Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

To: "tls at ietf.org" <tls at ietf.org>
Subject: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
From: Marsh Ray <marsh at extendedsubset.com>
Date: Mon, 09 Nov 2009 14:26:17 -0600
Delivered-to: tls at core3.amsl.com
In-reply-to: <CE2A65CAAFE55048BA6682475F9A7DBF5EA6E601B9 at ACLMAIL01.corp.audiocodes.com>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Openpgp: id=1E36DBF2
References: <CE2A65CAAFE55048BA6682475F9A7DBF5EA6E59A16 at ACLMAIL01.corp.audiocodes.com> <4AF81CFF.8010803 at extendedsubset.com>, <4AF86EDF.3090004 at jacaranda.org> <CE2A65CAAFE55048BA6682475F9A7DBF5EA6E601B9 at ACLMAIL01.corp.audiocodes.com>
User-agent: Thunderbird 2.0.0.23 (Windows/20090812)

Yair Elharrar wrote:
> David-Sarah Hopwood wrote:
>> To prevent this attack, they don't have to disallow connections,
>> only renegotiations in which the extension is not used.
>> 
> 
> That's a very good point. Perhaps the draft could be changed to
> reflect that? I can't see any reason why an airport kiosk would need
> to renegotiate an HTTPS connection (these devices rarely have client
> certificates installed); however it should be allowed to connect to
> secure web sites.

Here are some reasons to strongly encourage it:

A variation of the attack involves the client seeing the renegotiation
with MITM and the server sees just a single session. I believe but have
not proven that this bug is not uncommon among typical clients. If TLS
allows connections with anonymous servers (and possibly authenticated
clients), then it violates the same identity guarantee implied by the spec.

At some point in the future it will be a good indication that the client
software is poorly-maintained. Some admins will prefer not to exchange
confidential data with such systems.

Absence of the extension will also raise flags on network monitoring
equipment. Consistent usage will make detection more reliable.

Here are some reasons not to encourage it so strongly:

The attack in which the renegotiation is only seen on the client side
usually requires a logic error on the client's part, so it might not be
a concern of the TLS spec.

Somewhere, someone is doing something over TLS that is not vulnerable
because neither side ever will ever allow renegotiation. Unfortuantely,
this can only be determined by direct inspection of the code at both ends.

- Marsh

References:
- [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Yair Elharrar
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Marsh Ray
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: David-Sarah Hopwood
- Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
  - From: Yair Elharrar

Prev by Date: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Next by Date: [TLS] assert TLSext in renego-ServerHello instead of disable renego
Previous by thread: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Next by thread: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Index(es):
- Date
- Thread

Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.