IETF Logo Mail Archive

Re: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv

Andrei Popov <Andrei.Popov@microsoft.com> Tue, 28 January 2014 01:04 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B95B41A039E for <tls@ietfa.amsl.com>; Mon, 27 Jan 2014 17:04:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vWYZy9NJwjtE for <tls@ietfa.amsl.com>; Mon, 27 Jan 2014 17:04:46 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0181.outbound.protection.outlook.com [207.46.163.181]) by ietfa.amsl.com (Postfix) with ESMTP id A931F1A02DA for <tls@ietf.org>; Mon, 27 Jan 2014 17:04:45 -0800 (PST)
Received: from BL2PR03MB419.namprd03.prod.outlook.com (10.141.92.18) by BL2PR03MB418.namprd03.prod.outlook.com (10.141.92.13) with Microsoft SMTP Server (TLS) id 15.0.859.15; Tue, 28 Jan 2014 01:04:41 +0000
Received: from BL2PR03MB419.namprd03.prod.outlook.com ([10.141.92.18]) by BL2PR03MB419.namprd03.prod.outlook.com ([10.141.92.18]) with mapi id 15.00.0859.020; Tue, 28 Jan 2014 01:04:41 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: "mrex@sap.com" <mrex@sap.com>, Bodo Moeller <bmoeller@acm.org>
Thread-Topic: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv
Thread-Index: AQHPGCLYtuT5cbQOIEmjzG1QZtPhb5qY2GuAgAAk7YCAAE8UgIAAB82Q
Date: Tue, 28 Jan 2014 01:04:40 +0000
Message-ID: <828b043cac0f4b62875d00f31d2f92e3@BL2PR03MB419.namprd03.prod.outlook.com>
References: <CADMpkcJ4viFwzU9u0uP41Niaopja8PZFowjOALVr3VA1vJ7Uow@mail.gmail.com> <20140128001737.D9D581ABC9@ld9781.wdf.sap.corp>
In-Reply-To: <20140128001737.D9D581ABC9@ld9781.wdf.sap.corp>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2001:4898:80e8:ed31::3]
x-forefront-prvs: 0105DAA385
x-forefront-antispam-report: SFV:NSPM; SFS:(10009001)(6009001)(164054003)(13464003)(24454002)(189002)(199002)(377454003)(51704005)(54356001)(76482001)(46102001)(53806001)(15975445006)(33646001)(74662001)(47446002)(74502001)(87266001)(31966008)(51856001)(2656002)(50986001)(93516002)(47976001)(85306002)(76576001)(76796001)(76786001)(69226001)(87936001)(81686001)(81816001)(4396001)(49866001)(47736001)(56776001)(81342001)(19580395003)(93136001)(80022001)(92566001)(74316001)(81542001)(80976001)(90146001)(54316002)(86362001)(65816001)(74706001)(83322001)(19580405001)(56816005)(85852003)(83072002)(59766001)(77982001)(74876001)(63696002)(79102001)(561944002)(74366001)(94316002)(3826001)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:BL2PR03MB418; H:BL2PR03MB419.namprd03.prod.outlook.com; CLIP:2001:4898:80e8:ed31::3; FPR:; InfoNoRecordsMX:1; A:1; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jan 2014 01:04:47 -0000

For my understanding: why is this proposal vitally dependent on the server sending inappropriate_fallback alert? If the server receives the SCSV, has a higher protocol version enabled than that in the ClientHello, and quietly aborts the handshake, isn't the downgrade attack thwarted?

Thanks,

Andrei

-----Original Message-----
From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Martin Rex
Sent: Monday, January 27, 2014 4:18 PM
To: Bodo Moeller
Cc: tls@ietf.org
Subject: Re: [TLS] Call for acceptance of draft-moeller-tls-downgrade-scsv

Bodo Moeller wrote:
> Michael D'Errico <mike-list@pobox.com>:
>>
>> We should consider whether we can define a single SCSV that a client 
>> issues when it thinks a server is extension intolerant.
>>
>> Such an SCSV could be used in conjunction with a normal extension 
>> used for downgrade protection, if the client gets pushed all the way 
>> back to TLSv1.0 without extensions, or to SSLv3.
>>
>> This approach could solve the problem of desiring more SCSVs in the 
>> future.
> 
> Hm, that would mean having the SCSV for special-case downgrade 
> protection (extension intolerance) and an extension for general-case 
> downgrade protection (when extension intolerance is not an issue).  
> That means requiring more code to be added to servers (to *all* 
> servers, since these mechanisms only work as intended if all servers support them).

But you _are_ aware that your proposal is vitally dependent that the TLS server puts a fatal SSL alert on the wire before closing the connection?  Historically, (close to) all applications running on top of Microsoft SChannel (including MSIE client and IIS server) do not send any fatal alerts before closing connections, because they use a transport-free API (Microsoft SSPI, similar to GSS-API) to their TLS implementation, and the application code does not support
(a) processing a fatal error messages and (b) sending tokens over the network at the same time.  It's basically the same reason why the forwarding of error tokens and outputs of "gss_delete_sec_context()"
was deprecated in GSS-API v2 -- because most apps will simple refuse to do it.

It would not be possible to hide such a change in behaviour (writing a fatal alert to the network before closing the connection) within SChannel, it would also require a change to at least Microsoft IIS.
How likely is that going to happen?  (It's been the way it is not for the last ~14 years...).


Which server implementers are eager to send such a fatal alert as is contained in this proposal anyway?  I will certainly ensure that our server implementation will NEVER grow such silly behaviour.

-Martin
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email