[TLS] Way to go everybody! TLS FTW!
Marsh Ray <marsh@extendedsubset.com> Tue, 10 August 2010 18:35 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C1B373A68B1 for <tls@core3.amsl.com>; Tue, 10 Aug 2010 11:35:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.699
X-Spam-Level:
X-Spam-Status: No, score=-0.699 tagged_above=-999 required=5 tests=[AWL=-0.700, BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L1aL8TMnCrEW for <tls@core3.amsl.com>; Tue, 10 Aug 2010 11:35:45 -0700 (PDT)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 37BB33A6AB1 for <tls@ietf.org>; Tue, 10 Aug 2010 11:35:22 -0700 (PDT)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1Oitfz-000LVg-E4 for tls@ietf.org; Tue, 10 Aug 2010 18:35:51 +0000
Received: from [192.168.1.15] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 61D946087 for <tls@ietf.org>; Tue, 10 Aug 2010 18:35:49 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX1+HkZhSnp6lEdI8Vun7ZdheL2DuHpHZMKI=
Message-ID: <4C619C03.3060809@extendedsubset.com>
Date: Tue, 10 Aug 2010 13:35:47 -0500
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.11) Gecko/20100713 Thunderbird/3.0.6
MIME-Version: 1.0
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: [TLS] Way to go everybody! TLS FTW!
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Aug 2010 18:35:47 -0000
Today, this "Patch Tuesday", Microsoft releases KB980436 which adds support for RFC 5746 the Renegotiation Indication Extension http://www.microsoft.com/technet/security/bulletin/ms10-049.mspx This is a major accomplishment, Microsoft clearly has as many affected products and systems as anybody. Although they may be bringing up the rear among the vendors, the rear has clearly been brought up. In less than one year (10 months since public disclosure), we've taken an exceptionally thorny protocol security bug and helped and encouraged the great majority of the industry to quickly deploy a fix. To put this in perspective, I'll be talking on Thurs (Usenix Security 10) about another protocol (NTLM/MSCHAP v1,2) which has been subject to a known credentials forwarding attack for about the last 16 years without a proper fix! Alice connects to wifi in coffeehouse, Bob gets into VPN. It's that bad. This list was especially active back in Nov-Dec when the public discussion began. Lots of us put in extra effort discussing every detail to death making sure the IETF-endorsed solution would close the security hole, preserve the needed functionality, and cause minimal disruption during deployment. The only work remaining in this mitigation is to not let everyone forget to eventually migrate to strict rather than compatible mode. There was more than one person (mostly not on this list) who said it couldn't be done, yet it was. Certainly there there will be systems which do not deploy the fix, but such unmaintained systems become less relevant over time and are probably vulnerable through many other vectors already. I think everyone on this list deserves a pat on the back (I would buy the next round if I could :-). - Marsh
- [TLS] Way to go everybody! TLS FTW! Marsh Ray
- Re: [TLS] Way to go everybody! TLS FTW! Matt McCutchen
- Re: [TLS] Way to go everybody! TLS FTW! Marsh Ray
- Re: [TLS] Way to go everybody! TLS FTW! Matt McCutchen