Re: [TLS] Enforcing stronger server side signature/hash combinations in TLS 1.2
mrex@sap.com (Martin Rex) Fri, 24 March 2017 17:10 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C333D127337 for <tls@ietfa.amsl.com>; Fri, 24 Mar 2017 10:10:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.921
X-Spam-Level:
X-Spam-Status: No, score=-6.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0x2I7bTlGrNh for <tls@ietfa.amsl.com>; Fri, 24 Mar 2017 10:10:48 -0700 (PDT)
Received: from smtpde02.smtp.sap-ag.de (smtpde02.smtp.sap-ag.de [155.56.68.140]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3ECC212948E for <tls@ietf.org>; Fri, 24 Mar 2017 10:10:48 -0700 (PDT)
Received: from mail07.wdf.sap.corp (mail04.sap.corp [194.39.131.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtpde02.smtp.sap-ag.de (Postfix) with ESMTPS id 3vqVLG2sWxz26QL; Fri, 24 Mar 2017 18:10:46 +0100 (CET)
X-purgate-ID: 152705::1490375446-0000521C-E36329D6/0/0
X-purgate-size: 1814
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate-type: clean
X-SAP-SPAM-Status: clean
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail07.wdf.sap.corp (Postfix) with ESMTP id 3vqVLF6mG1zGpGq; Fri, 24 Mar 2017 18:10:45 +0100 (CET)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id DD8051A65C; Fri, 24 Mar 2017 18:10:45 +0100 (CET)
In-Reply-To: <CAErg=HEzxHttSOk5Kx=-0qsd3_XWfkVzf_UHZ=YVC6EBctVErQ@mail.gmail.com>
To: Ryan Sleevi <ryan-ietftls@sleevi.com>
Date: Fri, 24 Mar 2017 18:10:45 +0100
CC: TLS WG <tls@ietf.org>
Reply-To: mrex@sap.com
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20170324171045.DD8051A65C@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/r5dxMvsFNstEhZa-Tg7Jw2jsvcg>
Subject: Re: [TLS] Enforcing stronger server side signature/hash combinations in TLS 1.2
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Mar 2017 17:10:50 -0000
Ryan Sleevi wrote: > > I would say that the vast majority of servers deployed on the Internet > using commonly publicly trusted CAs have more than one chain to choose from > - often dependent on the installed trust anchors - but the servers may > simply not be aware of it, and relying on clients to do the needful (for > example, with AIA fetching). The delta of sites that don't work in Firefox > (when SHA-1 is disabled) compared to Chrome (when SHA-1 is disabled) > illustrate this - as Chrome performs the AIA fetching to find the > alternative SHA-256 paths, while Firefox does not, and requires the server > supply them. AIA-fetching is a security disaster waiting to happen, it's insecure and irresponsible. While it may be a browser's every day business to aggressively follow each and every URL received over insecure communication channels (plaintext HTTP), download the stuff and try hard to execute it without the slightest amount of risk management (i.e. perform dangerous stuff millions of time to make demonstrations of SWEET32 and attacks on RC4-bias possible), such behaviour is not what the typical programmatic client or server will do (let alone should do). Some users might have a hope that clicking a bookmarked https-URL from a freshly launched web browser would save them from their browser performing arbitrary requests for attackers. Well, if a browser performs AIA-fetching / AIA-chasing, then it is betraying its user, because the AIA-URL received in the ServerCertificate TLS handshake message is not authenticated until _after_ successful verification of the digital signature of that server certificate (at which point AIA-fetching has become unnecessary). If Chrome really does AIA-fetching (*shudder*), how can it be disabled? -Martin
- [TLS] Enforcing stronger server side signature/ha… Fries, Steffen
- Re: [TLS] Enforcing stronger server side signatur… Viktor Dukhovni
- Re: [TLS] Enforcing stronger server side signatur… Eric Rescorla
- Re: [TLS] Enforcing stronger server side signatur… Fries, Steffen
- Re: [TLS] Enforcing stronger server side signatur… Fries, Steffen
- Re: [TLS] Enforcing stronger server side signatur… Martin Rex
- Re: [TLS] Enforcing stronger server side signatur… Andrei Popov
- Re: [TLS] Enforcing stronger server side signatur… Eric Rescorla
- Re: [TLS] Enforcing stronger server side signatur… Eric Rescorla
- Re: [TLS] Enforcing stronger server side signatur… Andrei Popov
- Re: [TLS] Enforcing stronger server side signatur… Martin Rex
- Re: [TLS] Enforcing stronger server side signatur… Eric Rescorla
- Re: [TLS] Enforcing stronger server side signatur… Eric Rescorla
- Re: [TLS] Enforcing stronger server side signatur… Peter Gutmann
- Re: [TLS] Enforcing stronger server side signatur… Peter Gutmann
- Re: [TLS] Enforcing stronger server side signatur… Viktor Dukhovni
- Re: [TLS] Enforcing stronger server side signatur… Martin Thomson
- Re: [TLS] Enforcing stronger server side signatur… Viktor Dukhovni
- Re: [TLS] Enforcing stronger server side signatur… Fries, Steffen
- Re: [TLS] Enforcing stronger server side signatur… Martin Rex
- Re: [TLS] Enforcing stronger server side signatur… Salz, Rich
- Re: [TLS] Enforcing stronger server side signatur… Eric Rescorla
- Re: [TLS] Enforcing stronger server side signatur… Martin Rex
- Re: [TLS] Enforcing stronger server side signatur… Martin Rex
- Re: [TLS] Enforcing stronger server side signatur… Ryan Sleevi
- Re: [TLS] Enforcing stronger server side signatur… Martin Rex
- Re: [TLS] Enforcing stronger server side signatur… Ryan Sleevi
- Re: [TLS] Enforcing stronger server side signatur… Michael StJohns
- Re: [TLS] Enforcing stronger server side signatur… Martin Rex
- Re: [TLS] Enforcing stronger server side signatur… Eric Rescorla