Re: [TLS] Rethink TLS 1.3

This thread is wandering a bit off topic.  TLS 1.3 is a work in progress.
If you have suggestions on how to improve it please create a Pull Request (
https://github.com/tlswg/tls13-spec) or post the specific details to the
list.  Keep in mind that the discussions on starting over with TLS 1.3 are
not in scope as the Working Group has consensus to follow the current
path.  Also, as the Working Group removes and deprecates less secure
protocol options we need to keep in mind the reality of current
deployments.  Deprecating or removing widely deployed options requires
careful consideration, since these actions may result in a protocol that is
unusable and/or not deployable.

Cheers,

Joe

On Tue, Nov 25, 2014 at 7:14 AM, Watson Ladd <watsonbladd@gmail.com> wrote:

> On Tue, Nov 25, 2014 at 6:46 AM, Hubert Kario <hkario@redhat.com> wrote:
> > On Monday 24 November 2014 09:35:20 Watson Ladd wrote:
> >> On Mon, Nov 24, 2014 at 8:56 AM, Martin Rex <mrex@sap.com> wrote:
> >> > Nico Williams wrote:
> >> >> Henrick Hellström wrote:
> >> >>> Yes, but the point I am trying to make, is that if the implied goal
> >> >>> is to make TLS resilient even against BEAST/CRIME style attacks, the
> >> >>> threat model should be defined accordingly. It makes little sense to
> >> >>> ask for cryptographic review of the protocol, if it is inherently
> >> >>> unclear exactly what kind of threats the protocol is designed to
> >> >>> withstand.
> >> >>
> >> >> BEAST/CRIME are dramatic demonstrations of the capabilities of
> attackers
> >> >> in the Internet threat model.
> >> >
> >> > Nope.  BEAST, CRIME and Poodle are pretty boring demonstrations of the
> >> > ridiculous insecurity of WebBrowsers in their default
> > configuration.https://tcms.engineering.redhat.com/case/295339/
> >>
> >> So it's possible to get my Paypal login cookie if I browse to a
> >> malicious site on a fully patched browser? Because that's what BEAST
> >> enabled. Are you saying it's fine that SSL v3.0 leaks one byte per
> >> connection? Because that's POODLE. All of this was known in 2004, and
> >> not fixed in TLS 1.2
> >
> > are you suggesting that AEAD ciphers are vulnerable to them? based on
> what
> > mechanism?
> >
> > I mean, sure they are not mandatory or the only TLS 1.2 compatible
> ciphers,
> > but there are there...
>
> Fixed means fixed, not "you get to play choose your own ciphersuite,
> where most of the options are wrong". It means aggressively removing
> ciphers and protocols known to be weak. Instead of considering the job
> done when secure options have been added, we should consider it done
> when the insecure options have been removed.
>
> Sincerely,
> Watson Ladd
> >
> > --
> > Regards,
> > Hubert Kario
>
>
>
> --
> "Those who would give up Essential Liberty to purchase a little
> Temporary Safety deserve neither  Liberty nor Safety."
> -- Benjamin Franklin
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>