Re: [TLS] Proposal for hybrid solution using most of the ideas

On 11/18/09 10:10 PM, "David-Sarah Hopwood" <david-sarah at jacaranda.org>
wrote:
> Falling back to SSLv3 on a renegotiating handshake is not necessary,

From the client's perspective, it's an initial negotiation, not a
renegotiation. 

> because the server needs to be patched in order for a renegotiating
> handshake to succeed. If it is patched, then it is TLS- and
> extension-tolerant.

That may be(come) true, but most browsers are currently doing fallback to
SSLv3 when things go wrong during (initial) negotiation. That code is in the
apps, not the SSL/TLS libraries.

For that to become true, you'd have to fix all the servers to handle TLS
(nontrivial in old code I understand) *AND* you'd have to get clients to
stop falling back to SSLv3. They couldn't stop falling back until the need
to fall back (i.e., broken TLS server implementations) disappears, which may
take a long time when you consider old code. It will take another long time
for browsers to stop falling back.

By the way, I'm assuming requiring SSLv3 to support the extension is a
non-starter. I realize it's conceptually straightforward to add, but we're
talking about adding a major mechanism to the protocol and requiring its use
immediately and unconditionally. The client must never send another Client
Hello without this extension... If the bad guy can influence the client not
to send the extension (e.g., by pretending to be a server that barfs on
SSLv3 extensions), and so the browser retries without the extension, he's
hosed.

I have heard from at least one implementer that requiring SSLv3 clients to
send extensions would have high potential for interoperability problems.

As long as it's possible for a MitM to cause the client to omit the
extension in any way, the extension can't help the client.

Now with all that said, I still think the right solution is to use the
extension in TLS, since it's architecturally pretty clean; lots of related
arguments have been made by others along these lines already. I just think
that it's not going to work for SSLv3, and something must be done for SSLv3,
or it must be turned off completely in clients.

So, I agree with Nasko - two mechanisms - an extension for TLS (and TLS
*never* sends another Client Hello without the extension), and an SSLv3 hack
of some sort.

 -Steve
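Added example, not part of Steve's message or anything else in this thread: a Python model of the two client behaviours the post contrasts. It encodes a minimal ClientHello (a constructed encoder, just enough to carry extensions), checks whether a hello advertises the renegotiation extension (type 0xff01, the number RFC 5746 later assigned to renegotiation_info; the 0x002F cipher suite and the fixed 'random' are sample values), and drives two client policies against a peer that rejects any hello carrying the extension. That peer stands in for both a broken server and an attacker in the path, which the client cannot tell apart. The "downgrade dance" policy ends up connected without the extension; the "strict TLS" policy fails closed instead.

```python
import struct

# Extension type for renegotiation_info, the number RFC 5746 assigned to the
# extension this thread discusses. The ClientHello encoder below is a minimal
# constructed one: enough to carry that extension, nothing more.
RENEGOTIATION_INFO = 0xFF01
TLS_1_0 = (3, 1)
SSL_3_0 = (3, 0)
SUITES = [0x002F]  # TLS_RSA_WITH_AES_128_CBC_SHA; one suite is enough here
INITIAL_RI = (RENEGOTIATION_INFO, b"\x00")  # empty renegotiated_connection


def build_client_hello(version, cipher_suites, extensions):
    """Encode a ClientHello handshake message (handshake header, no record layer)."""
    body = bytes(version)
    body += b"\x11" * 32                     # constructed 'random', not secure
    body += b"\x00"                          # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                      # one compression method: null
    if extensions is not None:               # SSLv3-style hello has no block
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    return b"\x01" + struct.pack("!I", len(body))[1:] + body


def parse_extensions(hello):
    """Return {type: data} for the extensions in a ClientHello ({} if absent)."""
    if hello[0] != 0x01:
        raise ValueError("not a ClientHello")
    (length,) = struct.unpack("!I", b"\x00" + hello[1:4])
    body = hello[4:4 + length]
    pos = 2 + 32                             # skip client_version and random
    pos += 1 + body[pos]                     # session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                        # cipher_suites
    pos += 1 + body[pos]                     # compression_methods
    if pos == len(body):
        return {}
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    exts = {}
    while pos < end:
        ext_type, data_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        exts[ext_type] = body[pos:pos + data_len]
        pos += data_len
    return exts


def advertises_secure_renegotiation(hello):
    return RENEGOTIATION_INFO in parse_extensions(hello)


def downgrade_dance():
    """Fallback the post describes in browsers of the time: try TLS with the
    extension, then retry as SSLv3 with no extensions at all."""
    return [build_client_hello(TLS_1_0, SUITES, [INITIAL_RI]),
            build_client_hello(SSL_3_0, SUITES, None)]


def strict_tls():
    """Policy the post argues for: a TLS client never sends a ClientHello
    without the extension, so a rejected hello means a failed connection."""
    return [build_client_hello(TLS_1_0, SUITES, [INITIAL_RI])]


def extension_intolerant_peer(hello):
    """Peer that rejects any hello carrying renegotiation_info. The client
    cannot tell a genuinely broken server from someone in the path forcing
    the same rejection, which is the whole problem."""
    return not advertises_secure_renegotiation(hello)


def patched_peer(hello):
    """Peer that accepts any hello, extension or not."""
    return True


def negotiate(policy, peer):
    """Send the policy's hellos in order; return the first one the peer accepts,
    or None if the client gives up."""
    for hello in policy():
        if peer(hello):
            return hello
    return None


if __name__ == "__main__":
    for name, policy in (("downgrade dance", downgrade_dance), ("strict TLS", strict_tls)):
        h = negotiate(policy, extension_intolerant_peer)
        state = "no connection" if h is None else (
            "protected" if advertises_secure_renegotiation(h) else "UNPROTECTED")
        print(f"{name:15s} vs intolerant/MitM peer: {state}")
```

The same `advertises_secure_renegotiation` check is what a patched server or a passive monitor would run on incoming hellos to see which clients still arrive without the extension; the policy half of the model is only the client-side decision the post is about, and deliberately leaves the "SSLv3 hack of some sort" unspecified, as the post does.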

