Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

[Marsh Ray <marsh@extendedsubset.com>]

Yair Elharrar wrote:
> The proposed draft is intended to resolve an MITM attack scenario,
> but is the new extension tamper-resistant?
> 
> Since the MITM handles all traffic between the real client and real
> server, it could add a fake extension to the 2nd ClientHello with its
> original verify_data, and empty the returned extension in the
> ServerHello.

A valid concern, which I believe is addressed by the fact that the
'Finished' message in TLS contains a MAC which covers extensions present
on the Client and Server Hellos.

IIRC, earlier SSLs did not cover extensions with a MAC.

> In addition, until such time that all clients in the world start
> supporting this extension (e.g. kiosks in airports), servers will
> have to support backward compatibility.

It will be a trade-off for each server admin to weigh and decide their
policy. I suspect many admins will prefer not to allow insecure
connections from unpatched airport kiosks.

> The MITM can downgrade every
> client by simply removing the extension from the ClientHello.

I think that is not the case with modern versions of TLS.

> Yair
> 
> 
> This email and any files transmitted with it are confidential
> material. They are intended solely for the use of the designated
> individual or entity to whom they are addressed. If the reader of
> this message is not the intended recipient, you are hereby notified
> that any dissemination, use, distribution or copying of this
> communication is strictly prohibited and may be unlawful.

Eeek!

> If you have received this email in error please immediately notify
> the sender and delete or destroy any copy of this message 

- Marsh