Re: [TLS] Proposal for hybrid solution using most of the ideas

To: Steve Dispensa <dispensa at phonefactor.com>
Subject: Re: [TLS] Proposal for hybrid solution using most of the ideas
From: Nelson B Bolyard <nelson at bolyard.me>
Date: Thu, 19 Nov 2009 00:39:55 -0800
Cc: "tls at ietf.org" <tls at ietf.org>
Delivered-to: tls at core3.amsl.com
In-reply-to: <C72A33ED.25989%dispensa at phonefactor.com>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
Organization: Network Security Services
References: <C72A33ED.25989%dispensa at phonefactor.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1b1pre) Gecko/20081004 NOT Firefox/2.0 SeaMonkey/2.0a2pre

On 2009-11-18 21:29 PST, Steve Dispensa wrote:
> On 11/18/09 10:10 PM, "David-Sarah Hopwood" <david-sarah at jacaranda.org> 
> wrote:
>> [...] the server needs to be patched in order for a renegotiating 
>> handshake to succeed. If it is patched, then it is TLS- and extension-
>> tolerant.
> 
> That may be(come) true, but most browsers are currently doing fallback to
> SSLv3 when things go wrong during (initial) negotiation. That code is in
> the apps, not the SSL/TLS libraries.
> 
> For that to become true, you'd have to fix all the servers to handle TLS
> (nontrivial in old code I understand) *AND* you'd have to get clients to
> stop falling back to SSLv3. They couldn't stop falling back until the 
> need to fall back (i.e., broken TLS server implementations) disappears, 
> which may take a long time when you consider old code. It will take 
> another long time for browsers to stop falling back.

Not necessarily.  When the browser community perceives that all the old
"TLS-intolerant" (and extension intolerant) servers are all vulnerable, and
when the perception of this vulnerability rises to the point where browser
makers believe their users demand a way to ensure that they no longer
connect to vulnerable servers (and hence become vulnerable), then the
support for fall-back could end rather quickly, I believe.

If the major browser makers all agree, then it might just get cut off cold
at some point.  Otherwise, it might appear as a user configurable option,
and if/when sufficient numbers of users flip that switch, and admins of
vulnerable servers see usage drop off, servers will finally get upgraded.

> So, I agree with Nasko - two mechanisms - an extension for TLS (and TLS 
> *never* sends another Client Hello without the extension), and an SSLv3 
> hack of some sort.

+1

References:
- Re: [TLS] Proposal for hybrid solution using most of the ideas
  - From: Steve Dispensa

Prev by Date: Re: [TLS] Proposal for hybrid solution using most of the ideas
Next by Date: [TLS] Need for S->C signaling
Previous by thread: Re: [TLS] Protocol version bit to use,
Next by thread: Re: [TLS] Proposal for hybrid solution using most of the ideas
Index(es):
- Date
- Thread

Re: [TLS] Proposal for hybrid solution using most of the ideas

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.