Re: [TLS] TLS Digest, Vol 65, Issue 69
Yoav Nir <ynir@checkpoint.com> Thu, 17 December 2009 07:04 UTC
Return-Path: <ynir@checkpoint.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 316A03A6B17 for <tls@core3.amsl.com>; Wed, 16 Dec 2009 23:04:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sKQ57DDXdvvo for <tls@core3.amsl.com>; Wed, 16 Dec 2009 23:04:55 -0800 (PST)
Received: from dlpdemo.checkpoint.com (dlpdemo.checkpoint.com [194.29.32.54]) by core3.amsl.com (Postfix) with ESMTP id 0E1203A67B8 for <tls@ietf.org>; Wed, 16 Dec 2009 23:04:54 -0800 (PST)
X-CheckPoint: {4B29D727-10005-14201DC2-FFFF}
Received: by dlpdemo.checkpoint.com (Postfix, from userid 105) id 8E3E029C008; Thu, 17 Dec 2009 09:04:39 +0200 (IST)
Received: from michael.checkpoint.com (michael.checkpoint.com [194.29.32.68]) by dlpdemo.checkpoint.com (Postfix) with ESMTP id 7359729C002; Thu, 17 Dec 2009 09:04:39 +0200 (IST)
X-CheckPoint: {4B29D727-10000-14201DC2-FFFF}
Received: from il-ex01.ad.checkpoint.com (il-ex01.checkpoint.com [194.29.32.26]) by michael.checkpoint.com (8.12.10+Sun/8.12.10) with ESMTP id nBH74dT7010096; Thu, 17 Dec 2009 09:04:39 +0200 (IST)
Received: from il-ex01.ad.checkpoint.com ([194.29.32.26]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Thu, 17 Dec 2009 09:04:50 +0200
From: Yoav Nir <ynir@checkpoint.com>
To: Ravi Ganesan <ravi@findravi.com>
Date: Thu, 17 Dec 2009 09:04:36 +0200
Thread-Topic: [TLS] TLS Digest, Vol 65, Issue 69
Thread-Index: Acp+5zlZh0CNr+0jRsqUqQCGv5qj6A==
Message-ID: <DF4882FB-9EEC-4725-A737-AB332530A97F@checkpoint.com>
References: <mailman.5458.1261026813.32729.tls@ietf.org> <3561bdcc0912162226p1994c9eeqc7fbc192cab811a1@mail.gmail.com>
In-Reply-To: <3561bdcc0912162226p1994c9eeqc7fbc192cab811a1@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_DF4882FB9EEC4725A737AB332530A97Fcheckpointcom_"
MIME-Version: 1.0
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS Digest, Vol 65, Issue 69
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2009 07:04:56 -0000
On Dec 17, 2009, at 8:26 AM, Ravi Ganesan wrote: > Ravi Ganesan wrote: >> Anyone who reads the the first documents that came out on this issue >> (http://www.phonefactor.com/sslgapdocs/Renegotiating_TLS.pdf and >> http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html) >> would be left with very different perceptions of the magnitude of the >> impact. This is not unnatural in such matters; great minds usually think >> differently...., but after all this discussion perhaps a blurb in the >> draft with advice on who should immediately patch might be useful. > > In short, everyone* needs to patch and disable compatible/insecure mode > as soon as is practical. > > *Except those who can prove that their endpoint cannot renegotiate and > will never be willing to talk to a server that can possibly renegotiate. No, even those. If any server does not patch, it will soon fail to be interoperable with clients that require patched servers. I see. Sorry, I missed that in all the discussion. Sticking to the specific case of when the Client is a browser and the Server is a web-server do the browser vendors plan to "require" patched servers? "require"? My bet is, not anytime soon. I was assuming (hoping?) that a patched browser can deal with an unpatched server gracefully without failing. I have selfish reasons for asking as I run a EV-SSL protected site, with no control over when my hosting company will upgrade, but I suspect this would be the single most impacted use case. Cheers, Ravi My guess is that when patched servers have become common enough that it's weird to have an unpatched server, browser vendors will make us go through the "Continue to this website (not recommended)"/"I understand the risks"/"Safari can't verify..."/"You need to approve or reject" ritual that they make us go through for certificate errors.
- Re: [TLS] TLS Digest, Vol 65, Issue 69 Ravi Ganesan
- Re: [TLS] TLS Digest, Vol 65, Issue 69 Yoav Nir