Re: [TLS] Next Protocol Negotiation 03

Adam Langley <agl@chromium.org> Thu, 15 November 2012 00:09 UTC

On Wed, Nov 14, 2012 at 6:30 PM, Andrei Popov
<Andrei.Popov@microsoft.com> wrote:
> Here is an example active attack which could reveal the negotiated protocol:
> - MITM downgrades the cipher during TLS handshake.
> - MITM can decrypt EncryptedExtensions message and find out which application protocol has been negotiated between the server and the client.
> - Finished messages are exchanged, at which point the attack is detected and the session is aborted. But the attacker knows the application protocol that is likely to be negotiated between this server and this client in the future.

Ah yes, I'm sorry, in my mind I was trying to think of a way to
downgrade the protocol when you referenced that.

That attack can certainly cause the protocol to be sent using the
weakest cipher the client supports (which is generally 3DES for
the clients in question).

However, I don't believe that your conclusion that this demonstrates
that the complexity isn't justified is correct. I think everyone
recognises that traffic is moving towards port 80 and 443 because of
filtering of TCP ports by middleware. If we create another plaintext
protocol negotiation then I'll be back here in a few years' time with a
draft for NPN2 - because the plaintext negotiation will also be the
target of filtering.

The fact that a middlebox can perform an active attack and get the
protocol encrypted with 3DES doesn't affect that reasoning. I agree
that this is a shade of security gray which is generally not something
that TLS deals with. None the less, I believe that it still has
significant value even though it's not white: the end-to-end
principle is worth defending.


Cheers

AGL