IETF Logo Mail Archive

Re: [TLS] The TLS_FALLBACK_SCSV time bomb (was: Re: Working Group Last Call for draft-ietf-tls-downgrade-scsv-00)

Hubert Kario <hkario@redhat.com> Fri, 17 October 2014 11:14 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1851F1AC3DC for <tls@ietfa.amsl.com>; Fri, 17 Oct 2014 04:14:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.612
X-Spam-Level:
X-Spam-Status: No, score=-2.612 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3maR2oSoFSVx for <tls@ietfa.amsl.com>; Fri, 17 Oct 2014 04:14:32 -0700 (PDT)
Received: from mx6-phx2.redhat.com (mx6-phx2.redhat.com [209.132.183.39]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCB281AC3D5 for <tls@ietf.org>; Fri, 17 Oct 2014 04:14:32 -0700 (PDT)
Received: from zmail11.collab.prod.int.phx2.redhat.com (zmail11.collab.prod.int.phx2.redhat.com [10.5.83.13]) by mx6-phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s9HBEQqC025017; Fri, 17 Oct 2014 07:14:26 -0400
Date: Fri, 17 Oct 2014 07:14:26 -0400
From: Hubert Kario <hkario@redhat.com>
To: Florian Weimer <fweimer@redhat.com>
Message-ID: <180027849.13041583.1413544466157.JavaMail.zimbra@redhat.com>
In-Reply-To: <5440E005.6000607@redhat.com>
References: <2112FCAD-4820-49D9-9871-6501C83A554D@cisco.com> <CADMpkcLnOh3HGD+urWuo6fPfkX4WfGhwckE0jg5jS2KqD2RuMQ@mail.gmail.com> <CABkgnnWuCwOGBXG2RdetwPFn4KtVPygSBWG5qkme1mvNst6n+A@mail.gmail.com> <543F9893.806@redhat.com> <543FA0A0.1030205@polarssl.org> <543FCAED.50502@redhat.com> <2A0EFB9C05D0164E98F19BB0AF3708C71D39ECECB4@USMBX1.msg.corp.akamai.com> <5440E005.6000607@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Originating-IP: [10.5.82.7]
X-Mailer: Zimbra 8.0.6_GA_5922 (ZimbraWebClient - FF32 (Linux)/8.0.6_GA_5922)
Thread-Topic: The TLS_FALLBACK_SCSV time bomb (was: Re: Working Group Last Call for draft-ietf-tls-downgrade-scsv-00)
Thread-Index: Yc+uBaMbuH5fRBJkOvsv1Ja/dIBIJg==
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/w94nSXC6BVExOIkxpJ5z6Ouyi5w
Cc: Manuel Pégourié-Gonnard <mpg@polarssl.org>, tls@ietf.org
Subject: Re: [TLS] The TLS_FALLBACK_SCSV time bomb (was: Re: Working Group Last Call for draft-ietf-tls-downgrade-scsv-00)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Oct 2014 11:14:36 -0000

----- Original Message -----
> From: "Florian Weimer" <fweimer@redhat.com>
> To: "Rich Salz" <rsalz@akamai.com>, "Manuel Pégourié-Gonnard" <mpg@polarssl.org>, "Martin Thomson"
> <martin.thomson@gmail.com>, "Bodo Moeller" <bmoeller@acm.org>
> Cc: tls@ietf.org
> Sent: Friday, 17 October, 2014 11:23:17 AM
> Subject: [TLS] The TLS_FALLBACK_SCSV time bomb (was: Re: Working Group Last Call for
> draft-ietf-tls-downgrade-scsv-00)
> 
> On 10/16/2014 03:44 PM, Salz, Rich wrote:
> >> A widely-deployed client might use TLS 1.2 with FALLBACK_SCSV
> >> unconditionally.
> >
> > A widely deployed client might also start injecting line noise into the TLS
> > stream.
> >
> > We can't control what buggy clients do.  That's not new.
> 
> You recently wrote about SSL_MODE_SEND_FALLBACK_SCSV, without any
> qualifications:
> 
> “I recommend that you always set that flag.”
> 
> <http://article.gmane.org/gmane.comp.encryption.openssl.user/52991>
> 
> Unfortunately, you are not the only one who makes this mistake.
> 
> I'm now convinced that the scenario I described is extremely likely.
> The problem, of course, is that you will not notice this bug in the
> client application until the server supports TLS 1.3, when it may be too
> late to fix it in the client.
> 
> It would be better to say that connections with TLS_FALLBACK_SCSV need
> to fail unconditionally in the server, independent of client and server
> protocol version.  This approach would essentially be a promise of the
> server to be version-tolerant (or a statement of having been updated
> recently, which hopefully amounts to the same thing).

But how can you test that the server really *is* tolerant to future
yet undefined protocol versions?

Sure, you can test if the code will accept a client hello with high
minor/major versions, but future versions may modify the initial hello
message in a way the programmers of the server didn't expect and that
actually crashes or generates a fatal error in the server (e.g. because
the server tries to parse whole hello message before looking at the
tls version).

Then to interoperate with such a server a browser would have to try
a client hello with lower version and without the SCSV to interoperate.
And we're in square zero...

>  The advantage
> that it doesn't come with the time bomb that has been built into the
> current draft.

While this is a possibility, I think the only thing we can do to prevent
that is to be explicit in the document:

"The client MUST NOT advertise TLS_FALLBACK_SCSV if it initiates connection
with the highest protocol version it supports."

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: hkario@redhat.com
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic

v2.23.0 | Report a Bug | By Email