Re: [TLS] Working Group Last Call for draft-ietf-tls-downgrade-scsv-00

Nikos Mavrogiannopoulos <nmav@redhat.com> Wed, 15 October 2014 12:54 UTC

Message-ID: <1413377664.15961.36.camel@dhcp-2-127.brq.redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: "Salz, Rich" <rsalz@akamai.com>
Date: Wed, 15 Oct 2014 14:54:24 +0200
In-Reply-To: <2A0EFB9C05D0164E98F19BB0AF3708C71D39ECE841@USMBX1.msg.corp.akamai.com>
References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com> <543E2D81.1050700@redhat.com> <7F8CB03B-6882-41E7-9705-7126A8F2F44D@gmail.com> <CADMpkcJLrQEtiUGi9B7ZS5402cXTBvvThL9-YwUUhncaXQaVsA@mail.gmail.com> <20141015140158.41a1faf8@pc.my-domain> <2A0EFB9C05D0164E98F19BB0AF3708C71D39ECE841@USMBX1.msg.corp.akamai.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/slLaEkaFejbFrj52TxuFYq-5NFM
Cc: "tls@ietf.org" <tls@ietf.org>

On Wed, 2014-10-15 at 08:19 -0400, Salz, Rich wrote:
> > Can you quantify that tradeoff? How many devices are there really out there
> > that would break? I'd like to have this discussions with hard numbers.
> 
> We (Akamai) see less than 1% SSLv2 and SSLv3 traffic globally and it's concentrated in a few particular clients.  Those clients are important to some customers. They want modern browsers to be protected, by not falling back to SSLv3, but they don't want to cut off those legacy clients.  SCSV fallback solves that problem. It will also solve a problem when some browsers try to use TLS 1.3 but servers haven't been updated.
> Does that help?

No, it is irrelevant. What matters for this decision is how many TLS
negotiation-intolerant servers are out there.

regards,
Nikos
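
The mechanism the two messages above are arguing about, as an added example that is not part of the original thread and not code from the draft's authors, Akamai or Red Hat: a small Python model of the TLS_FALLBACK_SCSV rule from draft-ietf-tls-downgrade-scsv (the SCSV cipher suite value {0x56, 0x00} and the inappropriate_fallback alert, number 86, are taken from the draft; the clients, servers, the "attacker" that kills non-SSLv3 handshakes, and the version-intolerant server are all constructed here for illustration). It shows the cases Rich describes, a modern browser being forced down to SSLv3 and an SSLv3-only legacy client that must keep working, and, because the fallback retry is driven by any handshake failure, it also shows a fallback against a constructed old server that drops TLS 1.1 and 1.2 ClientHellos, which is the class of server Nikos says should be counted.

```python
"""Toy model of TLS_FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv) client/server behaviour.
Added example; all peers and the network are constructed for illustration."""
from dataclasses import dataclass
from typing import List

# Wire-format protocol versions; tuple ordering gives the right version ordering.
SSL30, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
ALL_VERSIONS = [TLS12, TLS11, TLS10, SSL30]   # highest first

TLS_FALLBACK_SCSV = 0x5600       # cipher suite value {0x56, 0x00} from the draft
INAPPROPRIATE_FALLBACK = 86      # alert description assigned by the draft
TOY_SUITE = 0x0001               # placeholder "real" suite for this model only (assumption)


@dataclass
class ClientHello:
    client_version: tuple
    cipher_suites: List[int]


@dataclass
class ServerHello:
    server_version: tuple


@dataclass
class Alert:
    description: int


class Server:
    """Constructed server. `intolerant_above`, if set, makes it drop the connection
    (return None) on any ClientHello newer than that version, i.e. version intolerance."""

    def __init__(self, max_version, implements_scsv=True, intolerant_above=None):
        self.max_version = max_version
        self.implements_scsv = implements_scsv
        self.intolerant_above = intolerant_above

    def handle(self, hello: ClientHello):
        if self.intolerant_above is not None and hello.client_version > self.intolerant_above:
            return None  # dropped connection: the classic trigger for a client fallback retry
        # Draft rule: SCSV present with a client_version below the server's highest
        # supported version means the client is retrying after a downgrade; reject it.
        if (self.implements_scsv and TLS_FALLBACK_SCSV in hello.cipher_suites
                and hello.client_version < self.max_version):
            return Alert(INAPPROPRIATE_FALLBACK)
        return ServerHello(min(hello.client_version, self.max_version))


class Client:
    """Browser-style client: on any handshake failure it retries with the next lower
    version, and (if `sends_scsv`) adds TLS_FALLBACK_SCSV to every retry, since only a
    retry is a fallback. Its first, highest-version attempt never carries the SCSV."""

    def __init__(self, max_version, min_version, sends_scsv=True):
        self.versions = [v for v in ALL_VERSIONS if min_version <= v <= max_version]
        self.sends_scsv = sends_scsv

    def connect(self, server: Server, network=None):
        network = network or (lambda hello, srv: srv.handle(hello))  # direct path
        for attempt, version in enumerate(self.versions):
            suites = [TOY_SUITE]
            if attempt > 0 and self.sends_scsv:
                suites.append(TLS_FALLBACK_SCSV)
            reply = network(ClientHello(version, suites), server)
            if isinstance(reply, ServerHello):
                return ("ok", reply.server_version)
            if isinstance(reply, Alert) and reply.description == INAPPROPRIATE_FALLBACK:
                return ("refused", None)   # a genuine downgrade attempt: stop, do not retry lower
            # anything else (dropped connection) -> try the next lower version
        return ("failed", None)


def attacker_drops_above_ssl3(hello, server):
    """Constructed active attacker: kills every handshake except SSLv3 ones."""
    return None if hello.client_version > SSL30 else server.handle(hello)


def run_scenarios():
    """Returns {scenario name: (outcome, negotiated version)} for the cases in the thread."""
    modern_server = Server(TLS12)
    intolerant_old_server = Server(TLS10, implements_scsv=False, intolerant_above=TLS10)
    return {
        "modern browser, direct": Client(TLS12, SSL30).connect(modern_server),
        "modern browser, forced down": Client(TLS12, SSL30).connect(modern_server, attacker_drops_above_ssl3),
        "pre-SCSV browser, forced down": Client(TLS12, SSL30, sends_scsv=False).connect(modern_server, attacker_drops_above_ssl3),
        "legacy SSLv3-only client, direct": Client(SSL30, SSL30).connect(modern_server),
        "old TLS1.0-only client, direct": Client(TLS10, SSL30).connect(modern_server),
        "modern browser, intolerant old server": Client(TLS12, SSL30).connect(intolerant_old_server),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:40s} -> {result}")
```

Two points the run makes visible: the SSLv3-only and TLS 1.0-only clients are never refused, because their first ClientHello carries no SCSV, so the server cannot tell them apart from a downgraded browser and does not try to; and the fallback against the version-intolerant server still succeeds, because that server does not implement the SCSV at all. The protection is entirely on the modern-browser-to-modern-server path, and the cost of the browser's retry loop is paid only against servers that drop newer ClientHellos.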