Re: [TLS] simplistic renego protection

To: tls at ietf.org
Subject: Re: [TLS] simplistic renego protection
From: David-Sarah Hopwood <david-sarah at jacaranda.org>
Date: Fri, 20 Nov 2009 18:41:27 +0000
Delivered-to: tls at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=gamma; h=domainkey-signature:received:received:sender:message-id:date:from :user-agent:mime-version:to:subject:references:in-reply-to :x-enigmail-version:content-type; bh=9i0+mCD+LSL4+Df5NjAy5ArQ6urxZm6TAamavgB8RXk=; b=moOPK7xX6bLQxZdNWkmOew77GAZB9UppjqeP//b0RN3ao2msUFT4v4fXGw5ddHlkDI xugImQkwmfNgtHCHIpfwEHrS2zbq+a/MAfg4/jsU+AOPhCBfm/w8ov0KlEGFg2ovozbE +G6to6cqp+M9Jiep/kp9WfELlIVkbvps6aKLM=
Domainkey-signature: a=rsa-sha1; c=nofws; d=googlemail.com; s=gamma; h=sender:message-id:date:from:user-agent:mime-version:to:subject :references:in-reply-to:x-enigmail-version:content-type; b=T+wdP3hJaPCNXPHLdrWB3GfBaPapjOiqsT4E9Irz8lucnNpgBvsyGiE5Op8/Jz2Awc cMyPTeF8bH0rbSUxong+DOdnzJISy1wgDJ5UcLicBLBuUSRyz9eJd1kUENiuNoSEr90N kDeJIvrvmvR/Hw7TEYY5Yt1xfR7VaTalot9h8=
In-reply-to: <C72BFA89.67A2%stefan at aaa-sec.com>
List-archive: <http://www.ietf.org/mail-archive/web/tls>
List-help: <mailto:tls-request@ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-post: <mailto:tls@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
References: <C72BFA89.67A2%stefan at aaa-sec.com>
Sender: David-Sarah Hopwood <djhopwood at googlemail.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.3) Gecko/20070326 Thunderbird/2.0.0.0 Mnenhy/0.7.5.666

Stefan Santesson wrote:
> On 09-11-20 5:24 AM, "Michael D'Errico" <mike-list at pobox.com> wrote:
> 
>> Some servers apparently cannot function without renegotiation.
>> They will need to continue providing service to unpatched
>> clients for some amount of time and thus remain vulnerable.
>
> I fully agree,
> 
> However, just because a server accepts renegotiation with an unpatched
> client, does not necessarily mean that the service provided over TLS is
> vulnerable.
> 
> One example is if authentication is performed with proper channel binding in
> a layer above TLS and the service is provided under that security context.

I'm skeptical. How can "proper channel binding" be done correctly in a
layer above TLS, if the TLS library merges renegotiated sessions?
Since the session merging will result in the client and server's state
at the higher layer(s) being out of sync, nothing can be assumed about
the correct functioning of those layers.

> I second that lenient server - unpatched client must work while ensuring
> that lenient server - lenient client can't be abused using downgrade
> attacks.

Obviously *if* lenient servers are supported, then we need to make sure
that lenient patched server - lenient patched client connections are
secure. But I remain unconvinced that lenient servers need to be supported.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com

Attachment: signature.asc
Description: OpenPGP digital signature

Follow-Ups:
- Re: [TLS] simplistic renego protection
  - From: Ben Laurie
- Re: [TLS] simplistic renego protection
  - From: Stefan Santesson

References:
- Re: [TLS] simplistic renego protection
  - From: Stefan Santesson

Prev by Date: [TLS] RC4+3DES rekeying - long-lived TLS connections
Next by Date: Re: [TLS] Need for S->C signaling
Previous by thread: Re: [TLS] simplistic renego protection
Next by thread: Re: [TLS] simplistic renego protection
Index(es):
- Date
- Thread

Re: [TLS] simplistic renego protection

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.