Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

Marsh Ray <marsh@extendedsubset.com> Mon, 09 November 2009 13:45 UTC

Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6EF913A6AD7 for <tls@core3.amsl.com>; Mon, 9 Nov 2009 05:45:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.432
X-Spam-Level:
X-Spam-Status: No, score=-2.432 tagged_above=-999 required=5 tests=[AWL=0.167, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bfnHK4lWiXqi for <tls@core3.amsl.com>; Mon, 9 Nov 2009 05:45:14 -0800 (PST)
Received: from mho-02-ewr.mailhop.org (mho-02-ewr.mailhop.org [204.13.248.72]) by core3.amsl.com (Postfix) with ESMTP id 9D8DE3A6AD4 for <tls@ietf.org>; Mon, 9 Nov 2009 05:45:14 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-02-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1N7UYu-000IUR-Ei; Mon, 09 Nov 2009 13:45:40 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id 27DFE6673; Mon, 9 Nov 2009 13:45:39 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX18EF5vytyuDZW51hzGiQPYLy/GvGrMvxUk=
Message-ID: <4AF81CFF.8010803@extendedsubset.com>
Date: Mon, 09 Nov 2009 07:45:35 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Yair Elharrar <Yair.Elharrar@audiocodes.com>
References: <CE2A65CAAFE55048BA6682475F9A7DBF5EA6E59A16@ACLMAIL01.corp.audiocodes.com>
In-Reply-To: <CE2A65CAAFE55048BA6682475F9A7DBF5EA6E59A16@ACLMAIL01.corp.audiocodes.com>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Nov 2009 13:45:15 -0000

Yair Elharrar wrote:
> The proposed draft is intended to resolve an MITM attack scenario,
> but is the new extension tamper-resistant?
> 
> Since the MITM handles all traffic between the real client and real
> server, it could add a fake extension to the 2nd ClientHello with its
> original verify_data, and empty the returned extension in the
> ServerHello.

A valid concern, which I believe is addressed by the fact that the
'Finished' message in TLS contains a MAC which covers extensions present
on the Client and Server Hellos.

IIRC, earlier SSLs did not cover extensions with a MAC.

> In addition, until such time that all clients in the world start
> supporting this extension (e.g. kiosks in airports), servers will
> have to support backward compatibility.

It will be a trade-off for each server admin to weigh and decide their
policy. I suspect many admins will prefer not to allow insecure
connections from unpatched airport kiosks.

> The MITM can downgrade every
> client by simply removing the extension from the ClientHello.

I think that is not the case with modern versions of TLS.

> Yair
> 
> 
> This email and any files transmitted with it are confidential
> material. They are intended solely for the use of the designated
> individual or entity to whom they are addressed. If the reader of
> this message is not the intended recipient, you are hereby notified
> that any dissemination, use, distribution or copying of this
> communication is strictly prohibited and may be unlawful.

Eeek!

> If you have received this email in error please immediately notify
> the sender and delete or destroy any copy of this message 

- Marsh