IETF Logo Mail Archive

Re: [TLS] The TLS_FALLBACK_SCSV time bomb

Florian Weimer <fw@deneb.enyo.de> Sun, 26 October 2014 09:08 UTC

Return-Path: <fw@deneb.enyo.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43FCC1A701A for <tls@ietfa.amsl.com>; Sun, 26 Oct 2014 02:08:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.56
X-Spam-Level:
X-Spam-Status: No, score=-1.56 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oyz55mwn4M6o for <tls@ietfa.amsl.com>; Sun, 26 Oct 2014 02:08:41 -0700 (PDT)
Received: from albireo.enyo.de (albireo.enyo.de [46.237.207.196]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FA231A7016 for <tls@ietf.org>; Sun, 26 Oct 2014 02:08:41 -0700 (PDT)
Received: from [172.17.203.2] (helo=deneb.enyo.de) by albireo.enyo.de with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) id 1XiJoU-0000br-Qm; Sun, 26 Oct 2014 10:08:38 +0100
Received: from fw by deneb.enyo.de with local (Exim 4.80) (envelope-from <fw@deneb.enyo.de>) id 1XiJoU-0004l0-JH; Sun, 26 Oct 2014 10:08:38 +0100
From: Florian Weimer <fw@deneb.enyo.de>
To: Andrei Popov <Andrei.Popov@microsoft.com>
References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com> <543F9893.806@redhat.com> <543FA0A0.1030205@polarssl.org> <543FCAED.50502@redhat.com> <2A0EFB9C05D0164E98F19BB0AF3708C71D39ECECB4@USMBX1.msg.corp.akamai.com> <5440E005.6000607@redhat.com> <180027849.13041583.1413544466157.JavaMail.zimbra@redhat.com> <CADMpkcL2mntDd0dOruziqF0F=xURnqGgd_YkpF+ONzz8v-wQ9Q@mail.gmail.com> <1354095824.13104897.1413553221955.JavaMail.zimbra@redhat.com> <CADMpkcLRCsfQSr0=f97kXJw3RwHN5A79MYQ2j7XaxPxUy2MCLg@mail.gmail.com> <CABkgnnUBYtWUY-CZDDzFiDpMWYbca74o6kejh2Q3L+FHVaHoOA@mail.gmail.com> <d8ce6c7437404bcbbea3a17e5c0b1582@BL2PR03MB419.namprd03.prod.outlook.com> <CADMpkcK4wCkLMU_Ga2fX3CWxXyU+D1Qgg1s77ttVq6LTo50XxA@mail.gmail.com> <loom.20141018T210052-775@post.gmane.org> <cd39914207d247008c0d054e71206efc@BL2PR03MB419.namprd03.prod.outlook.com> <CADMpkc+cC6WGZ8J-=exsjBnPPtvm0gs5_VaaSzKmjqXZyJNmug@mail.gmail.com> <ad51b80ad13342f4989448f21ede2538@BL2PR03MB419.namprd03.prod.outlook.com> <87egtw84bc.fsf@mid.deneb.enyo.de> <b47b8bfc8cc548debba4e7430e297dd6@BY2PR03MB427.namprd03.prod.outlook.com>
Date: Sun, 26 Oct 2014 10:08:38 +0100
In-Reply-To: <b47b8bfc8cc548debba4e7430e297dd6@BY2PR03MB427.namprd03.prod.outlook.com> (Andrei Popov's message of "Sat, 25 Oct 2014 22:05:14 +0000")
Message-ID: <87k33nci5l.fsf@mid.deneb.enyo.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/os8B9DZyUI7WdpCZxrCY1f6ezr0
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] The TLS_FALLBACK_SCSV time bomb
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Oct 2014 09:08:43 -0000

* Andrei Popov:

> Yes, there is some truth in what you say. Downgrade-SCSV is a hack,
> but it will be hard/impossible to convince browser vendors to stop
> doing fallbacks. Perhaps that's because browsers compete on
> interoperability and connectivity, not security?

There's some discussion about disabling fallback in this Mozilla bug,
but I don't know it will turn out because I'm not familiar with
Mozilla's processes:

  <https://bugzilla.mozilla.org/show_bug.cgi?id=1084025>

What's odd is that competing on interoperability should also prevent
other useful security enhancements, but it does not happen
consistently: disabling MD5 in certificates, minimum RSA key sizes,
stricter Same-Origin Policy enforcement, click-to-play, and, more
recently, disabling SSL 3.0 by default (only announced by Mozilla so
far).  So it appears that failure-inducing security improvements are
completely off the table simply because vendors fear that users will
just switch to a browser that happens to work.

v2.40.4 | Report a Bug | By Email | System Status