Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard

Bodo Moeller <bmoeller@acm.org> Fri, 16 January 2015 21:04 UTC

Hanno Böck <hanno@hboeck.de>:

> I think this adds further evidence that adding another workaround layer
> (SCSV) is the wrong thing to do. Instead browsers should just stop
> doing weird things with protocols that compromise security and drop
> the protocol dance completely.
>

They shouldn't have to do the downgrade dance (and indeed
draft-ietf-tls-downgrade-scsv-03 does say so), and certainly I'll be very
glad if it turns out that now they really won't have to, but I wouldn't
hold my breath.

Ideally, the server-side TLS_FALLBACK_SCSV logic will be present as dormant
code that never gets executed (because clients just don't do those
fallbacks), but which is available if and when needed again.

I hope that the Firefox change will make it into the release channel and
survive there, but note that it doesn't actually remove the downgrade dance
entirely. Rather, there's now a setting that controls whether the downgrade
dance is enabled (https://bugzilla.mozilla.org/show_bug.cgi?id=1083058),
and the plan merely is to disable this by default (
https://bugzilla.mozilla.org/show_bug.cgi?id=1084025). Also, you may be
able to enable the kludge on a per-domain basis (
https://bugzilla.mozilla.org/show_bug.cgi?id=1114816).

There's still a lot that can happen here. If the change works well enough
for the Firefox release channel (and for all other browsers), I still
expect that a bunch of users will need to enable the downgrade dance to get
HTTPS connections to legacy devices on their local networks to work. Then
it would be discomforting to not have TLS_FALLBACK_SCSV support in servers.

Also, quite clearly, we can't yet know how the TLS 1.3 (1.4, 1.5, ...)
rollout will work out.

Bodo