Re: [TLS] Renegotation redux
Nick Mathewson <nickm@torproject.org> Mon, 14 April 2014 18:40 UTC
Return-Path: <nick.a.mathewson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 387FC1A06AC for <tls@ietfa.amsl.com>; Mon, 14 Apr 2014 11:40:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.621
X-Spam-Level:
X-Spam-Status: No, score=0.621 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vQwXYocox8Qe for <tls@ietfa.amsl.com>; Mon, 14 Apr 2014 11:40:09 -0700 (PDT)
Received: from mail-la0-x231.google.com (mail-la0-x231.google.com [IPv6:2a00:1450:4010:c03::231]) by ietfa.amsl.com (Postfix) with ESMTP id 7715D1A06D9 for <tls@ietf.org>; Mon, 14 Apr 2014 11:40:07 -0700 (PDT)
Received: by mail-la0-f49.google.com with SMTP id mc6so5921617lab.22 for <tls@ietf.org>; Mon, 14 Apr 2014 11:40:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=EOAmnFZLNnn+aGZ7d458Pwtj0mbaDiXVqNAGUgiD3wE=; b=zEffu/yDtYlu+zx7hcs37ZjqwQseZeYwduOl52ycm6XsOwkxah2EubP815OHZ4upmW SQxDwXEOyuGICNK+Gl/XSpVVflPG3jZ/aSdLpJJHq8PfZck0FuuHb33dEq+yHlTonR+H mSqnTewdtjg4MODqUCIPWbZmkfszhOGY8Mh00hV9ficjjidcADod2kHtTgPX+gwWcDz/ Q5hip6I1BgVIacipsVjZLSeeKNu3Db+m34x2rkXUZFXrAcC+OTfYmbmLrS68WMcqzvQj uL3koZNGYqxeFU0+K0uLAEfy+riiBqAxCcQlk9HxKKFrwF5wqf0+YVusAHqHHFGDzoh/ q3Vg==
MIME-Version: 1.0
X-Received: by 10.152.120.168 with SMTP id ld8mr31212784lab.12.1397500804359; Mon, 14 Apr 2014 11:40:04 -0700 (PDT)
Sender: nick.a.mathewson@gmail.com
Received: by 10.112.90.5 with HTTP; Mon, 14 Apr 2014 11:40:04 -0700 (PDT)
In-Reply-To: <CACsn0c=mLgKor7PLPG0PNMYqJP9bDD1yfVeCzM0yUFwnkgMQXg@mail.gmail.com>
References: <CACsn0c=mLgKor7PLPG0PNMYqJP9bDD1yfVeCzM0yUFwnkgMQXg@mail.gmail.com>
Date: Mon, 14 Apr 2014 14:40:04 -0400
X-Google-Sender-Auth: 1wJT7B-ZaGjqL9KnVnLP9ovRMNk
Message-ID: <CAKDKvuwFgMqK-d8npBWA=9Tz83gtTWxwVB8s2y3rn=65-=-mmw@mail.gmail.com>
From: Nick Mathewson <nickm@torproject.org>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/pMtWhhCpMIQfssl7F2TIUSxTpCk
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Renegotation redux
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Apr 2014 18:40:10 -0000
On Mon, Apr 14, 2014 at 10:48 AM, Watson Ladd <watsonbladd@gmail.com> wrote: > Dear all, > > Are there any users of renegotiation beyond authentication with client > side certificates? In particular has anyone come up with a use for > changing the claimed identity of the server? > > I think we can do client authentication upgrades via a channel > extraction+signing solution while preserving the privacy currently > given by renegotiation. I haven't yet run Proverif on this solution, > so it might not work, but my intuition is that this will work better > than trying to expose the semantics of renegotiation correctly. So, I've got an example, but I hesitate to bring it up. Long ago, Tor added a link authentication mode in which we do an innocuous TLS handshake designed to look like a browser talking to a webserver, and then renegotiate with the actual parameters and certificates we wanted. The goal here was to resist attempts to block users from connecting to the network. Using renegotiation here was a mistake and a very bad design. The versions of Tor which prefer this link protocol are all deprecated now. Renegotiation was not a good solution for this problem, for a few reasons: * It only helped somewhat against blocking. It turns out that renegotiating in the way we were renegotiating was weird enough that it didn't actually make us less conspicuous. * It seriously complicated our code. * Because we depending on renegotiation, many of the workarounds for TLS renegotiation bugs broke our clients and servers. I'm only mentioning it here so nobody brings up Tor as an example of projects that need renegotiation. We would have been better off if we had never used renegotiation. Please do not cite Tor as a good use case for renegotiation. > Renegotation has been responsible for two major security issues, and > significantly complicates the TLS handshake state machine and > semantics. To add to the parade of ugliness: the presence of negotiation keeps programmers from implementing post-handshake TLS as a filter: you need a notion of "[TLS] read blocked on [TCP] write" and "[TLS] write blocked on [TCPl] read." This adds a great deal of complexity and bugginess to non-blocking programs that want to use TLS libraries. cheers, -- Nick Mathewson
- [TLS] Renegotation redux Watson Ladd
- Re: [TLS] Renegotation redux Salz, Rich
- Re: [TLS] Renegotation redux Juho Vähä-Herttua
- Re: [TLS] Renegotation redux Alyssa Rowan
- Re: [TLS] Renegotation redux Nick Mathewson
- Re: [TLS] Renegotation redux Nico Williams
- Re: [TLS] Renegotation redux Nico Williams
- Re: [TLS] Renegotation redux Watson Ladd
- Re: [TLS] Renegotation redux Nico Williams
- Re: [TLS] Renegotation redux Salz, Rich