Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

Andrei Popov <Andrei.Popov@microsoft.com> Tue, 14 July 2015 20:06 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2809F1B2C26 for <tls@ietfa.amsl.com>; Tue, 14 Jul 2015 13:06:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xcqg70049XFo for <tls@ietfa.amsl.com>; Tue, 14 Jul 2015 13:06:21 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0116.outbound.protection.outlook.com [65.55.169.116]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9F281B2C27 for <tls@ietf.org>; Tue, 14 Jul 2015 13:06:20 -0700 (PDT)
Received: from BLUPR03MB1396.namprd03.prod.outlook.com (10.163.81.142) by BLUPR03MB1395.namprd03.prod.outlook.com (10.163.81.141) with Microsoft SMTP Server (TLS) id 15.1.213.14; Tue, 14 Jul 2015 20:06:19 +0000
Received: from BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) by BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) with mapi id 15.01.0213.000; Tue, 14 Jul 2015 20:06:19 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Martin Thomson <martin.thomson@gmail.com>
Thread-Topic: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
Thread-Index: AQHQuMqGail83kPeBUGeFeksHA1hqJ3QLTyAgAAI+QCAAAQ1gIAADWmAgAA2FYCAAVxcgIAAAVqAgAAEyoCAAVE1AIABlogAgAAEJoCAAAXGgIAACRQAgAADNACAAAGWgIAAA+QAgAAQkpCAAUrngIAADsEAgAAC7oCAABbWgIAANnyAgAAH4ACAAAoZgIAAB+GAgAAMDwCAAAXygIAAI+yAgAADFACAAd8BsIAACoIAgADHX/CAABhggIAAFePggAAu+ACAAADfAIAATQqAgAC4IQCAAFw0gIAAAPZAgAAKHgCAAAEsIA==
Date: Tue, 14 Jul 2015 20:06:19 +0000
Message-ID: <BLUPR03MB1396E9FC7FEB4AC9FB8BFBD28C9B0@BLUPR03MB1396.namprd03.prod.outlook.com>
References: <20150714024710.GR28047@mournblade.imrryr.org> <20150714134612.F2DFF1A1DE@ld9781.wdf.sap.corp> <20150714191613.GC28047@mournblade.imrryr.org> <BLUPR03MB13969324E4C95B2D6DC9A7558C9B0@BLUPR03MB1396.namprd03.prod.outlook.com> <CABkgnnUcte-k5rYX9yz_HOeVNCBd0cHxD6+r2nbeLqsTrdniHA@mail.gmail.com>
In-Reply-To: <CABkgnnUcte-k5rYX9yz_HOeVNCBd0cHxD6+r2nbeLqsTrdniHA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;
x-originating-ip: [2001:4898:80e0:ee43::3]
x-microsoft-exchange-diagnostics: 1; BLUPR03MB1395; 5:wgIc9XRPbuvRyPZlVDB2dhm4MeheeguJiCmb5dMlN6meSR6Mq6ieoeqv4h6tJ3teXBwJnqOa1l8G8g81xF5IT/kZiPUWJ43ssMb5vR1B7BdDeOzc/D/K43UKXR2eaZ8Wrg5YW0BRbqsHZt6OKxrzhQ==; 24:v0Y67HSjZzIpsZCxKRf5OKVfqZe1pGFypGyRbubfzHbCRZB3zHYsPLyKbM+IkuZRacvXl8eyGpjVGL2G+FaIDwPV4PgPW9yVMljZy116oEQ=; 20:O/DRypkINisWsWefO/Op97sQqQEqhWHaYZlALcg7RhEhKjMg/dWGxwdTI2NWnKES4Ksv/RFSLOfq025fs2XVUw==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BLUPR03MB1395;
blupr03mb1395: X-MS-Exchange-Organization-RulesExecuted
x-microsoft-antispam-prvs: <BLUPR03MB13958E6EB4A9B6244327F2BB8C9B0@BLUPR03MB1395.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401001)(5005006)(3002001); SRVR:BLUPR03MB1395; BCL:0; PCL:0; RULEID:; SRVR:BLUPR03MB1395;
x-forefront-prvs: 0637FCE711
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(377454003)(13464003)(24454002)(76576001)(2950100001)(50986999)(87936001)(5001960100002)(2656002)(189998001)(74316001)(110136002)(33656002)(77156002)(2900100001)(93886004)(99286002)(46102003)(62966003)(40100003)(5002640100001)(122556002)(86362001)(106116001)(19580405001)(102836002)(76176999)(5003600100002)(86612001)(19580395003)(54356999)(92566002)(77096005)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BLUPR03MB1395; H:BLUPR03MB1396.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Jul 2015 20:06:19.2741 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR03MB1395
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/qKBae6jvKjMKqM3mnl7b2hzP8qo>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jul 2015 20:06:23 -0000

If opportunistic TLS handshakes need to be indistinguishable from server-authenticated TLS handshakes, then perhaps opportunistic clients have no choice but to send the signature_algorithms extension (when offering TLS1.2). The absence of signature_algorithms in a TLS 1.2 ClientHello can be used as a signal by the MITM.

-----Original Message-----
From: Martin Thomson [mailto:martin.thomson@gmail.com] 
Sent: Tuesday, July 14, 2015 12:56 PM
To: Andrei Popov
Cc: tls@ietf.org
Subject: Re: [TLS] Deprecate SHA1 for signatures in TLS 1.3 (was Re: TLS 1.3 draft-07 sneak peek)

On 14 July 2015 at 12:30, Andrei Popov <Andrei.Popov@microsoft.com> wrote:
> The downside is of course that the attacker can easily distinguish opportunistic clients from server-authenticating ones. Is this a concern for the opportunistic TLS community?

I raised the concern about this previously.  Opportunistic MitM happens, and providing a strong signal that the connection won't be (or couldn't be) authenticated somehow is a problem for that.  I'd rather have opportunistic security be indistinguishable from "real"
security.  It also means that you don't have separate code paths to support.

The anonymous modes serve a different purpose.  For instance tcpinc could use them.