IETF Logo Mail Archive

Re: [TLS] simplistic renego protection

Eric Rescorla <ekr@networkresonance.com> Tue, 17 November 2009 17:48 UTC

Return-Path: <ekr@networkresonance.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0C0803A6782 for <tls@core3.amsl.com>; Tue, 17 Nov 2009 09:48:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.02
X-Spam-Level:
X-Spam-Status: No, score=0.02 tagged_above=-999 required=5 tests=[AWL=0.515, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jYG3HVMnz1jt for <tls@core3.amsl.com>; Tue, 17 Nov 2009 09:48:36 -0800 (PST)
Received: from kilo.networkresonance.com (unknown [80.169.194.194]) by core3.amsl.com (Postfix) with ESMTP id 1885E3A6405 for <tls@ietf.org>; Tue, 17 Nov 2009 09:48:36 -0800 (PST)
Received: from kilo.local (localhost [127.0.0.1]) by kilo.networkresonance.com (Postfix) with ESMTP id 653E669FBC6; Tue, 17 Nov 2009 17:50:00 +0000 (GMT)
Date: Tue, 17 Nov 2009 17:50:00 +0000
From: Eric Rescorla <ekr@networkresonance.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <4B02A084.9030903@cs.tcd.ie>
References: <200911161725.nAGHPWaA014181@fs4113.wdf.sap.corp> <089F31C221374096B0FE619F@446E7922C82D299DB29D899F> <4B02A084.9030903@cs.tcd.ie>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20091117175000.653E669FBC6@kilo.networkresonance.com>
Cc: Chris Newman <Chris.Newman@Sun.COM>, tls@ietf.org
Subject: Re: [TLS] simplistic renego protection
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2009 17:48:37 -0000

At Tue, 17 Nov 2009 13:09:24 +0000,
Stephen Farrell wrote:
> Having watched the recent list traffic I find the above convincing.
> I'd love to see a -01 of the above containing the changes EKR has
> mentioned already, and then a WGLC on that.

I just submitted an -01 version of the draft. This includes the
following changes:

1. Clarification of the encoding of the extension per the issue
   by Eric Young and Nelson Bolyard.
2. A bunch of discussion of fallback and the downgrade issue.
3. A SHOULD level requirement that implementations which simply
   reject negotiation still provide an empty extension when
   requested by the client, thus signalling that they have
   been updated.
4. A new section 4.3.1 that describes a magic cipher suite
   to be used to prevent downgrade attack on implementations
   which fall back to no extensions on handshake failure.
   
I've left point (4) as an OPEN ISSUE because it wasn't clear to me
what the WG feeling was. My general feeling is that it's not necesary:
SSLv3 servers which upgrade to fix this issue by refusing
renegotiation can easily arrange to simply ignore the extension, at
which point no downgrade attack is possible. Servers which don't do
even this can be presumed to be vulnerable and it doesn't seem that
bad to simply fail in this small number of cases. That said, I don't
have a problem with this feature f the WG wants to since it's not
being used by negotiation but merely as a failsafe, and I thought
it was important to get a concrete proposal for this mechanism
on the table.

-Ekr

v2.23.0 | Report a Bug | By Email