Re: [TLS] POODLE applicability to TLS 1.0+ (was Re: Working Group Last Call for draft-ietf-tls-downgrade-scsv-00)
Brian Smith <brian@briansmith.org> Tue, 21 October 2014 06:21 UTC
In-Reply-To: <CADMpkcJGbwY9R2tQ+t0=HbhWcnqecY8r6FCW=L5Q-K89D+2mcA@mail.gmail.com>
References: <CAFewVt62pXB8+gv5ozPFSvzYeW-MJgE-61dRLpQUEWWs+0UX-A@mail.gmail.com> <CADMpkcJGbwY9R2tQ+t0=HbhWcnqecY8r6FCW=L5Q-K89D+2mcA@mail.gmail.com>
Date: Mon, 20 Oct 2014 23:21:50 -0700
Message-ID: <CAFewVt7TLPpp32_DNAQowXkfQ=CEZ5e=DKEX7UYSDa_Cdyq+ag@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
To: Bodo Moeller <bmoeller@acm.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/pXTaHrevXLE4JOtNja7O3TvFPqY
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] POODLE applicability to TLS 1.0+ (was Re: Working Group Last Call for draft-ietf-tls-downgrade-scsv-00)
On Mon, Oct 20, 2014 at 10:32 PM, Bodo Moeller <bmoeller@acm.org> wrote:
> Brian Smith <brian@briansmith.org>:
>
>> 2. The downgrade-scsv draft should be changed to say that implementations
>> MUST always send the TLS_FALLBACK_SCSV when ClientHello.client_version
>> indicates TLS 1.1 or lower if the client supports TLS 1.2.
>
> Maybe, but note that this doesn't actually help against the concrete
> problem with old buggy NSS servers (because these don't handle
> TLS_FALLBACK_SCSV).

First of all, even that old version of NSS is not buggy, according to the spec.

My main concern isn't with old versions of NSS. My main concern is that we do not know how many TLS 1.0 servers actually check the padding, but we've assumed that all of them do, even though TLS 1.0 does not require checking the padding. Note that a 100% conformant TLS 1.0 implementation could add TLS_FALLBACK_SCSV support exactly as spec'd and still be vulnerable to POODLE if it doesn't check the padding in CBC-mode records. Again, I think this is something worth adding to the security considerations of the TLS_FALLBACK_SCSV draft.

> For strong protection against bugs in old protocol versions, the only
> option is to disallow those versions completely.

Yes, but TLS 1.0 implementations can mitigate the risk, as most do, by checking the padding conforms to the TLS 1.0 requirements. And, so can SSL 3.0 implementations, right? Checking that SSL 3.0 CBC-mode records conform to the TLS 1.0 padding rules is likely to cause some interop problems, but those interop problems would be much less severe than disabling SSL 3.0 completely, right? I checked and most implementations of SSL 3.0 are following the TLS 1.0 padding rules in records that they send, including IE6 on XP, AFAICT. It seems to me that that is a better solution for websites that refuse to disable SSL 3.0 because they feel they need IE6 support, compared to switching to RC4-only for SSL 3.0.

What do you think?

Cheers,
Brian
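Added example (editor's illustration, not part of Brian's message and not code from NSS or any other implementation) of the receiver-side padding check the message is about. The record format, the 8-byte Feistel "block cipher", the keys, the secret cookie and the use of HMAC-SHA1 in place of SSL 3.0's real MAC are all constructed for the demo. The sender always emits TLS 1.0 style padding (every padding byte equal to pad_len), as Brian reports most SSL 3.0 senders do; the only difference between the two receivers is whether they verify those bytes. Against the SSL 3.0 style receiver the POODLE substitution (copy the ciphertext block holding the target byte over the all-padding block and watch whether the record is accepted) recovers the secret one byte per ~256 tries; against the receiver applying the TLS 1.0 rule the oracle never fires.

```python
"""POODLE padding oracle in miniature: SSL 3.0 rule (check only pad_len byte)
versus TLS 1.0 rule (every padding byte must equal pad_len). Constructed toy
cipher, keys, MAC and record layout; only the padding logic mirrors the real
protocols."""
import hashlib
import hmac
import random

BLOCK = 8     # toy block size, like 3DES in SSL 3.0
MAC_LEN = 20  # SHA-1 sized MAC tag


def _f(key: bytes, half: bytes, i: int) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def _feistel(key: bytes, block: bytes, rounds) -> bytes:
    # 4-round Feistel network; decryption runs the same rounds backwards (constructed toy cipher)
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in rounds:
        l, r = r, bytes(a ^ b for a, b in zip(l, _f(key, r, i)))
    return r + l


def block_encrypt(key, block):
    return _feistel(key, block, range(4))


def block_decrypt(key, block):
    return _feistel(key, block, reversed(range(4)))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)


def mac(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()  # stand-in for the SSL 3.0 MAC


def encrypt_record(enc_key, mac_key, iv, data):
    """Sender: data || MAC || padding || pad_len, every padding byte == pad_len (TLS 1.0 style)."""
    body = data + mac(mac_key, data)
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return cbc_encrypt(enc_key, iv, body + bytes([pad_len]) * (pad_len + 1))


def decrypt_record(enc_key, mac_key, iv, ct, strict_padding):
    """Receiver: returns data, or None to reject.
    strict_padding=False: SSL 3.0 rule, only the final pad_len byte is examined.
    strict_padding=True:  TLS 1.0 rule (RFC 2246 6.2.3.2), each padding byte must equal pad_len."""
    pt = cbc_decrypt(enc_key, iv, ct)
    pad_len = pt[-1]
    if pad_len >= BLOCK or len(pt) < pad_len + 1 + MAC_LEN:  # SSL 3.0 bound: padding <= one block
        return None
    if strict_padding and any(b != pad_len for b in pt[-pad_len - 1:-1]):
        return None
    body = pt[:-pad_len - 1]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return data if hmac.compare_digest(tag, mac(mac_key, data)) else None


def make_parties(secret, strict_padding, seed=1):
    """Constructed victim browser (send) and server (accept) sharing one CBC session."""
    rng = random.Random(seed)                 # seeded so the run reproduces (constructed, not a real IV source)
    enc_key, mac_key = b"k" * 16, b"m" * 16   # constructed keys

    def send(prefix, suffix_len):             # attacker's JavaScript shaping a request around the cookie
        iv = bytes(rng.getrandbits(8) for _ in range(BLOCK))
        return iv, encrypt_record(enc_key, mac_key, iv, prefix + secret + b"A" * suffix_len)

    def accept(iv, ct):                       # all the attacker learns: accepted or rejected
        return decrypt_record(enc_key, mac_key, iv, ct, strict_padding) is not None

    return send, accept


def poodle_recover_secret(send, accept, secret_len, max_tries=10000):
    """Recover the secret byte by byte from the accept/reject oracle; None if the oracle never fires."""
    out = bytearray()
    for index in range(secret_len):
        prefix = b"P" * ((BLOCK - 1 - index) % BLOCK)               # secret[index] lands in a block's last byte
        suffix_len = -(len(prefix) + secret_len + MAC_LEN) % BLOCK  # data||MAC ends on a block boundary,
        target = (len(prefix) + index) // BLOCK                     # so the final block is pure padding
        found = None
        for _ in range(max_tries):
            iv, ct = send(prefix, suffix_len)
            blocks = [iv] + [ct[j:j + BLOCK] for j in range(0, len(ct), BLOCK)]  # blocks[k+1] is C_k
            last = len(blocks) - 1
            # MITM step: replace the padding block with the ciphertext block holding the target byte
            if accept(iv, b"".join(blocks[1:last] + [blocks[target + 1]])):
                # accepted iff the moved block decrypted to pad_len == BLOCK-1 in its last byte, i.e.
                # P_target[-1] ^ C_{target-1}[-1] ^ C_{last-2}[-1] == BLOCK-1
                found = (BLOCK - 1) ^ blocks[target][-1] ^ blocks[last - 1][-1]
                break
        if found is None:
            return None
        out.append(found)
    return bytes(out)
```

Run `poodle_recover_secret(*make_parties(b"tok=Sesame", strict_padding=False), 10)` to see the cookie come back, and the same call with `strict_padding=True` to see it return None: the sender never changed, only the receiver started verifying the padding bytes it was already being sent.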