IETF Logo Mail Archive

Re: [TLS] Prohibiting SSL 3.0

Watson Ladd <watsonbladd@gmail.com> Fri, 31 October 2014 03:39 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7499B1A8A94 for <tls@ietfa.amsl.com>; Thu, 30 Oct 2014 20:39:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mVA1823BcE23 for <tls@ietfa.amsl.com>; Thu, 30 Oct 2014 20:39:49 -0700 (PDT)
Received: from mail-yh0-x22a.google.com (mail-yh0-x22a.google.com [IPv6:2607:f8b0:4002:c01::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45D8C1A8A08 for <tls@ietf.org>; Thu, 30 Oct 2014 20:39:49 -0700 (PDT)
Received: by mail-yh0-f42.google.com with SMTP id 29so2500699yhl.1 for <tls@ietf.org>; Thu, 30 Oct 2014 20:39:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=3ADWxevduGrYPUvfL5kPNPx2WiZHkK9cU8A9xz8XNPo=; b=0m7nBkqmjLE955uFFGe16ExmiAvyZAVX16FrsPAiQOEzBn17wsVDmIouMCBnz1SRKW Cu3vgvTqxTN8xJU3HSTlNrFYfACiUSg6eQNbME5R4EvTIMdbGHj8ttXmaVIS+9mPNTl3 nifUT2ToPHSjfanZlQT5HYl405HRDkfQF5s0l7fUQn4IWpTK2JJS2Y12gp9ojQL82fAH HUN2sg2BWIoyd5LAw3AjJrTvirWYHNyBLYQbS1OlRQLoMZBetJagMPKQ2S4qCVYLsitu Fc075Bm0oB35vHch1QSsYoOyckQDN2Q54m5+Ypy0EGjar6JKhTLf1rAuzxN4c6sidIRj 2RfA==
MIME-Version: 1.0
X-Received: by 10.170.214.6 with SMTP id g6mr2233475ykf.34.1414726788578; Thu, 30 Oct 2014 20:39:48 -0700 (PDT)
Received: by 10.170.195.149 with HTTP; Thu, 30 Oct 2014 20:39:48 -0700 (PDT)
In-Reply-To: <20141031023139.CBB741AF6E@ld9781.wdf.sap.corp>
References: <CACsn0cn0CFxt-tnnkTr8OF41uLxx8SGTNM8yK90SUiJDPgcN_Q@mail.gmail.com> <20141031023139.CBB741AF6E@ld9781.wdf.sap.corp>
Date: Thu, 30 Oct 2014 20:39:48 -0700
Message-ID: <CACsn0cmX3UtAEAykMFiSaAWRAoJ8v7ra=t2WSC1WvjsG+t6VXg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "mrex@sap.com" <mrex@sap.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/tQ-lgt7EMob99QEyhE42MeJCnV4
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Prohibiting SSL 3.0
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Oct 2014 03:39:51 -0000

On Thu, Oct 30, 2014 at 7:31 PM, Martin Rex <mrex@sap.com> wrote:
> Watson Ladd wrote:
>>>
>>> And recap the stated properties of the protocol:
>>>
>>>   https://tools.ietf.org/html/rfc5246#appendix-F
>>>
>>>   https://tools.ietf.org/html/rfc5246#appendix-F.2
>>
>> Those sources say TLS provides a secure channel.  Maybe that means
>> something different to you then me, but to me that means
>> INT-PTXT+IND-CCA2, aka "looks like a wire strung between the
>> machines", aka "I can do what I want, and an attacker will have no
>> hope". Or was this warning intended to be "don't trust this with
>> anything important, because it can bite"?
>
> To me, the second sentence of Appendix F:
>
>    This document makes several traditional assumptions, including that
>    attackers have substantial computational resources and cannot obtain
>    secret information from sources outside the protocol.
>
> says pretty clearly that TLS is not designed to provide protection from
> an attacker who can gain almost full control over one of the communication
> endpoints and can exploit this to get data of his own liking and data
> that the attacker would like to discover mixed according to the attackers
> choice with attacker supplied data and sent over the very same TLS-protected
> communication channel.

So SSL v3 was not intended for use with browsers, despite being
developed by Netscape for use in browsers? And later versions were
also not for use in browsers? And despite the fact that TLS 1.1 fixed
bugs in TLS 1.0 that were only exploitable through doing the very
thing you insist TLS wasn't designed to handle, TLS 1.1 wasn't
designed to work in browsers either? Isn't this an argument that
browsers should not use SSL v3, and servers shouldn't either?

Is this argument leading to "let's make a protocol that works for
browsers"? Or is it leading to "let's not use browsers"?


> An attack which I would consider scary is one that works like an
> attack against the OpenSSL CVE-2014-0224 out-of-sequence ChangeCipherSpec
> implementation bug (which is not a protocol defect, mind you).
>
> When one of the 80 million affected andoid clients (smartphones, tablets)
> talks to a still-vulnerable server, then a pure network-MitM attacker
> (with ZERO control over the endpoint) can get in between the two,
> read and modify the entire communication in both directions to his
> own liking, and neither communication will notice anything unusual
> or be aware that this attack ever happened.  no errors, no unusual
> delays, no additional load, no failed requests, no repeated requests
> no downgrades.

What makes you think that noisy attacks get noticed and stopped?

>
>
>
> -Martin



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin
>
>

v2.23.0 | Report a Bug | By Email