Re: [TLS] Should we require implementations to send alerts?

Brian Smith <brian@briansmith.org> Thu, 17 September 2015 21:46 UTC

On Thu, Sep 17, 2015 at 1:50 PM, Nico Williams <nico@cryptonector.com>
wrote:

> On Wed, Sep 16, 2015 at 12:53:53PM -0700, Brian Smith wrote:
> > Further, the alerting mechanism has encouraged the unsafe practice of
> > "version fallback." It is clear from looking at the bug databases of
> > Firefox and Chrome that their attempts to make security decisions based on
> > what alerts they received were bad for security.
>
> Do we think that silent connection closings wouldn't also lead to
> version fallback?
>

Let's ask the browser vendors:

Browser vendors, if web servers were to stop sending alerts during
handshake failures, would you start doing version fallback when a
connection is closed?

> Fatal alerts are quite handy for diagnostics on the client side, really.
>

I agree that they are often marginally useful. However, the risks
associated with the alert mechanism outweigh those benefits.


> I'd rather keep them than remove them, but I'd be OK with clients never
> sending them. I'm OK with fatal alerts being SHOULD send.


I suggest that, at most, implementations SHOULD NOT send them. IMO it would
be better to remove the alert mechanism altogether in TLS 1.3.

Most people that are arguing for retaining the alert requirements seem to
be concerned about alerts sent from the server to the client. Does anybody
think it is important to require clients to ever send alerts other than
close_notify?

Cheers,
Brian
-- 
https://briansmith.org/