Re: [TLS] Next Protocol Negotiation 03
Adam Langley <agl@chromium.org> Thu, 15 November 2012 00:09 UTC
On Wed, Nov 14, 2012 at 6:30 PM, Andrei Popov <Andrei.Popov@microsoft.com> wrote:
> Here is an example active attack which could reveal the negotiated protocol:
> - MITM downgrades the cipher during TLS handshake.
> - MITM can decrypt EncryptedExtensions message and find out which application protocol has been negotiated between the server and the client.
> - Finished messages are exchanged, at which point the attack is detected and the session is aborted. But the attacker knows the application protocol that is likely to be negotiated between this server and this client in the future.

Ah yes, I'm sorry, in my mind I was trying to think of a way to downgrade the protocol when you referenced that. That attack can certainly cause the protocol to be sent using the weakest cipher the client supports (which is generally 3DES for the clients in question).

However, I don't believe that your conclusion that this demonstrates that the complexity isn't justified is correct. I think everyone recognises that traffic is moving towards port 80 and 443 because of filtering of TCP ports by middleware. If we create another plaintext protocol negotiation then I'll be back here in a few years' time with a draft for NPN2 - because the plaintext negotiation will also be the target of filtering.

The fact that a middlebox can perform an active attack and get the protocol encrypted with 3DES doesn't affect that reasoning. I agree that this is a shade of security gray which is generally not something that TLS deals with. None the less, I believe that it still has significant value even though it's not white: the end-to-end principle is worth defending.

Cheers

AGL
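The ordering in the quoted attack, as an added Python model that is not part of the original message: the protocol selection is sent under whatever cipher was negotiated, and the transcript mismatch is only caught afterwards at Finished. The cipher names, the protocol name, the fixed master secret and the HMAC-based Finished are simplifying assumptions, not TLS wire formats.

```python
import hashlib
import hmac

# Constructed cipher names in client preference order; not real TLS code points.
CLIENT_OFFER = ["AES256-SHA", "AES128-SHA", "3DES-SHA"]
SERVER_SUPPORTED = ["AES256-SHA", "AES128-SHA", "3DES-SHA"]


def client_hello(ciphers):
    return b"ClientHello:" + ",".join(ciphers).encode()


def server_hello(hello):
    """Server picks the first cipher it supports from the list it actually received."""
    offered = hello.split(b":", 1)[1].decode().split(",")
    chosen = next(c for c in offered if c in SERVER_SUPPORTED)
    return chosen, b"ServerHello:" + chosen.encode()


def finished(master_secret, transcript):
    """Simplified stand-in for the TLS Finished value: a MAC over the transcript hash."""
    digest = hashlib.sha256(b"".join(transcript)).digest()
    return hmac.new(master_secret, b"client finished" + digest, hashlib.sha256).digest()[:12]


def strip_to_weakest(hello):
    """Models the on-path rewrite from the message: only the weakest cipher remains."""
    return client_hello(CLIENT_OFFER[-1:])


def handshake(tamper=None):
    master = b"\x01" * 48  # constructed; key exchange is not modelled
    sent = client_hello(CLIENT_OFFER)
    received = tamper(sent) if tamper else sent
    chosen, hello = server_hello(received)
    # The protocol selection goes out under the negotiated cipher, before Finished.
    selection = b"NextProtocol:example-proto"  # constructed protocol name
    client_view = [sent, hello, selection]
    server_view = [received, hello, selection]
    # The server recomputes Finished over what it saw and compares.
    ok = hmac.compare_digest(finished(master, client_view), finished(master, server_view))
    return {"protocol_sent_under": chosen, "finished_ok": ok}


if __name__ == "__main__":
    print(handshake())
    print(handshake(strip_to_weakest))
```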