Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Yoav Nir wrote:
>
> On Nov 9, 2009, at 3:45 PM, Marsh Ray wrote:
>
> > Yair Elharrar wrote:
> >> The proposed draft is intended to resolve an MITM attack scenario,
> >> but is the new extension tamper-resistant?
It is tamper resistant in the same fashion as the rest of SSL/TLS.
No more, but also no less!
>
> > IIRC, earlier SSLs did not cover extensions with a MAC.
Those that have this problem are not interoperable with a
TLS+extensions handshake (which might be why some browsers added
a handshake retry mechanism for a naked SSLv3 ClientHello).
>
> I think SSLv3 did not allow for client extensions at all, and TLSv1.0
> already covered everything.
The problem with SSLv3 is that the spec was finalized after the
implementations had been shipped. :-|
If I refer to SSLv3, I always base my assumption on the
SSLv3 internet draft document from Nov 18, 1996, which was
the starting point for TLS v1.0. It contains the following note
at the top of page 24 (5.6.1.2. ClientHello):
Forward compatibility note:
In the interests of forward compatibility, it is
permitted for a client hello message to include
extra data after the compression methods. This data
must be included in the handshake hashes, but must
otherwise be ignored.
Which means in principle that SSLv3 allows extensions to be used,
and the extra data will be integrity protected by the finished messages
of the handshake.
If you look at the TLSv1.0 spec (rfc2246) and TLSv1.1 spec (rfc4346),
neither contains extension data in the ServerHello in the base spec.
Is there a reason why TLS extensions should _NOT_ be applicable
to SSLv3 in just the same way they're applicable to TLSv1.0 and TLSv1.1 ?
There may be SSLv3 servers out there that choke on extension data
in the ClientHello. But that doesn't mean that one could not
upgrade SSLv3 servers to support TLS extensions. The more interesting
question is IMHO -- which TLS clients will choke when an SSLv3 server
returns a ServerHello extension? Spec-wise, a ServerHello extension
is as unusual to SSLv3 as it is to TLSv1.0.
-Martin
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
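As an added illustration of the point Martin makes about the forward compatibility note (this is example code written for this page, not code from the mail, the draft, or any TLS implementation): the block below builds an SSLv3/TLS 1.0-style ClientHello, returns whatever follows the compression_methods vector as opaque "extra" data, interprets that data as a TLS extensions vector, and shows that the extra bytes are part of the MD5 and SHA-1 handshake transcript hashes that feed the Finished computation. The version numbers, random, cipher suites and the server_name extension contents are constructed sample input (type 0 is the server_name code point from RFC 3546/4366); the PRF/MAC step of Finished itself is left out, since what matters here is which bytes are hashed.

```python
"""Added example: ClientHello with trailing extension data and the
handshake hash input that the Finished messages protect.  Not from the
original mail or any real TLS stack; sample values are constructed."""
import hashlib
import struct

HANDSHAKE_CLIENT_HELLO = 1


def build_client_hello(version, client_random, session_id, cipher_suites,
                       compression_methods, extensions=None):
    """Return a complete handshake message: type, 24-bit length, body.
    If extensions is given, a TLS 1.0-style extensions vector is appended
    after compression_methods (the SSLv3 draft's "extra data")."""
    assert len(client_random) == 32
    body = struct.pack(">H", version) + client_random
    body += bytes([len(session_id)]) + session_id
    body += struct.pack(">H", 2 * len(cipher_suites))
    body += b"".join(struct.pack(">H", cs) for cs in cipher_suites)
    body += bytes([len(compression_methods)]) + bytes(compression_methods)
    if extensions is not None:
        blob = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack(">H", len(blob)) + blob
    return bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg):
    """Parse the fixed ClientHello fields.  Everything left after
    compression_methods is returned untouched as 'extra', which is what
    an SSLv3 implementation following the note would hash but ignore."""
    if msg[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    pos = 0
    version, = struct.unpack_from(">H", body, pos); pos += 2
    client_random = body[pos:pos + 32]; pos += 32
    sid_len = body[pos]; pos += 1
    session_id = body[pos:pos + sid_len]; pos += sid_len
    cs_len, = struct.unpack_from(">H", body, pos); pos += 2
    if cs_len % 2:
        raise ValueError("odd cipher_suites length")
    cipher_suites = [struct.unpack_from(">H", body, pos + i)[0]
                     for i in range(0, cs_len, 2)]
    pos += cs_len
    cm_len = body[pos]; pos += 1
    compression_methods = list(body[pos:pos + cm_len]); pos += cm_len
    return {"version": version, "random": client_random,
            "session_id": session_id, "cipher_suites": cipher_suites,
            "compression_methods": compression_methods, "extra": body[pos:]}


def parse_extensions(extra):
    """Interpret trailing ClientHello data as a TLS extensions vector;
    an empty tail means a hello without extensions."""
    if not extra:
        return []
    total, = struct.unpack_from(">H", extra, 0)
    if total != len(extra) - 2:
        raise ValueError("extensions length does not match trailing data")
    exts, pos = [], 2
    while pos < len(extra):
        etype, elen = struct.unpack_from(">HH", extra, pos); pos += 4
        data = extra[pos:pos + elen]; pos += elen
        if len(data) != elen:
            raise ValueError("truncated extension")
        exts.append((etype, data))
    return exts


def handshake_hashes(*messages):
    """MD5 || SHA-1 over the concatenated handshake messages: the transcript
    digests that the SSLv3 and TLS 1.0 Finished computations are built on."""
    transcript = b"".join(messages)
    return hashlib.md5(transcript).digest() + hashlib.sha1(transcript).digest()


def tamper_detection_demo():
    """Constructed hello carrying a server_name extension (type 0).  Flipping
    one bit inside the extension changes the transcript hash, so the peer's
    Finished would no longer verify: the extra data is integrity protected."""
    host = b"example.com"
    name_list = b"\x00" + struct.pack(">H", len(host)) + host   # host_name entry
    sni = struct.pack(">H", len(name_list)) + name_list
    hello = build_client_hello(0x0300, bytes(range(32)), b"",
                               [0x000a, 0x002f], [0], [(0, sni)])
    fields = parse_client_hello(hello)
    tampered = bytearray(hello)
    tampered[-1] ^= 0x01   # last byte of the hostname, inside the extension
    return {"version": fields["version"],
            "cipher_suites": fields["cipher_suites"],
            "extensions": parse_extensions(fields["extra"]),
            "hash_changed": handshake_hashes(hello) != handshake_hashes(bytes(tampered))}


if __name__ == "__main__":
    print(tamper_detection_demo())
```

The parser deliberately stops at compression_methods and hands back the tail, mirroring the draft's rule ("must be included in the handshake hashes, but must otherwise be ignored"); only a caller that knows about extensions interprets the tail, and either way the full message, tail included, goes into handshake_hashes.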