IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

Florian Weimer <fweimer@redhat.com> Wed, 15 October 2014 16:25 UTC

Return-Path: <fweimer@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54E921A047A for <tls@ietfa.amsl.com>; Wed, 15 Oct 2014 09:25:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1cHc4xrsz_qD for <tls@ietfa.amsl.com>; Wed, 15 Oct 2014 09:25:37 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9F8F1A88CD for <tls@ietf.org>; Wed, 15 Oct 2014 09:25:37 -0700 (PDT)
Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s9FGPYAG018119 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 15 Oct 2014 12:25:34 -0400
Received: from oldenburg.str.redhat.com (ovpn-116-46.ams2.redhat.com [10.36.116.46]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s9FGPUJG028473 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Wed, 15 Oct 2014 12:25:33 -0400
Message-ID: <543E9FFA.5030102@redhat.com>
Date: Wed, 15 Oct 2014 18:25:30 +0200
From: Florian Weimer <fweimer@redhat.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1
MIME-Version: 1.0
To: "Salz, Rich" <rsalz@akamai.com>, "tls@ietf.org" <tls@ietf.org>
References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com> <5438CFEA.7000401@brainhub.org> <543E9435.8000905@redhat.com> <2A0EFB9C05D0164E98F19BB0AF3708C71D39ECE9C9@USMBX1.msg.corp.akamai.com> <543E9C9F.5050104@redhat.com> <2A0EFB9C05D0164E98F19BB0AF3708C71D39ECE9D5@USMBX1.msg.corp.akamai.com>
In-Reply-To: <2A0EFB9C05D0164E98F19BB0AF3708C71D39ECE9D5@USMBX1.msg.corp.akamai.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/p_XX_K8Zl5pPT9q7-8FdPMwIiVE
Subject: Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Oct 2014 16:25:39 -0000

On 10/15/2014 06:13 PM, Salz, Rich wrote:
> It retried because there was no way to indicate "let me try again with older version"  Now there is a way to indicate that this is happening.  Servers who support better protocols will reject the connection because the browser might be unwittingly giving up valuable security properties.  Servers who don't support better protocols will complete the handshake.

Sorry, but please review the Mozilla bug and re-read what I wrote.  I 
have a feeling that we both are talking about different things.

I'm concerned that a straightforward implementation of this new SCSV in 
Firefox will introduce user-visible connection failures when the 
downgrade is caused by a (likely spurious) networking event.  It's true 
that this network failure could be introduced deliberately by an on-path 
attacker (but even the SCSV design assumes that's rare*).  It's also 
true that an attacker can disguise most attacks as networking anomalies. 
  But it's unfortunate that this SCSV has such a broad area of ambiguity 
which does not help with browser UI design at all.

I understand that the ship has sailed on this one, and that we cannot 
change the protocol anymore.  So publishing the RFC seems unavoidable at 
this point, if only to ensure the codepoint reservations stick.


*) Deploying an SCSV-enabled browser to users on an intercepting network 
will largely knock these users off the net (assuming that SCSV support 
is widely deployed in public-facing TLS termination), so such attacks 
are hopefully very isolated, or else it's not possible to deploy this 
feature in browsers.

-- 
Florian Weimer / Red Hat Product Security

v2.23.0 | Report a Bug | By Email