Re: [TLS] Minutes from Tuesday
mrex@sap.com (Martin Rex) Mon, 27 October 2014 19:38 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AA321AD1EE for <tls@ietfa.amsl.com>; Mon, 27 Oct 2014 12:38:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.652
X-Spam-Level:
X-Spam-Status: No, score=-4.652 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eCtkyfhe8rnm for <tls@ietfa.amsl.com>; Mon, 27 Oct 2014 12:38:40 -0700 (PDT)
Received: from smtpde01.smtp.sap-ag.de (smtpde01.smtp.sap-ag.de [155.56.68.170]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 152901A00F6 for <tls@ietf.org>; Mon, 27 Oct 2014 12:38:34 -0700 (PDT)
Received: from mail05.wdf.sap.corp (mail05.sap.corp [194.39.131.55]) by smtpde01.smtp.sap-ag.de (Postfix) with ESMTPS id 08F7571BB9; Mon, 27 Oct 2014 20:38:32 +0100 (CET)
Received: from ld9781.wdf.sap.corp (ld9781.wdf.sap.corp [10.21.82.193]) by mail05.wdf.sap.corp (Postfix) with ESMTP id 01AD94405F; Mon, 27 Oct 2014 20:38:31 +0100 (CET)
Received: by ld9781.wdf.sap.corp (Postfix, from userid 10159) id EF06C1AF5A; Mon, 27 Oct 2014 20:38:31 +0100 (CET)
In-Reply-To: <CADMpkc+E7fPcLJPiH5g96aNDBsYu-jChkaps58z27P4z8SvvgQ@mail.gmail.com>
To: Bodo Moeller <bmoeller@acm.org>
Date: Mon, 27 Oct 2014 20:38:31 +0100
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20141027193831.EF06C1AF5A@ld9781.wdf.sap.corp>
From: mrex@sap.com
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/tygazZSsyXyau9JfxG2DxQjBPYw
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Minutes from Tuesday
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Oct 2014 19:38:46 -0000
Bodo Moeller wrote: > > Martin Rex <mrex@sap.com>: >> >> Rather than aborthing the TLS handshake, the server ought to include >> a TLS extension in the ServerHello indicating that he recognized a >> potentially inappropriate fallback and otherwise continue the TLS handshake >> in the regular fashion, leaving the decision of whether&how to continue >> entirely up to those clients who do perform insecure fallbacks. > > That would work too, but the server would then be doing all the work to > send a ServerKeyExchange even if the client is going to abort the > connection. I do believe the server load issue here to be sufficiently close to marginal to be irrelevant. Even you write somthing to this effect: > > Well, even just having to fall back to make the connection work indicates > that something is wrong -- that's not a generally expected way of > establishing a TLS connection. (Clients can gather some statistics without > sending TLS_FALLBACK_SCSV if they want to use the connection regardless.) The problem with having the server (rather than the falling-back client) abort the connection is that the client has no reliable indicator to figure out the reason for connection failures, and have to continue relying on flawed heuristics. MSIE has a similar bug in connection management that FF used to have over several years (and which could often be observed/reproduced by by hitting <F5> ("reload") quickly several times on complex pages). On MSIE, I saw it as a result of complex pages with Javascript-based navigation that performed (and killed) background downloading of images. > > It seems that the response mechanism that you propose would allow the > server to confirm to that client that the server noticed that the client > noticed that something is wrong. What would really be gained by that, > compared to what the current TLS_FALLBACK_SCSV protocol offers? It would leave the decision whether to abort or continue the handshake with the one-and-only connection peer that is (a) doing the fallback and (b) in the position to establish another connection and attempt another handshake, and (c) query the user interactively if something odd is going on. I would gladly add a server extension into ServerHello of our TLS implementation in response to a FALLBACK SCSV, whereas I will entirely ignore this proposal as is. -Martin
- Re: [TLS] Minutes from Tuesday Martin Rex
- [TLS] Minutes from Tuesday Salz, Rich
- Re: [TLS] Minutes from Tuesday Bodo Moeller
- Re: [TLS] Minutes from Tuesday Bodo Moeller
- Re: [TLS] Minutes from Tuesday Bodo Moeller
- Re: [TLS] Minutes from Tuesday Marsh Ray
- Re: [TLS] Minutes from Tuesday Adam Langley
- Re: [TLS] Minutes from Tuesday Salz, Rich
- Re: [TLS] Minutes from Tuesday Florian Weimer
- Re: [TLS] Minutes from Tuesday Martin Rex
- Re: [TLS] Minutes from Tuesday Bodo Moeller
- Re: [TLS] Minutes from Tuesday Martin Rex
- Re: [TLS] Minutes from Tuesday Manuel Pégourié-Gonnard
- Re: [TLS] Minutes from Tuesday Bodo Moeller
- Re: [TLS] Minutes from Tuesday Martin Rex
- Re: [TLS] Minutes from Tuesday Bodo Moeller
- Re: [TLS] Minutes from Tuesday Brian Smith