Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
David-Sarah Hopwood wrote:
> Marsh Ray wrote:
>> Yair Elharrar wrote:
>>> In addition, until such time that all clients in the world start
>>> supporting this extension (e.g. kiosks in airports), servers will
>>> have to support backward compatibility.
>>
>> It will be a trade-off for each server admin to weigh and decide their
>> policy. I suspect many admins will prefer not to allow insecure
>> connections from unpatched airport kiosks.
>
> To prevent this attack, they don't have to disallow connections, only
> renegotiations in which the extension is not used.
Even that can be further refined. You can freely renegotiate an authenticated session, as long as the renegotiation does not involve an identity change.
Obviously, if the first handshake includes client authentication, any renegotiation that includes the same client cert is fine.
If the session is authenticated by the application (as in an HTTPS login page) it's also possible to renegotiate with impunity, but the interaction here between the application and the TLS layer may be too sensitive and bug-prone to specify in the draft. For example, if an SSTP server renegotiates after the client has authenticated (through PPP), I don't think there's a security risk in not implementing the extension.
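
The TLS-level rule discussed in this thread, sketched as a server-side policy check. This is an added example, not part of the original message or of any TLS library; the `Handshake` model, `allow_renegotiation` and the certificate bytes are hypothetical and constructed for illustration. Application-level authentication (the HTTPS login and SSTP cases) is deliberately left out and falls through to refusal.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Handshake:
    """What the server observed in one handshake (hypothetical model)."""
    secure_reneg_ext: bool            # peer used the renegotiation extension
    client_cert_der: Optional[bytes]  # DER client certificate, None if absent


def _fingerprint(der: bytes) -> bytes:
    # Compare certificates by SHA-256 over the full DER encoding.
    return hashlib.sha256(der).digest()


def allow_renegotiation(initial: Handshake, reneg: Handshake) -> Tuple[bool, str]:
    """Decide whether a renegotiation may proceed on an existing connection."""
    # Peers that use the extension are always allowed to renegotiate.
    if reneg.secure_reneg_ext:
        return True, "extension used"
    # Without the extension, the first handshake must already carry a
    # TLS-level identity, otherwise there is nothing to compare against.
    if initial.client_cert_der is None:
        return False, "first handshake had no client certificate"
    # Dropping the certificate counts as an identity change.
    if reneg.client_cert_der is None:
        return False, "renegotiation omitted the client certificate"
    same = hmac.compare_digest(_fingerprint(initial.client_cert_der),
                               _fingerprint(reneg.client_cert_der))
    if same:
        return True, "same client certificate"
    return False, "client identity changed"


# Constructed stand-ins for DER certificates (not real certificates).
CERT_A = b"constructed-der-certificate-A"
CERT_B = b"constructed-der-certificate-B"

if __name__ == "__main__":
    cases = [
        (Handshake(False, None), Handshake(True, CERT_A)),
        (Handshake(False, CERT_A), Handshake(False, CERT_A)),
        (Handshake(False, None), Handshake(False, CERT_A)),
        (Handshake(False, CERT_A), Handshake(False, CERT_B)),
    ]
    for first, second in cases:
        print(allow_renegotiation(first, second))
```

The third case, an unauthenticated first handshake followed by a renegotiation that introduces a client certificate without the extension, is the one this policy refuses while still accepting the initial connection from a legacy client.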