Re: [TLS] simplistic renego protection

To: tls at ietf.org
Subject: Re: [TLS] simplistic renego protection
From: David-Sarah Hopwood <david-sarah at jacaranda.org>
Date: Thu, 19 Nov 2009 19:20:00 +0000
Delivered-to: tls at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:subject:references:in-reply-to :x-enigmail-version:content-type; bh=d6ZisDKZ/L5X13l3VgZXYTl6/D/0KRPei+aGw6TFivM=; b=PB2dh7w3QFps55lT0eYu5h/p3+ut1qd6Zao/aJNKLw/doN5RosowrrhXg+Z+MWMCqA hzzHAO2Zh7rKCC2IwJaYXk6zMa1Zf5LQWs1K6CCljDlNKWR3m2A1CiTNW3yU7wpjPPaU DlfKjB8W9PbnWhcIEjM7U0ll/4NsdxQEBssi4=
Domainkey-signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:subject :references:in-reply-to:x-enigmail-version:content-type; b=xilMuHKsOj1Y7/XZkn1TM06qWLcMQDkkZZ1evmMZXxdxRdHn3Onh8ubKDrQMj2DqSD XyClyqPbt2ZbTe5eEij2kyLghpN+KhE0/O7s2ixEzHFPTQmmQQoQ9Cc2nt1LJVHNqPKB 4qXpbA51GmOX9m6Fy9nGvroBms/jkSCOYttOg=
In-reply-to: <4B059716.6010309 at jacaranda.org>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <200911182000.nAIK0Qkm013905 at fs4113.wdf.sap.corp> <4B04A792.7040607 at jacaranda.org> <B197003731D4874CA41DE7B446BBA3E829CD28F1 at TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com> <4B059716.6010309 at jacaranda.org>
Sender: David-Sarah Hopwood <djhopwood at googlemail.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.3) Gecko/20070326 Thunderbird/2.0.0.0 Mnenhy/0.7.5.666

David-Sarah Hopwood wrote:
> Nasko Oskov wrote:
>> David-Sarah Hopwood wrote:
>>> Martin Rex wrote:
>>>> There are going to be components out there that will not get patched.  
>>>> They might not implement renegotiation (or have it
>>>> disabled) and they're therefore not even vulnerable.
>>>>
>>>> But we can not simply brick them (deny to talk SSL to them in the 
>>>> future).
>>>>
>>>> So Browsers will likely have to continue to offer an fallback to 
>>>> extension-less ClientHello.
>>> This is a non-sequitur. Lenient clients don't need to send the extension in the
>>> ClientHello of an initial handshake. Strict clients must not be able to talk to
>>> unpatched servers, by definition.
>> I must be misunderstanding the attack. Why is the attack not possible
>> even when client doesn't send the RI extension on initial handshake?
> 
> Because the server knows that the connection is a renegotiation from its
> point of view, and therefore it rejects any handshake that doesn't
> contain the extension.
> 
>> If the MiTM sends a client hello to the server that has no extension, then
>> the server has no way to drop the connection. This will require a strict
>> server to prevent the attack and strict server config will not be reality
>> for a long time. What am I missing?
> 
> That, in the RI approach, strict server config is essential from the start.

Point of clarification: "strict server" here means that the server does
not accept *renegotiations* with an unpatched client. It still accepts
initial handshakes.

A "strict client", OTOH, will refuse to make even initial connections to
an unpatched server. So support for lenient (as well as strict) clients
is certainly necessary, but whether support for lenient servers is needed
is much less clear.

> We haven't yet established whether the ability to support lenient servers
> is a requirement. Eric has argued against allowing that; so have I.
> If lenient servers are allowed, then I think it will take *much* longer
> until the vulnerability is eliminated from most connections.
> 
> Remember, rejecting a renegotiating ClientHello does not necessarily lead
> to an interoperability failure; it only does so if the client will not
> reconnect.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com

Attachment: signature.asc
Description: OpenPGP digital signature

Follow-Ups:
- Re: [TLS] simplistic renego protection
  - From: Nelson B Bolyard
- Re: [TLS] simplistic renego protection
  - From: Nasko Oskov

References:
- Re: [TLS] simplistic renego protection
  - From: Martin Rex
- Re: [TLS] simplistic renego protection
  - From: David-Sarah Hopwood
- Re: [TLS] simplistic renego protection
  - From: David-Sarah Hopwood

Prev by Date: Re: [TLS] simplistic renego protection
Next by Date: Re: [TLS] Proposal for hybrid solution using most of the ideas
Previous by thread: Re: [TLS] simplistic renego protection
Next by thread: Re: [TLS] simplistic renego protection
Index(es):
- Date
- Thread

Re: [TLS] simplistic renego protection

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.