Date: Sun, 18 Jan 2015 21:12:01 +0100
From: bmoeller(_at_)acm(_dot_)org
To: ietf(_at_)ietf(_dot_)org
CC: tls(_at_)ietf(_dot_)org
Subject: Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt>
(TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing
Protocol Downgrade Attacks) to Proposed Standard
Jeffrey Walton <noloader(_at_)gmail(_dot_)com>:
Bodo Moeller <bmoeller(_at_)acm(_dot_)org> wrote:
Also, quite clearly, we can't yet know how the TLS 1.3 (1.4, 1.5, ...)
rollout will work out.
The WG should be solving problems that do exist; and not manufactured
problems or theoretical future problems that don't exist.
I can't entirely agree with the second part of this statement: presumably
everyone in the TLS WG is well aware of past design decisions that
didn't take into account problems that didn't exist then but should
have been foreseeable. (Related: I really shouldn't have had to
write https://www.openssl.org/~bodo/ssl-poodle.pdf to kill off the
fallback to SSL 3.0 in practice ... the "insecure fallback" to earlier
protocol versions, including SSL 3.0, was a known "theoretical
problem", and deserving of being addressed independently of concrete
attacks).
POODLE being in the news probably helped push admins to fix these servers,
though it wasn't initially made clear that TLS extension intolerance can also
cause SSLv3 fallback.
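The mechanism under discussion, as an added illustration that is not part of the thread, the draft, or any real TLS stack: a toy model of browser-style "insecure fallback" and of the TLS_FALLBACK_SCSV check that the draft asks servers to perform. The SCSV cipher suite value (0x5600), the inappropriate_fallback alert (86) and the protocol version numbers are taken from the draft; the `Server`, `Mitm` and `connect_with_fallback` names, the fallback order and the "buggy server" flags (version intolerance, extension intolerance) are constructed for this example. No real handshake bytes are produced.

```python
"""Toy model of TLS_FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).

Simulation only, written for this example: no TLS records are built.
0x5600 and alert 86 are the values reserved by the draft; everything
else (classes, flags, fallback order) is an assumption made here.
"""
from dataclasses import dataclass

SSL30, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600        # signaling cipher suite value from the draft
INAPPROPRIATE_FALLBACK = 86       # alert description from the draft
FALLBACK_ORDER = (TLS12, TLS11, TLS10, SSL30)


@dataclass
class ClientHello:
    client_version: int
    cipher_suites: tuple
    extensions: tuple = ()


class HandshakeFailure(Exception):
    """Connection dropped before a ServerHello: what makes clients fall back."""


class FatalAlert(Exception):
    def __init__(self, description):
        super().__init__(description)
        self.description = description


class Server:
    def __init__(self, max_version, supports_scsv=True,
                 version_intolerant=False, extension_intolerant=False):
        self.max_version = max_version
        self.supports_scsv = supports_scsv
        self.version_intolerant = version_intolerant      # assumed bug flag
        self.extension_intolerant = extension_intolerant  # assumed bug flag

    def accept(self, hello):
        # Deployed-server bugs modelled here: choking on a newer version or on any extension.
        if self.version_intolerant and hello.client_version > self.max_version:
            raise HandshakeFailure("version-intolerant server reset the connection")
        if self.extension_intolerant and hello.extensions:
            raise HandshakeFailure("extension-intolerant server reset the connection")
        # The draft's server rule: SCSV present while the client offers less than our
        # highest version means some failure made the client retry downward; refuse it.
        if (self.supports_scsv and TLS_FALLBACK_SCSV in hello.cipher_suites
                and hello.client_version < self.max_version):
            raise FatalAlert(INAPPROPRIATE_FALLBACK)
        return min(hello.client_version, self.max_version)


class Mitm:
    """Active attacker who resets every handshake above `floor` (the POODLE setting)."""
    def __init__(self, server, floor=SSL30):
        self.server, self.floor = server, floor

    def accept(self, hello):
        if hello.client_version > self.floor:
            raise HandshakeFailure("attacker reset the connection")
        return self.server.accept(hello)


def connect_with_fallback(peer, use_scsv=True, order=FALLBACK_ORDER):
    """Browser-style insecure fallback: after a failed handshake, retry one version
    lower. Extensions go on every TLS attempt and are dropped for the SSL 3.0 attempt
    (SSL 3.0 predates them), which is why extension intolerance ends in SSLv3.
    Returns (outcome, negotiated_version_or_alert, attempt_index)."""
    for attempt, version in enumerate(order):
        suites = (0x002F,)  # TLS_RSA_WITH_AES_128_CBC_SHA, placeholder real suite
        if attempt > 0 and use_scsv:
            suites += (TLS_FALLBACK_SCSV,)
        extensions = ("server_name",) if version > SSL30 else ()
        try:
            return ("ok", peer.accept(ClientHello(version, suites, extensions)), attempt)
        except FatalAlert as alert:
            return ("alert", alert.description, attempt)
        except HandshakeFailure:
            continue
    return ("fail", None, len(order))


def run_scenarios():
    modern = Server(TLS12)
    return {
        "modern_direct": connect_with_fallback(modern),
        # Attacker forces a TLS 1.2 server down to SSL 3.0: succeeds without the SCSV.
        "mitm_no_scsv": connect_with_fallback(Mitm(modern), use_scsv=False),
        "mitm_scsv": connect_with_fallback(Mitm(modern)),
        # Extension-intolerant server without SCSV support: lands on SSL 3.0.
        "ext_intolerant_old": connect_with_fallback(
            Server(TLS12, supports_scsv=False, extension_intolerant=True)),
        # Same bug, but the server implements the SCSV: the downgrade is refused.
        "ext_intolerant_scsv": connect_with_fallback(Server(TLS12, extension_intolerant=True)),
        # Genuinely SSL 3.0-only, version-intolerant server: the SCSV does not break it.
        "legacy_ssl3": connect_with_fallback(Server(SSL30, version_intolerant=True)),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:20s} {result}")
```

The two "ext_intolerant" scenarios are the point raised in the last paragraph: an extension-intolerant server that has not deployed the SCSV still ends up on SSLv3 (the first ClientHello without extensions is the SSL 3.0 one), while the same server with the SCSV check refuses that handshake outright, so the operator sees a failure to fix instead of a silent downgrade.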