Re: [TLS] no fallbacks please [was: Downgrade protection, fallbacks, and server time]

Bill Frantz <frantz@pwpconsult.com> Sat, 04 June 2016 15:09 UTC

Date: Sat, 4 Jun 2016 08:08:44 -0700
From: Bill Frantz <frantz@pwpconsult.com>
To: Hubert Kario <hkario@redhat.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/q0b1UDvoU4xJkPD8A6qziTeCSbU>
Cc: tls@ietf.org

On 6/3/16 at 2:28 AM, hkario@redhat.com (Hubert Kario) wrote:

>That being said, I would prefer the solution to be a compliance 
>test suite that checks if servers do handle correctly future 
>versions, future extensions and future ciphersuites correctly.

I agree with Hubert. The big question is how you get the bug 
report to the server operator.

With servers which are currently maintained, it should be 
possible, although difficult in specific instances to contact 
the owner. With servers which aren't being maintained, e.g. 
those in embedded devices, the problem becomes much harder.

If the client has a UI, it could explain the problem to the user 
and ask if the user wants to continue with degraded security. If 
so, then always use the remembered highest supported version 
with that server domain name, with perhaps occasional reminders 
to the user of the situation.

In any case, we should be addressing our efforts to getting bugs 
fixed, not just coding around them.

Cheers - Bill

-------------------------------------------------------------------------
Bill Frantz        | The first thing you need when  | Periwinkle
(408)356-8506      | using a perimeter defense is a | 16345 Englewood Ave
www.pwpconsult.com | perimeter.                     | Los Gatos, CA 95032