Re: [TLS] Need for S->C signaling


Stefan Santesson wrote:
>Just a question to make sure we have accurately exhausted this aspect.
>
>Is it really necessary for the Server to signal that it is patched other than 
>using a modified finished calculation if it is patched/upgraded?

Yes. If you use the finished message, the attack is still possible.

>One scenario could be:
>
>1) Client uses the magic cipher suite to signal that it is patched/upgraded.
>2) Client sends a normal finished message.
>3a) Un-patched server replies with normal finished message.
>3b) Patched server replies with upgraded finished message.
>
>This way the client could determine whether the server is patched or not
>and act accordingly and get the security context of renegotiation from the
>patched server.

Once the server replies with the Finished message, it would move to the
connected state and the HTTP stack is clear to execute the MiTM request. As
part of developing a proof of concept for our own testing, I've observed that
when connecting to an IIS server, the server sends CCS, Finished, App data.
Even if the client were to drop the connection, the request has been
executed and the attack is carried out.

>There are probably reasons why this is not a good idea. I'm just not really
>sure what they are.
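
The timing argument above, as an added model that is not from the original message: it replays the renegotiation handshake against an unpatched server under the two signaling designs (a modified Finished only, as proposed in the quoted text, versus an explicit extension in the ServerHello, the approach RFC 5746 later took) and records at which message the client can tell the server is unpatched and what the server has already executed by then. The queued MiTM request text is constructed; only message order and server state are modelled, not TLS cryptography.

```python
from dataclasses import dataclass, field

# Constructed attacker request already queued on the server before the
# renegotiation with the victim client begins.
MITM_PREFIX = "GET /transfer?to=attacker HTTP/1.1 (constructed MiTM prefix)"

@dataclass
class Outcome:
    detected_at: str             # message at which the client learns the server is unpatched
    executed_at_detection: list  # requests the server's HTTP stack had run by that moment
    server_connected: bool       # whether the server reached connected state at all
    trace: list = field(default_factory=list)

def renegotiate_with_unpatched_server(design: str) -> Outcome:
    """Replay the message order of a renegotiation against an unpatched server
    under one signaling design: 'finished' (only an upgraded Finished marks a
    patched server) or 'server_hello' (an explicit extension in ServerHello)."""
    if design not in ("finished", "server_hello"):
        raise ValueError(f"unknown design: {design}")
    executed, trace = [], []

    def send(direction, msg):
        trace.append(f"{direction} {msg}")

    send("C->S", "ClientHello + SCSV")            # client signals that it is patched
    send("S->C", "ServerHello (no extension)")    # unpatched server has nothing to add
    if design == "server_hello":
        # The missing extension is visible now, before the client commits anything.
        send("C->S", "Alert (client aborts)")
        return Outcome("ServerHello", list(executed), False, trace)
    send("S->C", "Certificate, ServerHelloDone")
    send("C->S", "ClientKeyExchange, CCS, Finished")  # client commits before seeing server Finished
    send("S->C", "CCS, Finished (normal)")
    # The server is now in connected state: its HTTP stack runs the queued
    # request and answers it (the CCS, Finished, App data sequence seen on IIS).
    executed.append(MITM_PREFIX)
    send("S->C", "ApplicationData (response)")
    # Only now can the client compare a normal against an upgraded Finished.
    return Outcome("Finished", list(executed), True, trace)

if __name__ == "__main__":
    for design in ("finished", "server_hello"):
        o = renegotiate_with_unpatched_server(design)
        print(f"{design:12s} detected at {o.detected_at:11s} "
              f"executed before client could react: {o.executed_at_detection}")
```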


Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.