Re: [TLS] An SCSV to stop TLS fallback.

Manuel Pégourié-Gonnard <mpg@elzevir.fr> Thu, 05 December 2013 08:51 UTC

Message-ID: <52A03E9A.4080507@elzevir.fr>
Date: Thu, 05 Dec 2013 09:51:38 +0100
From: Manuel Pégourié-Gonnard <mpg@elzevir.fr>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.0
MIME-Version: 1.0
To: tls@ietf.org
References: <CAL9PXLzWPY5o2SeV=kUPWxznkw+3cmpbMpYifCebfqd48VW9UA@mail.gmail.com> <CACsn0ckuupJaNKXGjP63LfZiDsV5FLOqfk902O9i1oheqtAAhA@mail.gmail.com> <CAL9PXLxueY_k0XWgTrqVxqXDgvCRhAW5UEa8YjU9_rnuZ6otTA@mail.gmail.com> <CAL2p+8TXJVmnb-v3xH6uzW+rpZ+v8J65TjO32__O3ZofQiwSig@mail.gmail.com> <CAL9PXLwKxF14CUNmN=-P6mhcr+xcGw0_Aaq7amdBXZKUsrKsKA@mail.gmail.com> <CADMpkcLRNmmoMOpJ9QVFPMEbpSyu39afipWUv4Du-assHoC1rw@mail.gmail.com> <CAL9PXLx0+bYn_KXKhvFz=D_jXfctdVihaXnj=SqB6EeEqRLOSg@mail.gmail.com> <CADMpkcKvXxHwj+Rj_j8qF84aEbWJiBiXnk9t1qfh7NychraZcQ@mail.gmail.com> <CALTJjxEDXsmdzY4+OH2AFcYfMW5zY=V4PzQK3hqB1WrqjRJB+g@mail.gmail.com> <CADMpkcJO8xZ41DDnofPinm2SMkhONW7w+cODGwnVpJtB5o8OqQ@mail.gmail.com> <CALTJjxGTmSPRNWfbRrpkFQb3nBwY63fUros+4fLsXjum=q3urA@mail.gmail.com> <529F7E9D.80302@elzevir.fr> <CAL9PXLwVQ=GmZXGrh4+VEd-u1dhhvThKHfVf0qRShcR+LdExTQ@mail.gmail.com> <f30ced5319a9451080562a1d2d8004f8@BY2PR03MB074.namprd03.prod.outlook.com>
In-Reply-To: <f30ced5319a9451080562a1d2d8004f8@BY2PR03MB074.namprd03.prod.outlook.com>
OpenPGP: id=98EED379; url=https://elzevir.fr/gpg/mpg.asc
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] An SCSV to stop TLS fallback.
Precedence: list

On 05/12/2013 00:05, Marsh Ray wrote:
> So if a fallback situation was a slow-loading lousy page experience
> before, what's it going to be after legitimate servers implement this
> logic? Will servers actively *refuse* legitimate client's retry
> connections? If so, isn't this just taking an intermittent
> slow-failure situation and converting it to an even slower but
> guaranteed interop failure? If not, what good will downgrade
> protection logic be?
> 
It seems to me Adam already answered this argument, and his point was that
browsers don't retry plain HTTP connexions anyway, so the situation with
TLS_FALLBACK_SCSV with respect to intermittent failures situations will not be
very different from what it is with HTTP: the browser will show a failure page
and the user will hit the "retry" button.

So, it's not turning an intermittent failure into a permanent one: it's merely
turning an intermittent failure that may not have been visible to the user in
case a silent fallback into an intermittent failure visible to the user.

The only drawback is, as you note, the failure will be slower, compared to what
it would be without any fallback attempt. So the question is, which is worse:
1. Slowing down the display of an error message in case of intermittent failures
with a legitimate and compliant server (the situation with fallback and
TLS_FALLBACK_SCSV), or
2. Being unable to communicate with version-intolerant servers (the situation
without any fallback)?
(I leave out the 3rd option: being vulnerable to MITM downgrades, which I think
we all agree is bad.)

Manuel.

Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
[TLS] An SCSV to stop TLS fallback. Adam Langley
Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
Re: [TLS] An SCSV to stop TLS fallback. Andy Wilson
Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
Re: [TLS] An SCSV to stop TLS fallback. Trevor Perrin
Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
Re: [TLS] An SCSV to stop TLS fallback. Trevor Perrin
Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
Re: [TLS] An SCSV to stop TLS fallback. Brian Smith
Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
Re: [TLS] An SCSV to stop TLS fallback. Jack Lloyd
Re: [TLS] An SCSV to stop TLS fallback. Manger, James H
Re: [TLS] An SCSV to stop TLS fallback. Wan-Teh Chang
Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
Re: [TLS] An SCSV to stop TLS fallback. Wan-Teh Chang
Re: [TLS] An SCSV to stop TLS fallback. Manuel Pégourié-Gonnard
Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
Re: [TLS] An SCSV to stop TLS fallback. Marsh Ray
Re: [TLS] An SCSV to stop TLS fallback. Douglas Stebila
Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
Re: [TLS] An SCSV to stop TLS fallback. James Cloos
Re: [TLS] An SCSV to stop TLS fallback. Yngve N. Pettersen
Re: [TLS] An SCSV to stop TLS fallback. Manuel Pégourié-Gonnard
Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
Re: [TLS] An SCSV to stop TLS fallback. Marsh Ray
Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller
Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
Re: [TLS] An SCSV to stop TLS fallback. Adam Langley
Re: [TLS] An SCSV to stop TLS fallback. Daniel Kahn Gillmor
Re: [TLS] An SCSV to stop TLS fallback. Brian Smith
Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
Re: [TLS] An SCSV to stop TLS fallback. Watson Ladd
Re: [TLS] An SCSV to stop TLS fallback. Martin Rex
Re: [TLS] An SCSV to stop TLS fallback. Yaron Sheffer
Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
Re: [TLS] An SCSV to stop TLS fallback. Yaron Sheffer
Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
Re: [TLS] An SCSV to stop TLS fallback. Manuel Pégourié-Gonnard
Re: [TLS] An SCSV to stop TLS fallback. Ralf Skyper Kaiser
Re: [TLS] An SCSV to stop TLS fallback. Bodo Moeller