Re: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms

David Benjamin <davidben@chromium.org> Mon, 11 January 2016 23:17 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBD931A8ADF for <tls@ietfa.amsl.com>; Mon, 11 Jan 2016 15:17:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level:
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BD3H0FCi40OC for <tls@ietfa.amsl.com>; Mon, 11 Jan 2016 15:17:12 -0800 (PST)
Received: from mail-ig0-x233.google.com (mail-ig0-x233.google.com [IPv6:2607:f8b0:4001:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56E941A8F4D for <tls@ietf.org>; Mon, 11 Jan 2016 15:17:12 -0800 (PST)
Received: by mail-ig0-x233.google.com with SMTP id h5so80643189igh.0 for <tls@ietf.org>; Mon, 11 Jan 2016 15:17:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :content-type; bh=EUN6prsYkvWrznhmlADeCho/Trmm6ExqI4s6ZA2/0WY=; b=l8QOo4USpw2lU4wxJ0q7QF/w6fqAmiSZiCfqEeWkvAIq7Gge7xIwjnFcvewwRMH0TN tvVYmsddlvJ6y2DDqZ4rCuz2XEW9UZnjoKgnInRX5OXExpaMa4mGBM4QkXXHpOLza8qI 7YZW7gl5XDYt3kC+Hf4bzksJhqrHboMtbelI0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:content-type; bh=EUN6prsYkvWrznhmlADeCho/Trmm6ExqI4s6ZA2/0WY=; b=Wr0OmxNcsCJK8x/6Tg8knmEPxPDyZml3icMDtJLeB+qhjLa3+tmZPwgXnK23ueiWDJ Qp2hELM4RLdvxFzyo2c7JiotlJzivIO4ffoUY+ypxHgy2bEi0jnCsHOZdvrHlQbUY+Ua PY+DZkxNucHlQ1Wbe3g6qjyJ3NXnOfS1OLdpipZnXT8aIFXeKtXtZdXb92NhQj7MnZDY /OtEeHEkCLTmKGxURWnbAzsZZ6Yukvd0869spQ/a7oX7erdKdhChSUjbTGyCXf8y/3H4 BdZ/ry1IPvXmNuZrdsPyHsmr5vxwiF2i1VGjkdCt1pSLw06e61D+4pmZ4YrN21FAmwiq 9hiw==
X-Gm-Message-State: ALoCoQmvuVplTYrbc0I5wSieGtKDg/2J3P6zd7d+sv7Pw34Fyt68329eikl5EkDqrca5wSFpRICvGEibFjhqUwNKCi1b2ezNYMVWk/JbO2m+KjPaCXaUoh4=
X-Received: by 10.50.171.200 with SMTP id aw8mr15267442igc.77.1452554231572; Mon, 11 Jan 2016 15:17:11 -0800 (PST)
MIME-Version: 1.0
References: <20160111183017.GA12243@roeckx.be>
In-Reply-To: <20160111183017.GA12243@roeckx.be>
From: David Benjamin <davidben@chromium.org>
Date: Mon, 11 Jan 2016 23:17:01 +0000
Message-ID: <CAF8qwaC-u-8HCTFegx+yhwSQibrrPULX0i6UaopfQrzaMS7gew@mail.gmail.com>
To: Kurt Roeckx <kurt@roeckx.be>, tls@ietf.org
Content-Type: multipart/alternative; boundary=089e010d9562fdbef50529172255
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/wpfMXnmjUs_pa_ECDklPKWPXmjw>
Subject: Re: [TLS] Deprecating TLS 1.0, 1.1 and SHA1 signature algorithms
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jan 2016 23:17:14 -0000

In terms of getting rid of TLS 1.0 and TLS 1.1 altogether, we're seeing
around 3% of connections using TLS 1.0 or TLS 1.1. That's quite high, and
it's likely that enterprise deployments are much worse.

I started gathering numbers on ServerKeyExchange hashes back in November.
The code isn't on Chrome's stable channel yet, but earlier channels say a
bit over 5% of ServerKeyExchanges are signed with SHA-1, which is also
quite high.

I also started probing servers in November and observed:
(a) Servers which always sign SHA-1.
(b) Servers which sign SHA-1 *unless* signature_algorithms omits it. Then
they sign SHA-256!?!!?
(c) Servers which sign SHA-2 but fail if signature_algorithms omits SHA-1.
The ones I looked at were all from serving SHA-1 certificates, so probably
their SSL stack compares certs against sig_algs.

(b) and (c) mean that getting a sense of the true impact will be
complicated until we finish getting SHA-1 certificates out of our system. I
have not dug into what's going on with groups (a) and (b) yet.

This all is not to say we shouldn't phase these out. But I do not expect it
to be a speedy process for browsers.

David

On Mon, Jan 11, 2016 at 1:30 PM Kurt Roeckx <kurt@roeckx.be>; wrote:

> Hi,
>
> After the SLOTH paper, we should think about starting to deprecate
> TLS 1.0 and TLS 1.1 and the SHA1 based signature algorithms in TLS
> 1.2.
>
> As I understand it, they estimate that both TLS 1.2 with SHA1 and
> TLS 1.0 and 1.1 with MD5|SHA1 currently require about 2^77 to be
> broken.  They all depend on the chosen prefix collision on SHA1,
> with the MD5 part in TLS 1.0 and 1.1 not adding much.
>
> It seems that disabling SHA1 in TLS 1.2 doesn't buy you anything
> unless you also disable TLS 1.0 and 1.1.
>
>
> Kurt
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>