ietf
[Top] [All Lists]

RE: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks) to Proposed Standard

2015-01-20 09:54:40
This does not mean that every browser will do it.

True, but if FF is able to stick with this, and roll it out into production, 
that's a strong indication that other browsers may be able to do the same. And, 
of course, this eliminates the fallback problem at the root.

One remaining issue, however, is reported high rates of TLS 1.3 version 
intolerance.

Cheers,

Andrei

-----Original Message-----
From: TLS [mailto:tls-bounces(_at_)ietf(_dot_)org] On Behalf Of Yuhong Bao
Sent: Friday, January 16, 2015 12:05 PM
To: Hanno Böck; tls(_at_)ietf(_dot_)org
Cc: ietf(_at_)ietf(_dot_)org
Subject: Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS 
Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade 
Attacks) to Proposed Standard

This does not mean that every browser will do it.

----------------------------------------
Date: Fri, 16 Jan 2015 21:03:27 +0100
From: hanno(_at_)hboeck(_dot_)de
To: tls(_at_)ietf(_dot_)org
CC: ietf(_at_)ietf(_dot_)org
Subject: Re: [TLS] Last Call: <draft-ietf-tls-downgrade-scsv-03.txt> (TLS 
Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade 
Attacks) to Proposed Standard


Recently Mozilla has disabled the now so-called protocol dance, which makes 
adding another workaround (SCSV) pretty much obsolete:
https://bugzilla.mozilla.org/show_bug.cgi?id=1084025#c7

And a few days ago mozilla dev Brian Smith tweetet this:
"Fx experiment to disable non-secure TLS version fallback is going even better 
than expected. Starting to feel silly for delaying it so long."
https://twitter.com/BRIAN_____/status/555138042428526593

I think this adds further evidence that adding another workaround layer
(SCSV) is the wrong thing to do. Instead browsers should just stop doing weird 
things with protocols that compromise security and drop the protocol dance 
completely.

(By the way: Has anyone thought what happens when people implement TLS hardware 
that is version intolerant to versions> 1.2 and at the same time send SCSV in 
the handshake? I'm pretty sure that at some point some hardware will appear 
that does exactly that. Will we need another SCSV standard for every TLS 
version then?)

--
Hanno Böck
http://hboeck.de/

mail/jabber: hanno(_at_)hboeck(_dot_)de
GPG: BBB51E42

_______________________________________________
TLS mailing list
TLS(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/tls
                                          
_______________________________________________
TLS mailing list
TLS(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/tls


<Prev in Thread] Current Thread [Next in Thread>