Re: [Uta] "webby" STS and DANE/DNSSEC co-existence

Aaron Zauner <azet@azet.org> Fri, 15 April 2016 09:39 UTC

To: Jim Fenton <fenton@bluepopcorn.net>
Cc: uta@ietf.org, Chris Newman <chris.newman@oracle.com>

> On 15 Apr 2016, at 16:36, Aaron Zauner <azet@azet.org> wrote:
> 
>> by these sorts of attackers?  If not, I wouldn't include those directives.
> 
> I'm not sure if that answers your question w.r.t. downgrade attacks, but a quick comment on changes between the TLS versions: TLS 1.2 introduces AEAD (authenticated encryption with associated data); these modes are currently the only ones considered secure by academia. For example, 1.1 doesn't support GCM, CCM, etc., so you end up with CBC or RC4, both of which are at the very least broken in lab settings, and these attacks have been improved by quite a bit over the last couple of years, so that might be something to consider. 1.2 also removed MD5 and SHA1 as PRFs and made them configurable in cipher-suites (e.g. SHA256).

I think it's worth noting that these attacks are currently infeasible for SMTP traffic, to the best of my knowledge, but their use should be discouraged. And for RC4, for example, an RFC exists prohibiting its further use in standards.

Aaron
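As an added illustration of the TLS 1.1 vs 1.2 distinction drawn above (not code from this thread or from any UTA draft), the following Python uses the standard `ssl` module to audit which suites a client context would offer and to build a STARTTLS client policy that can only negotiate TLS 1.2+ AEAD suites; the helper names `audit_suites`, `hardened_smtp_context` and `is_clean` are my own.

```python
import ssl

# HMAC digests that TLS 1.2 no longer needs as PRF/MAC; flag suites still using them.
LEGACY_MACS = {"md5", "sha1"}


def audit_suites(ctx: ssl.SSLContext) -> dict:
    """Classify every suite this context would offer, using the per-cipher
    metadata OpenSSL exposes through SSLContext.get_ciphers()."""
    report = {"aead": [], "non_aead": [], "legacy_mac": [], "protocols": set()}
    for c in ctx.get_ciphers():
        report["protocols"].add(c["protocol"])
        if c["aead"]:
            report["aead"].append(c["name"])      # GCM, CCM, ChaCha20-Poly1305
        else:
            report["non_aead"].append(c["name"])  # CBC (or RC4 on legacy builds)
        # 'digest' is None for AEAD suites, otherwise the HMAC hash (sha1, sha256, ...)
        if c["digest"] in LEGACY_MACS:
            report["legacy_mac"].append(c["name"])
    return report


def hardened_smtp_context() -> ssl.SSLContext:
    """Client context for STARTTLS: TLS 1.2 or newer and AEAD-only suites, so
    CBC, RC4 and SHA-1/MD5 MACs can never be negotiated."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # This string governs TLS 1.2 suites only; TLS 1.3 suites are always AEAD
    # and are configured separately by OpenSSL.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20")
    return ctx


def is_clean(report: dict) -> bool:
    """True when nothing non-AEAD or SHA-1/MD5-MACed remains and only 1.2/1.3 suites are offered."""
    return (not report["non_aead"] and not report["legacy_mac"]
            and report["protocols"] <= {"TLSv1.2", "TLSv1.3"})


if __name__ == "__main__":
    # smtplib.SMTP(host, 25).starttls(context=hardened_smtp_context()) would
    # apply this policy to a real session; here both contexts are audited offline.
    for label, ctx in (("default", ssl.create_default_context()),
                       ("hardened", hardened_smtp_context())):
        r = audit_suites(ctx)
        print(f"{label}: {len(r['aead'])} AEAD, {len(r['non_aead'])} non-AEAD, "
              f"{len(r['legacy_mac'])} SHA-1/MD5-MAC suites, clean={is_clean(r)}")
```

On a stock OpenSSL build the default context still lists CBC suites with SHA-1 HMACs, which is exactly the TLS 1.1-era surface the message describes, while the hardened context reports none.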