: ALyK8tLX6znCMNXaG9bWb1Tf4MoUI2JLofM+oUcN8K1cUmawnV6AgArUAqGN5mAIOd1P826OlbACfg9YeeFsheqC
X-Received: by 10.107.9.10 with SMTP id j10mr4294099ioi.97.1464880932509; Thu, 02 Jun 2016 08:22:12 -0700 (PDT)
MIME-Version: 1.0
References: <CAF8qwaDuGyHOu_4kpWN+c+vJKXyERPJu-2xR+nu=sPzG5vZ+ag@mail.gmail.com> <1464852691.5804.1.camel@redhat.com> <DBDC810F-B93F-4294-AB43-87B04DFE88D1@gmail.com> <3713097.ExV049UdFl@pintsize.usersys.redhat.com> <CAF8qwaASpH3Fapo61TDBuF35++GyMbZa4c-9Uy-JZ8CKywpAFw@mail.gmail.com>
In-Reply-To: <CAF8qwaASpH3Fapo61TDBuF35++GyMbZa4c-9Uy-JZ8CKywpAFw@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Thu, 02 Jun 2016 15:22:03 +0000
Message-ID: <CAF8qwaA5_A0c9yhpjtReM-HRXLmy9y_2+8E9ey0QCgL4-Ks1TA@mail.gmail.com>
To: Hubert Kario <hkario@redhat.com>, tls@ietf.org
Content-Type: multipart/alternative; boundary=001a113f9b6a9f1cfd05344d2b63
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ogxB4yx_xuh2tM7xc0V9DqAYhBg>
Subject: Re: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jun 2016 15:22:22 -0000

On Thu, Jun 2, 2016 at 11:07 AM David Benjamin <davidben@chromium.org>;
wrote:

> On Thu, Jun 2, 2016 at 6:43 AM Hubert Kario <hkario@redhat.com>; wrote:
>
>> On Thursday 02 June 2016 11:39:20 Yoav Nir wrote:
>> > > On 2 Jun 2016, at 10:31 AM, Nikos Mavrogiannopoulos
>> > > <nmav@redhat.com>; wrote:>
>> > > On Wed, 2016-06-01 at 15:43 -0700, Eric Rescorla wrote:
>> > >> 2% is actually pretty good, but I agree that we're going to need
>> > >> fallback.
>> > >
>> > > Please not. Lets let these fallbacks die. Not every client is a
>> > > browser. TLS 1.3 must be a protocol which doesn't require hacks to
>> > > operate. CBC was removed, lets do the same for insecure fallbacks.
>> >
>> > Not every client is a browser, but some are. So what does the browser
>> > do when a server resets the connection after seeing the ClientHello?
>> >
>> > Blank screen with a failure message?
>>
>> fallback to check if the connection failure is caused by TLSv1.3, and if
>> it is, display error message and put the blame squarely on the server
>
>
(We already do that, by the way. That's exactly what
ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION in Chrome is.)


> We browser folk hate these fallbacks just enough as much as you do, if not
> more. I personally spent quite a lot of time and effort getting rid of it
> in Chrome (and I'm happy to say, as of Chrome 50, I seem to have
> succeeded). I'm sure my counterparts at Mozilla went through similar pains.
>
> But reality is what it is. The Law of the Internet is the last thing that
> changed is blamed. We have a limited "budget" we can spend breaking things
> (otherwise I'd have removed almost everything by now!) and there is no
> chance I can break all the hosts I found.
>
> I have been reaching out to figure out the broken vendors, but this is a
> slow process. It will not be flushed this out anytime soon. With TLS 1.3 as
> it stands, I think a browser fallback in the short to medium term is a
> certainty. (If your clients don't need it, then by all means don't add one!
> I envy you.)
>
> David
>