Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance


Yair Elharrar wrote:
> The proposed draft is intended to resolve an MITM attack scenario,
> but is the new extension tamper-resistant?
> 
> Since the MITM handles all traffic between the real client and real
> server, it could add a fake extension to the 2nd ClientHello with its
> original verify_data, and empty the returned extension in the
> ServerHello.

A valid concern, which I believe is addressed by the fact that the
'Finished' message in TLS contains a MAC which covers extensions present
on the Client and Server Hellos.

IIRC, earlier SSLs did not cover extensions with a MAC.

> In addition, until such time that all clients in the world start
> supporting this extension (e.g. kiosks in airports), servers will
> have to support backward compatibility.

It will be a trade-off for each server admin to weigh and decide their
policy. I suspect many admins will prefer not to allow insecure
connections from unpatched airport kiosks.

> The MITM can downgrade every
> client by simply removing the extension from the ClientHello.

I think that is not the case with modern versions of TLS.

> Yair
> 
> 
> This email and any files transmitted with it are confidential
> material. They are intended solely for the use of the designated
> individual or entity to whom they are addressed. If the reader of
> this message is not the intended recipient, you are hereby notified
> that any dissemination, use, distribution or copying of this
> communication is strictly prohibited and may be unlawful.

Eeek!

> If you have received this email in error please immediately notify
> the sender and delete or destroy any copy of this message 

- Marsh
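The mechanism Marsh relies on, as an added example that is not part of the original thread: a small Python model of the TLS 1.2 Finished computation (PRF over the hash of the handshake transcript, RFC 5246 section 7.4.9) which shows that an attacker who rewrites the extensions of either Hello in flight, or who does not hold the master secret, cannot get either endpoint's Finished accepted. Assumptions, all mine: the Hello encodings are minimal, the key exchange is replaced by a master secret handed to both endpoints, and the extension type 0xFF01 is the number RFC 5746 later assigned to renegotiation_info; the draft discussed above may have used a different value.

```python
import hashlib
import hmac
import os
import struct

# TLS 1.2 constants (RFC 5246). 0xFF01 is the renegotiation_info type from
# RFC 5746; using it for the draft under discussion is an assumption.
FINISHED_LEN = 12
CLIENT_LABEL = b"client finished"
SERVER_LABEL = b"server finished"
EXT_RENEGOTIATION_INFO = 0xFF01
HT_CLIENT_HELLO, HT_SERVER_HELLO, HT_FINISHED = 1, 2, 20

def p_sha256(secret, seed, length):
    """P_SHA256 data expansion, RFC 5246 section 5."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def verify_data(master_secret, label, handshake_messages):
    """Finished.verify_data = PRF(master_secret, label, Hash(handshake_messages))[0:12]."""
    digest = hashlib.sha256(handshake_messages).digest()
    return p_sha256(master_secret, label + digest, FINISHED_LEN)

def handshake_msg(msg_type, body):
    """HandshakeType byte, 24-bit length, body."""
    return bytes([msg_type]) + struct.pack("!I", len(body))[1:] + body

def encode_extensions(extensions):
    """Extension block: 16-bit total length, then (type, 16-bit length, data) per entry."""
    if not extensions:
        return b""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    return struct.pack("!H", len(body)) + body

def client_hello(random32, extensions):
    """Minimal ClientHello: version, random, empty session id, one suite, null compression, extensions."""
    body = (b"\x03\x03" + random32 + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + encode_extensions(extensions))
    return handshake_msg(HT_CLIENT_HELLO, body)

def server_hello(random32, extensions):
    """Minimal ServerHello: version, random, empty session id, chosen suite, null compression, extensions."""
    body = b"\x03\x03" + random32 + b"\x00" + b"\xc0\x2f" + b"\x00" + encode_extensions(extensions)
    return handshake_msg(HT_SERVER_HELLO, body)

def handshake(master_secret, client_exts, server_exts, rewrite_ch=None, rewrite_sh=None):
    """
    Hello/Finished part of a handshake between endpoints sharing master_secret.
    rewrite_ch / rewrite_sh model a MITM editing the extension list of the
    ClientHello (as the server receives it) or of the ServerHello (as the client
    receives it). Returns (client_accepts_server_finished, server_accepts_client_finished).
    """
    ch_random, sh_random = os.urandom(32), os.urandom(32)
    ch_sent = client_hello(ch_random, client_exts)
    ch_received = client_hello(ch_random, rewrite_ch(client_exts)) if rewrite_ch else ch_sent
    sh_sent = server_hello(sh_random, server_exts)
    sh_received = server_hello(sh_random, rewrite_sh(server_exts)) if rewrite_sh else sh_sent
    client_view = ch_sent + sh_received   # transcript as the client hashes it
    server_view = ch_received + sh_sent   # transcript as the server hashes it
    client_fin = verify_data(master_secret, CLIENT_LABEL, client_view)
    server_accepts = hmac.compare_digest(
        client_fin, verify_data(master_secret, CLIENT_LABEL, server_view))
    # The server's Finished additionally covers the client's Finished message.
    fin_msg = handshake_msg(HT_FINISHED, client_fin)
    server_fin = verify_data(master_secret, SERVER_LABEL, server_view + fin_msg)
    client_accepts = hmac.compare_digest(
        server_fin, verify_data(master_secret, SERVER_LABEL, client_view + fin_msg))
    return client_accepts, server_accepts

def forged_finished_accepted(master_secret, transcript):
    """A MITM without master_secret guesses a secret; its Finished never matches the real one."""
    forged = verify_data(os.urandom(48), CLIENT_LABEL, transcript)
    return hmac.compare_digest(forged, verify_data(master_secret, CLIENT_LABEL, transcript))

# Constructed scenario: the client carries the previous handshake's verify_data in
# renegotiation_info and the server echoes it (previous verify_data is made up here).
PREV_VERIFY_DATA = bytes(range(12))
CLIENT_EXTS = [(EXT_RENEGOTIATION_INFO, bytes([12]) + PREV_VERIFY_DATA)]
SERVER_EXTS = [(EXT_RENEGOTIATION_INFO, bytes([12]) + PREV_VERIFY_DATA)]

def strip_renegotiation_info(exts):
    return [(t, d) for t, d in exts if t != EXT_RENEGOTIATION_INFO]

def inject_fake_renegotiation_info(exts):
    return exts + [(EXT_RENEGOTIATION_INFO, bytes([12]) + os.urandom(12))]

if __name__ == "__main__":
    secret = os.urandom(48)
    print("untouched:", handshake(secret, CLIENT_EXTS, SERVER_EXTS))
    print("MITM strips extension from ClientHello:",
          handshake(secret, CLIENT_EXTS, SERVER_EXTS, rewrite_ch=strip_renegotiation_info))
    print("MITM injects fake extension, empties ServerHello reply:",
          handshake(secret, [], SERVER_EXTS, rewrite_ch=inject_fake_renegotiation_info,
                    rewrite_sh=strip_renegotiation_info))
    print("MITM forges Finished without master secret:", forged_finished_accepted(secret, b"ch+sh"))
```

Because each side hashes the Hellos as it saw them, the two transcripts diverge as soon as the attacker inserts, removes or empties an extension, so both Finished checks fail and the handshake aborts; and since the attacker never learns the master secret of the inner handshake, it cannot compute a substitute Finished for either side. The caveat Yair raises still holds at the policy level: a client that reacts to the failure by retrying without the extension has downgraded itself, which is why the server-side decision Marsh describes matters.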


Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.