Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego

To: tls at ietf.org
Subject: Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
From: Michael D'Errico <mike-list at pobox.com>
Date: Mon, 09 Nov 2009 21:18:44 -0800
Delivered-to: tls at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=message-id :date:from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; s=sasl; bh=PeqMve7JU6Ju LPDLgtxJS/FDgyg=; b=Y9qo7LcTqH7rdrNfAgPFRYPCmbbgZ+C3Wh8tnrqhTgcC Qw08AsgSQtvbTYIHi79QKTjGrZGJLD3ml4/BcLGx/nzYbTYUT6bl5C8FtYjoeE3a 4KFq73w41XH2GCwyIUWiYg6EyxAQBx947fbrtbq0i+trV1B5JO3jbMYIxBCrTpc=
Domainkey-signature: a=rsa-sha1; c=nofws; d=pobox.com; h=message-id:date :from:mime-version:to:subject:references:in-reply-to :content-type:content-transfer-encoding; q=dns; s=sasl; b=uZLzyt knGzAF74CU5y+s5KmfTi50vYtSc0p+o3747czhGDvMjGTHhrbYf+rapLc84yA4Bx e8oQJbQ3wBGGzKmNHkBr0M6gA7t8UIMRH1DKWlf/ntH7AaCIDzTyhCVU+QF/Tsn8 jLjiQGyRxEDaZjO+DffJTTRsNZWLo6YdKwba0=
In-reply-to: <4AF8EF8F.3090100 at jacaranda.org>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <200911092035.nA9KZviE026489 at fs4113.wdf.sap.corp> <4AF8EF8F.3090100 at jacaranda.org>
User-agent: Thunderbird 2.0.0.23 (Macintosh/20090812)

Suppose that the client sent an SSLv3 ClientHello
with client_version = 3.1 (or higher). Assuming the server supports TLS,
then TLS will be negotiated. So when the client sends the renegotiation,
it knows that it is safe to send extensions. The attack is prevented as
long as the renegotiating handshake uses the extension; it is not necessary
for the initial handshake to have used it.


The problem is that your initial handshake *is* the renegotiation!
(from the server's point of view)

A client needs to send an empty Renegotiation_Info so that the server
can ascertain whether an attack is taking place.  Otherwise it may be
configured to let you "re"negotiate for practical reasons, and you just
bought someone a pizza.

The scary thing is that a truly paranoid client can't connect to any
unpatched server that asks for credentials immediately.

Mike

Follow-Ups:
- Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
  - From: David-Sarah Hopwood

References:
- [TLS] assert TLSext in renego-ServerHello instead of disable renego
  - From: Martin Rex
- Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
  - From: David-Sarah Hopwood

Prev by Date: Re: [TLS] draft-rescorla-tls-renegotiate and MITM resistance
Next by Date: Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
Previous by thread: Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
Next by thread: Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego
Index(es):
- Date
- Thread

Re: [TLS] assert TLSext in renego-ServerHello instead of disable renego

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.