Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard
Xiaoyin Liu <xiaoyin.l@outlook.com> Wed, 21 January 2015 04:01 UTC
Return-Path: <xiaoyin.l@outlook.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 202EE1A0278 for <tls@ietfa.amsl.com>; Tue, 20 Jan 2015 20:01:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.402
X-Spam-Level: *
X-Spam-Status: No, score=1.402 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=1, HTML_MESSAGE=0.001, MANGLED_LOW=2.3, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FCrdy8TJkjO8 for <tls@ietfa.amsl.com>; Tue, 20 Jan 2015 20:01:31 -0800 (PST)
Received: from BAY004-OMC1S17.hotmail.com (bay004-omc1s17.hotmail.com [65.54.190.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE0C41A0270 for <tls@ietf.org>; Tue, 20 Jan 2015 20:01:31 -0800 (PST)
Received: from BAY180-W68 ([65.54.190.59]) by BAY004-OMC1S17.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.22751); Tue, 20 Jan 2015 20:01:31 -0800
X-TMN: [YpwbqTykcJFCaoCxWW2BlSxF96IHYGW+]
X-Originating-Email: [xiaoyin.l@outlook.com]
Message-ID: <BAY180-W688DE2930CB7F231E60989FF480@phx.gbl>
Content-Type: multipart/alternative; boundary="_99eff871-74bb-4488-a368-6e9c313ed2e7_"
From: Xiaoyin Liu <xiaoyin.l@outlook.com>
To: Brian Smith <brian@briansmith.org>, "mrex@sap.com" <mrex@sap.com>
Date: Tue, 20 Jan 2015 23:01:31 -0500
Importance: Normal
In-Reply-To: <CAFewVt6LRafnJN_L=xVeiAxNcpSB+8vPYzquPfjXsduudyj+QQ@mail.gmail.com>
References: <40128f312378442fbd26459bf5d7593b@usma1ex-dag1mb2.msg.corp.akamai.com>, <20150119192701.190C71B0FF@ld9781.wdf.sap.corp>, <CAFewVt6LRafnJN_L=xVeiAxNcpSB+8vPYzquPfjXsduudyj+QQ@mail.gmail.com>
MIME-Version: 1.0
X-OriginalArrivalTime: 21 Jan 2015 04:01:31.0502 (UTC) FILETIME=[F09838E0:01D0352E]
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Hvm153k8sA5r7t8955ISPXAIs24>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Jan 2015 04:01:35 -0000
Hi, I just finished a scan of Alexa top 1 million websites to test for TLS version intolerance. I hope this information can be useful in the discussion of downgrade SCSV. For each site, I made at most four attempts with the following order to fallback: (TLS 1.3, TLS 1.3) -> (TLS 1.0, TLS 1.3) -> (TLS 1.0, TLS 1.2) -> (TLS 1.0, TLS 1.0) where the first is TLS record layer version, and the second is Client Hello version. Here is the result: (1) Number of sites scanned: 1,000,001 (2) Number of DNS Error: 45,402 (3) Number of sites that refuse TCP connection on port 443 (RST, timeout): 289,334 (4) Number of sites that fail sending ServerHello in all 4 attempts: 238,846 (5) Number of sites that are tolerant to (TLS1.3, TLS1.3): 397,152 (93.1%) (6) Number of sites that need to fallback to (TLS1.0, TLS1.3): 22,461 (5.3%) (7) Number of sites that need to fallback to (TLS1.0, TLS1.2): 6,352 (1.5%) (8) Number of sites that need to fallback to (TLS1.0, TLS1.0): 454 (0.1%) The total number of TLS enabled sites is 426,419. TLS 1.3 intolerant sites (7 and 8) are about 1.6%. TLS 1.2 intolerant sites are about 0.1%. Also it shows setting a lower record layer version does improve compatibility a lot. An example is https://paypal.com is intolerant to (TLS 1.3, TLS 1.3) but is tolerant to (TLS 1.0, TLS 1.3). Please note that I did not validate certificates nor check the integrity of handshakes. I closed the connection immediately after receiving ServerHello. If my data is accurate, I am against making downgrade SCSV a proposed standard, and I believe browsers should stop insecure fallback. At least, the percentage of TLS 1.2 intolerant sites is low enough. For TLS 1.3, I think maybe browser vendors can announce a deadline, after which fallback to TLS 1.2 will no longer be accepted? Or simply break them? Both are reasonable to me. Also I want to point out that if even as few as 1.6% sites won't upgrade their servers, can we count on most of the rest 98% supporting SCSV? P.S. The statistic of Server Hello version is: (9) SSL 2.0: 0 (0.0%) (10) SSL 3.0: 413 (0.1%) (11) TLS 1.0: 176051 (41.3%) (12) TLS 1.1: 2261 (0.5%) (13) TLS 1.2: 247668 (58.1%) (14) Above TLS 1.2: 26 (0.0%, malformed response) The raw data of my scan result can be downloaded from here: https://onedrive.live.com/redir?resid=8D6F364311BB35F2!110&authkey=!AI5Kno4OzsXbkII&ithint=file%2czip. Best, Xiaoyin > Date: Mon, 19 Jan 2015 12:58:28 -0800 > From: brian@briansmith.org > To: mrex@sap.com > CC: tls@ietf.org > Subject: Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard > > Martin Rex <mrex@sap.com> wrote: > > Permitting the server to continue the TLS handshake with > > ServerHello.server_version = (ClientHello.client_version +1) > > > > This would be an extremely small change, but a *HUGE* improvement to this > > proposal and make TLS handshakes _succeed_, i.e. promote interop. > > This doesn't work. Consider this example