IETF Logo Mail Archive

Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 24 October 2014 14:12 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEF4D1A03A3 for <tls@ietfa.amsl.com>; Fri, 24 Oct 2014 07:12:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qkrg30kjbeEz for <tls@ietfa.amsl.com>; Fri, 24 Oct 2014 07:12:51 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A66F11A034F for <tls@ietf.org>; Fri, 24 Oct 2014 07:12:19 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id D6DB72AB109; Fri, 24 Oct 2014 14:12:15 +0000 (UTC)
Date: Fri, 24 Oct 2014 14:12:15 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20141024141215.GL19158@mournblade.imrryr.org>
References: <CAO7N=i3gC=+qcgHU=aMKtRyT7tZV5fm=9gJii-=yOpcNECOEvA@mail.gmail.com> <20141022175238.GF19158@mournblade.imrryr.org> <544837FD.202@cs.tcd.ie> <2A0EFB9C05D0164E98F19BB0AF3708C71D3AF651E4@USMBX1.msg.corp.akamai.com> <5449A667.9040105@cs.tcd.ie> <20141024133728.GI19158@mournblade.imrryr.org> <544A5BB3.4000506@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <544A5BB3.4000506@fifthhorseman.net>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/s7HAWleK5i8nh_mnrUoNcpnJB5A
Subject: Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Oct 2014 14:13:01 -0000

On Fri, Oct 24, 2014 at 10:01:23AM -0400, Daniel Kahn Gillmor wrote:

> arguably, there are many such "grossly-misconfigured peers" right now
> with respect to RC4 (usually because of misguided attempts to protect
> against BEAST, aiui).  These are servers that support something other
> than RC4, but select RC4 if a client offers it (even if it was the
> client's lowest priority).

[ Note I was responding to Stephen's side note about opportunistic
  security, we're no longer discussing the language of the draft. ]

Indeed if RC4 were always selected for spurious reasons, then one
might be wise to disable it.  We're not there yet, so in practice
opportunistic applications will not immediately change to adhere
to the draft.

> So the safest OS approach in the context of a strongly-deprecated cipher
> $WEAK_CIPHER, for a client that is willing to ultimately fall back to
> cleartext would be, for any given peer P:
> 
>  * connect to P and offer TLS without $WEAK_CIPHER
>  * if that fails with "no cipher overlap", then:
>     * reconnect to P and offer TLS with $WEAK_CIPHER
>     * if that fails for any reason, then:
>         * reconnect to P with cleartext.

That's too much code.  MTAs are not browsers, there are no complex
multi-pass attempts to establish TLS.  TLS either happens or does
not.  If the handshake fails, some will retry in cleartext, others
will skip to the next MX host or defer the mail.

With MTAs the remote end often has connection rate limits, and may
lower the "reputation" of clients that frequently disconnect without
completing a delivery.

> This could probably be further improved by remembering which level of
> fallback succeeded on previous attempts, and refusing to fallback further.

Sorry, MTAs don't maintain SQLite databases with peer history.
There is no interactive user to override stale pinned information.

Browser analogies and strategies work poorly or not at all when
misapplied to SMTP.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email