Re: [TLS] Comments on draft-rescorla-tls-renegotiate, and a new proposal

Nelson B Bolyard <nelson@bolyard.me> Sat, 14 November 2009 18:23 UTC

Return-Path: <nelson@bolyard.me>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 889DE3A67B0 for <tls@core3.amsl.com>; Sat, 14 Nov 2009 10:23:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qgg8urUaKzIJ for <tls@core3.amsl.com>; Sat, 14 Nov 2009 10:23:22 -0800 (PST)
Received: from smtpauth02.prod.mesa1.secureserver.net (smtpauth02.prod.mesa1.secureserver.net [64.202.165.182]) by core3.amsl.com (Postfix) with SMTP id 990F03A67A5 for <tls@ietf.org>; Sat, 14 Nov 2009 10:23:22 -0800 (PST)
Received: (qmail 1099 invoked from network); 14 Nov 2009 18:23:51 -0000
Received: from unknown (24.5.142.42) by smtpauth02.prod.mesa1.secureserver.net (64.202.165.182) with ESMTP; 14 Nov 2009 18:23:51 -0000
Message-ID: <4AFEF62B.5030303@bolyard.me>
Date: Sat, 14 Nov 2009 10:25:47 -0800
From: Nelson B Bolyard <nelson@bolyard.me>
Organization: Network Security Services
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1b1pre) Gecko/20081004 NOT Firefox/2.0 SeaMonkey/2.0a2pre
MIME-Version: 1.0
To: tls@ietf.org
References: <73843DF9-EFCB-4B8D-913E-FE2235E5BDD3@rtfm.com> <20091113005419.GQ1105@Sun.COM> <4AFE1408.9040706@jacaranda.org> <4AFE4091.10005@jacaranda.org>
In-Reply-To: <4AFE4091.10005@jacaranda.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] Comments on draft-rescorla-tls-renegotiate, and a new proposal
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Nov 2009 18:23:25 -0000

On 2009-11-13 21:30 PDT, David-Sarah Hopwood wrote:

> [*] There is a corner case in which this argument might not apply --
>     the "Step-Up" protocol, where old versions of the Netscape browser
>     would initially offer only 40-bit ciphersuites, and then renegotiate
>     to use a stronger ciphersuite if they see that a bit is set in the
>     certificate. Such browsers are obviously unpatched, and will fail to
>     renegotiate with a patched server that is using a Step-Up certificate.
> 
>     Note that "Step-Up" is different from "Server-Gated Cryptography"
>     (SGC), in which the client never completes the first handshake and
>     reconnects in a new session: SGC does not rely on renegotiation.
>     (Verisign/Thawte sells certs that support both and does not
>     distinguish between them; don't be confused by that.)
> 
>     Step-Up was a Netscape proposal, and SGC was from Microsoft.
>     I don't think that Internet Explorer ever implemented Step-Up (as
>     opposed to SGC). 

I believe that's correct, and likewise, Netscape never implemented SGC.

> Netscape only implemented it in versions 3.x and 4.x, which have numerous
> arbitrary code execution bugs that would be easier to exploit.

I would add that Mozilla browsers use TLS code inherited from Netscape.
All the Netscape and Mozilla export browsers implemented Step-Up until
the U.S. export regulations changed in the year 2000.

> So this is not a significant issue at all -- any sites that are still
> using Step-Up certs, would be well advised to just patch their servers
> and tell their users to stop using such old browser versions.

I agree, emphatically.  But I have been told that there are still CA
selling step-up certs to this day, because there are still server admins
buying them, because there are still users in the world using those old
clients.  Given the premium prices historically obtained for Step-Up
certs, I'm not optimistic that CAs will voluntarily cut off sales of
their highest margin products for the good of a few users whose systems
are hopelessly vulnerable anyway.

/Nelson Bolyard
Developer of TLS code used in Mozilla and (formerly) Netscape clients