of how your suggestion would work: > > Client and server both support TLS 1.2. > > Client attempts TLS 1.2, receives RST. > Client attempts TLS 1.1 w/ downgrade SCSV, receives RST. > Client attempts TLS 1.0 w/ downgrade SCSV, receives TLS 1.1 ServerHello. > > This results in a downgrade from TLS 1.2 to TLS 1.1. > > > Should a TLS client be unsatisfied with the properties of the resulting > > TLS session, that client could still decide attempting a new/different > > handshake by proposing additional features in ClientHello (that should > > have never been absent from ClientHello in the first place). > > I think at this point browsers are only "satisfied" when the > connection is TLS 1.2 using an AEAD cipher suite, but they still feel > the need to support servers that only support worse crypto. So, this > part of the idea doesn't work either. > > > It's not that suggestions to improvement to this proposal haven't been > > made. It's really disappointing to see this go _through_ the TLS WG > > and not seeing any improvement whatsoever, and then going straight > > to asking for rubber-stamping it. > > I don't think that the characterization of "rubber-stamping" is > accurate or helpful for moving the discussion forward. > > I DO think it would be useful for the IETF to wait ~8 weeks to see the > results of Firefox's experiment in disabling the non-secure fallback, > and to see the results of studies of TLS 1.3 intolerance with > ClientHello messages with different record-level version numbers. If > it turns out to be reasonable for web browsers to stop doing the > non-secure fallback, then it really would be bad policy for IETF to > make the downgrade a proposed standard, because the downgrade SCSV > will always be limited in effectiveness by the fact that a huge number > of servers will not deploy the downgrade SCSV mechanism any time soon. > Still, it's not clear yet that web browsers can reasonably stop doing > the non-secure fallback, so I think it makes sense to have the > downgrade SCSV mechanism ready as insurance. > > Cheers, > Brian > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-0… The IESG
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Salz, Rich
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Stephen Farrell
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Stephen Farrell
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Hanno Böck
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Yuhong Bao
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Adam Langley
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Andrei Popov
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Watson Ladd
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Brian Smith
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Jeffrey Walton
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Yoav Nir
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Eric Rescorla
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Salz, Rich
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Colm MacCárthaigh
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Yuhong Bao
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Salz, Rich
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Brian Smith
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Salz, Rich
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Xiaoyin Liu
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Yoav Nir
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Xiaoyin Liu
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Yoav Nir
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Xiaoyin Liu
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael D'Errico
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- [TLS] advertizing the minimum TLS supported versi… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Jeffrey Walton
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- Re: [TLS] advertizing the minimum TLS supported v… Michael Clark
- Re: [TLS] advertizing the minimum TLS supported v… Michael Clark
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Hubert Kario
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Henrik Grubbström
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Henrik Grubbström
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Bodo Moeller
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Dave Garrett
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Eric Rescorla
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Michael Clark
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Henrik Grubbström
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Nikos Mavrogiannopoulos
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Stephen Farrell
- Re: [TLS] Last Call: <draft-ietf-tls-downgrade-sc… Martin Rex