IETF Logo Mail Archive

Re: [TLS] Prohibiting SSL 3.0

mrex@sap.com (Martin Rex) Fri, 31 October 2014 02:31 UTC

Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 742FE1A8A86 for <tls@ietfa.amsl.com>; Thu, 30 Oct 2014 19:31:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.551
X-Spam-Level:
X-Spam-Status: No, score=-6.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pWmSda4z5YHD for <tls@ietfa.amsl.com>; Thu, 30 Oct 2014 19:31:42 -0700 (PDT)
Received: from smtpde01.smtp.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2EF281A8A83 for <tls@ietf.org>; Thu, 30 Oct 2014 19:31:41 -0700 (PDT)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) by smtpde01.smtp.sap-ag.de (Postfix) with ESMTPS id E721054B08; Fri, 31 Oct 2014 03:31:39 +0100 (CET)
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id DA76F44A06; Fri, 31 Oct 2014 03:31:39 +0100 (CET)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id CBB741AF6E; Fri, 31 Oct 2014 03:31:39 +0100 (CET)
In-Reply-To: <CACsn0cn0CFxt-tnnkTr8OF41uLxx8SGTNM8yK90SUiJDPgcN_Q@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Date: Fri, 31 Oct 2014 03:31:39 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20141031023139.CBB741AF6E@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/pBOLTnn-2-OzfFiy_fUBQW9Sk-k
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Prohibiting SSL 3.0
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Oct 2014 02:31:44 -0000

Watson Ladd wrote:
>>
>> And recap the stated properties of the protocol:
>>
>>   https://tools.ietf.org/html/rfc5246#appendix-F
>>
>>   https://tools.ietf.org/html/rfc5246#appendix-F.2
> 
> Those sources say TLS provides a secure channel.  Maybe that means
> something different to you then me, but to me that means
> INT-PTXT+IND-CCA2, aka "looks like a wire strung between the
> machines", aka "I can do what I want, and an attacker will have no
> hope". Or was this warning intended to be "don't trust this with
> anything important, because it can bite"?

To me, the second sentence of Appendix F:

   This document makes several traditional assumptions, including that
   attackers have substantial computational resources and cannot obtain
   secret information from sources outside the protocol.

says pretty clearly that TLS is not designed to provide protection from
an attacker who can gain almost full control over one of the communication
endpoints and can exploit this to get data of his own liking and data
that the attacker would like to discover mixed according to the attackers
choice with attacker supplied data and sent over the very same TLS-protected
communication channel.


An attack which I would consider scary is one that works like an
attack against the OpenSSL CVE-2014-0224 out-of-sequence ChangeCipherSpec
implementation bug (which is not a protocol defect, mind you).

When one of the 80 million affected andoid clients (smartphones, tablets)
talks to a still-vulnerable server, then a pure network-MitM attacker
(with ZERO control over the endpoint) can get in between the two,
read and modify the entire communication in both directions to his
own liking, and neither communication will notice anything unusual
or be aware that this attack ever happened.  no errors, no unusual
delays, no additional load, no failed requests, no repeated requests
no downgrades.



-Martin

v2.23.0 | Report a Bug | By Email